<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
/* List Definitions */
@list l0
        {mso-list-id:491411997;
        mso-list-template-ids:-1505878334;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>OP/IDP via openid/SAML attribute provides OAuth short-life ticket
authorizing SP to access membership/datasrc testing site. Particular ticket
would have the particular authorized test in the data source URL, for the
particular openid. Positive response over https is the “response”. Datasource right
to speak for said organization is again based on SSL server cert chain, with
organizational DN in the subject name, where issuer name of cert is VeriSign-asserted
organizational id.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Etc. major problem is all the spoofing. But, if OAuth is good
enough, who cares.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Andrew Arnott
[mailto:andrewarnott@gmail.com] <br>
<b>Sent:</b> Monday, September 15, 2008 6:06 PM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> Dick Hardt; general@openid.net<br>
<b>Subject:</b> Re: [OpenID] Too many providers... and here's one reason<o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'>You know on second thought,
perhaps OAuth is appropriate. The 'protected resource' in this case is my
membership status. And while creating my account at the RP, I can check a
box saying "you may check my membership at org xyz", which will cue
the RP that it's worthwhile to redirect me to that site using OAuth to verify
membership.<o:p></o:p></p>
<div>
<p class=MsoNormal>On Mon, Sep 15, 2008 at 5:44 PM, Andrew Arnott <<a
href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>> wrote:<o:p></o:p></p>
<div>
<p class=MsoNormal>That's sounding like what I was hoping existed.<o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Now, since I'm hoping to separate authentication from this
membership test, and if I didn't want my membership in Org XYZ to be public
knowledge, from a user's perspective it seems the only way to get this to work
would be this:<o:p></o:p></p>
</div>
<div>
<ol start=1 type=1>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>I log into RP using an Identifier of my choice,
and an asserting OP of my choice<o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>The RP is interested in my membership in Org XYZ,
so it asks Org XYZ if my Identifier is a member of the org.<o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Similar to OpenID OP's list of sites I trust, Org
XYZ checks if the requesting RP is trusted by me. If it is, then it
just answers yes. If not, it tells the RP to take the long route.<o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>The long route would be the RP redirecting me to
Org XYZ to go to a page where I would grant permission for the RP to find
out that I am a member.<o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>The redirect (like OpenId) would tell the RP that
I am in a confirmable way.<o:p></o:p></li>
</ol>
<div>
<p class=MsoNormal>Blah, that sounds way just like the org being an OP.
So maybe for purposes of this investigation we'll just say it can be
public knowledge, but confirmable the way Peter just described.<o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal>On Mon, Sep 15, 2008 at 5:30 PM, Peter Williams <<a
href="mailto:pwilliams@rapattoni.com" target="_blank">pwilliams@rapattoni.com</a>>
wrote:<o:p></o:p></p>
<p class=MsoNormal>Couldn't this be handled by the XRI support, in the openid 2
world?<br>
<br>
Doesn't the XRI resolver allow the organizational claim to be tested?<br>
<br>
XRI essentially has a yellow-pages resolver built in. For any yellow page
index, you can resolve a name via that particular naming path. The XRI resolver
thus tests that one is listed in a particular "organizational" index,
of which there can be n. In trusted XRI, furthermore, the SAML assertions would
provide additional proof that the particular resolver listener is authorized to
speak for those organizations. In the HXRI trusted resolver variety, the usual
trick of the proxy resolver having n*1000 SSL server, one per organization,
would be sufficient to know that the listener speaks for the organization (over
https)<o:p></o:p></p>
<div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
-----Original Message-----<br>
From: <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>]
On Behalf Of Dick Hardt<br>
Sent: Monday, September 15, 2008 5:12 PM<br>
To: Andrew Arnott<br>
Cc: <a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
Subject: Re: [OpenID] Too many providers... and here's one reason<br>
<br>
<br>
On 15-Sep-08, at 4:45 PM, Andrew Arnott wrote:<br>
<br>
> I just spoke with an organization that wants to become a Provider so<br>
> that other RP web sites can specifically tell if the logging in user<br>
> is a member of this organization by whether their OpenID Identifier<br>
> was asserted by that org's OP.<br>
><br>
> Ideally, I'd like this org to choose to be an RP instead of an OP<br>
> because there are already too many OPs out there and not enough RPs,<br>
> IMO.<br>
><br>
> How can an RP accept an OpenID Identifier from arbitrary OPs, but at<br>
> each login determine whether the Identifier represents a user who<br>
> belongs to a particular Organization? Basically the Organization<br>
> needs to send an assertion about the Identifier's membership, but<br>
> only be willing to do so if that identifier is confirmed as having<br>
> logged in successfully to that RP. This would be easy to do if that<br>
> Org was an OP, but I'm trying to reduce the # of reasons to be an OP.<br>
<br>
I have envisioned this as a chain of assertions / claims.<br>
<br>
The user has a claim that their identifier is a member of the org.<br>
This claim could be cached or obtained each time it is needed.<br>
<br>
The user then presents that claim (binding identifier to org<br>
membership) and also proves that they control the identifier presented<br>
to the RP.<br>
<br>
InfoCards has this flow spec'd out ... will be interesting to see if<br>
there is interest in this from the OpenID community, particularly<br>
since this is where the identity protocols really start to<br>
differentiate themselves from existing username/password and form fill.<br>
<br>
-- Dick<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><o:p></o:p></p>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
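<p class=MsoNormal>The chain of claims Dick describes in the quoted thread (an org-issued claim binding an identifier to membership, presented by a user who has separately proved control of that identifier to the RP) is sketched below as an added Python example. It is not code from the thread or from any OpenID, OAuth, XRI or InfoCard implementation. It assumes a key shared between Org XYZ and the RP as a stand-in for the organization-signed assertion (a deployment would use an asymmetric signature tied to the org's certificate chain, as Peter suggests), constructed identifiers and RP URLs, and a fixed clock. The audience and expiry checks are what stop a claim minted for one RP from being replayed at another, which is the spoofing concern raised above.</p>

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key shared between Org XYZ and the RP. Assumption: it stands in
# for the org's signing key; a deployment would use an asymmetric signature tied to
# the org's certificate, as the thread suggests.
ORG_KEY = b"constructed-demo-key-org-xyz"
RP_AUDIENCE = "https://rp.example"          # constructed RP identifier
ORG_ID = "org-xyz"                          # constructed organization identifier
CLAIM_TTL = 300                             # seconds a membership claim stays valid


def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_membership_claim(key, identifier, org, audience, now, ttl=CLAIM_TTL):
    """Org side: bind `identifier` to membership in `org`, scoped to one RP and short-lived."""
    body = {"sub": identifier, "org": org, "aud": audience, "iat": now, "exp": now + ttl}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(tag)


def verify_membership_claim(key, token, authenticated_identifier, org, audience, now):
    """RP side: accept the claim only if it is authentic, unexpired, meant for this RP,
    and about the identifier the user has already proved control of via OpenID."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    payload = unb64(parts[0])
    expected_tag = hmac.new(key, payload, hashlib.sha256).digest()
    # Signature check first, before trusting anything inside the payload.
    if not hmac.compare_digest(expected_tag, unb64(parts[1])):
        return False, "bad signature"
    body = json.loads(payload)
    if body.get("aud") != audience:
        return False, "wrong audience"       # claim issued for another RP: replay attempt
    if now >= body.get("exp", 0):
        return False, "expired"
    if body.get("sub") != authenticated_identifier:
        return False, "identifier mismatch"  # claim is about someone else's identifier
    if body.get("org") != org:
        return False, "org mismatch"
    return True, "ok"


def demo(now=1221523200):
    """Walk the chain: OpenID login proves control of the identifier, then the claim is checked.
    The identifier and timestamps are constructed values."""
    user = "https://andrew.example/id"       # constructed OpenID identifier
    claim = issue_membership_claim(ORG_KEY, user, ORG_ID, RP_AUDIENCE, now)
    return {
        "fresh": verify_membership_claim(ORG_KEY, claim, user, ORG_ID, RP_AUDIENCE, now + 10),
        "other_rp": verify_membership_claim(ORG_KEY, claim, user, ORG_ID, "https://other-rp.example", now + 10),
        "expired": verify_membership_claim(ORG_KEY, claim, user, ORG_ID, RP_AUDIENCE, now + CLAIM_TTL + 1),
        "wrong_user": verify_membership_claim(ORG_KEY, claim, "https://mallory.example/id", ORG_ID, RP_AUDIENCE, now + 10),
        "tampered": verify_membership_claim(ORG_KEY, claim[:-4] + "AAAA", user, ORG_ID, RP_AUDIENCE, now + 10),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

<p class=MsoNormal>The RP calls the verifier only after its own OpenID exchange has succeeded, passing the identifier that exchange returned; that is the link between the two halves of the chain. The claim itself carries no secret, so it can be cached by the user as Dick suggests, but the short expiry limits how long a cached copy stays usable.</p>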
</div>
</body>
</html>