<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
tt
        {mso-style-priority:99;
        font-family:"Courier New";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>SAML2 now has a zero-cost linkup, too – or at least, a
particular vendor has one, when talking to itself.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>(I view that as a win for OpenID2. I’m convinced it
was done as a reaction to the OpenID2 design.)<o:p></o:p></span></p>
<div style='mso-element:para-border-div;border:none;border-bottom:solid windowtext 1.0pt;
padding:0in 0in 1.0pt 0in'>
<p class=MsoNormal style='border:none;padding:0in'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p>
</div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Commentary:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In some ways, what the Ping Identity folks did in auto-pulling
SAML metadata – in the same way that OpenID pulls down an XRDS – was an
improvement on OpenID2. They addressed the use of email identifiers, frontally,
as the metadata locator; and formalized the relationship of https/PKI to the authority
distributing the “XRDS”. This really didn’t go beyond OpenID
(which states that trust model issues are handled externally to OpenID auth while
stating “We recommend use of https, folks”) but ‘security engineered
it’ rather better, in my view. I can see how the Ping Identity solution
can address CC criteria, as it maps onto the standard building blocks of
functionality and assurance.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If one uses the null ciphersuite option of OpenIDAuth (and dumps the
OpenID DH mechanism and key wrapping design) and then uses the DH ciphersuites
of SSL3, one gets something analogous to unsigned SAML message flows over
redirects (relying on nonces for end-to-end messaging anti-replay).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>One always has to look carefully at each OpenID and/or
SAML2 vendor’s implementation tho. The Shibboleth 2.x “vendor” doesn’t
appear to exploit the anti-replay features of the SAML authnReq protocol, for
example.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
general-bounces@openid.net [mailto:general-bounces@openid.net] <b>On Behalf Of </b>Shane
B Weeden<br>
<b>Sent:</b> Sunday, October 19, 2008 9:36 AM<br>
<b>To:</b> Brandon Ramirez<br>
<b>Cc:</b> general-bounces@openid.net; OpenID List<br>
<b>Subject:</b> [LIKELY_SPAM]Re: [OpenID] Combining Google & Yahoo user
experience research<o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><br>
<tt><span style='font-size:10.0pt'>Brandon: </span></tt><span style='font-size:
10.0pt;font-family:"Courier New"'><br>
<tt>> [...] Why should I trust a random OP?</tt><br>
<tt>> </tt><br>
</span><br>
<tt><span style='font-size:10.0pt'>You shouldn't, and nobody is claiming you
should for any transaction of value. What does excite me about OpenID (and
InfoCard for that matter) over other SSO protocols like SAML is the zero cost
of onboarding additional RPs if I am acting as an IDP. All the RP needs to do
(besides following a best-practices secure deployment model) is define that
they trust the IDP (e.g. for OpenID define a trusted list of OP endpoints) and
the IDP need do nothing in particular.</span></tt> <br>
<br>
<tt><span style='font-size:10.0pt'>Sure, there are dynamic extensions to SAML
like those defined by Shibboleth for dynamic metadata sharing, but
out-of-the-box nothing I've been exposed to thus far quite matches the
simplicity of the OpenID model.</span></tt> <br>
<br>
<tt><span style='font-size:10.0pt'>=shane</span></tt><o:p></o:p></p>
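The anti-replay feature of the SAML authnReq protocol mentioned in the commentary above (the Response's InResponseTo must name a request the SP actually issued, once, within its lifetime) as an added, constructed Python example; it is not code from this thread, from Shibboleth or from Ping Identity. The class name, the 300-second request lifetime and the sample Response are assumptions.

```python
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

class AuthnRequestTracker:
    """SP-side record of outstanding AuthnRequest IDs (constructed example).
    Accept a Response only if InResponseTo names a request this SP issued,
    the request has not expired, and it has not been answered before."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self.ttl = ttl_seconds
        self.now = now            # injectable clock, for testing
        self.pending = {}         # request ID -> time it was issued

    def issue_request_id(self):
        # SAML xs:ID values must not start with a digit, hence the underscore.
        rid = "_" + secrets.token_hex(16)
        self.pending[rid] = self.now()
        return rid

    def consume(self, response_xml):
        root = ET.fromstring(response_xml)
        if root.tag != "{%s}Response" % SAMLP:
            return False
        # pop() makes each request ID single-use: a replayed Response fails.
        issued = self.pending.pop(root.get("InResponseTo"), None)
        if issued is None:
            return False          # unsolicited, forged or replayed
        return self.now() - issued <= self.ttl

def demo():
    """Walk a constructed Response through the checks; returns the verdicts."""
    clock = [0.0]
    tracker = AuthnRequestTracker(ttl_seconds=300, now=lambda: clock[0])
    rid = tracker.issue_request_id()
    response = ('<samlp:Response xmlns:samlp="%s" ID="_resp1" Version="2.0" '
                'IssueInstant="2008-10-19T09:36:00Z" InResponseTo="%s"/>'
                % (SAMLP, rid))
    first = tracker.consume(response)      # genuine answer: accepted
    replay = tracker.consume(response)     # same Response again: rejected
    stale_id = tracker.issue_request_id()
    clock[0] += 301                        # past the request lifetime
    stale = tracker.consume(response.replace(rid, stale_id))
    return first, replay, stale

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```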
</div>
</body>
</html>