<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi David, FYI, NTT built something like you describe for SAML SSO -
specifically the scenario you list below in #4<br>
<br>
<a class="moz-txt-link-freetext" href="http://www.projectliberty.org/liberty/content/download/3960/26523/file/NTT-SASSO%20liberty%20case%20study.pdf">http://www.projectliberty.org/liberty/content/download/3960/26523/file/NTT-SASSO%20liberty%20case%20study.pdf</a><br>
<br>
paul<br>
<br>
On 3/3/2010 11:33 AM, David Fuelling wrote:
<blockquote
cite="mid:51dae84d1003030833r285f09c5q3b0b8bf8f065a90@mail.gmail.com"
type="cite">
<div>Wondering what people think about using an iPhone (or
Android, etc.) application as a personal OP. </div>
<div><br>
</div>
<div>Basically, the way it would work is as follows:</div>
<div>
<ol>
<li>Go to RP, get prompted with a login form.</li>
<li>Turn on the iPhoneOP application on your iPhone.
<ol>
<li>iPhone App turns on lighttpd (or some other ultra-small web
server) to serve web requests from the phone and act as an OP.</li>
<li>iPhone App then connects to a DDNS service that connects the
phone's current IPv6 address to the OP domain.</li>
<li>The iPhone is now the user's OP.</li>
</ol>
</li>
<li>User signs into the RP, which then does the OpenID dance with
the OP running on the user's iPhone.</li>
<li>The user could log in via the web, or optionally just
get prompted on the phone that a login is occurring - the user could
then accept the login and/or enter a security code (in case of a lost
iPhone).</li>
<li>User is logged into the RP.</li>
<li>iPhone App turns off.</li>
</ol>
<div>Some initial thoughts I've had:</div>
<div>
<ol>
<li>Could this take us a lot closer to a user-centric identity?
Imagine if this software was built into the phone (so you didn't have
to run an App to make it work). </li>
<li>Something like this would be interesting from a multi-auth
perspective. On the one hand, it could preclude the need for
multi-auth because a person could turn off his OP when the app isn't
running (thus ensuring no RP logins without the phone... mostly -- see
some security drawbacks below). </li>
<li>Alternatively, it could provide one multi-auth solution in that
an RP could be required to get an assertion from a "regular" OP and a
user-centric OP (like the iPhone) before allowing access.</li>
</ol>
<div>Security Drawbacks (?)</div>
<div>
<ol>
<li>The user should trust his/her DDNS provider because somebody at
that provider could change the IP address hooked up to the domain
backing the iPhoneOP (without the knowledge of the user). However,
this is an issue with current OPs (the rogue employee problem). Either
could be mitigated with multi-auth.</li>
</ol>
</div>
</div>
</div>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@lists.openid.net">general@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-general">http://lists.openid.net/mailman/listinfo/openid-general</a>
</pre>
</blockquote>
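<p>As an added illustration of steps 3 and 4 of the quoted proposal (not code from the thread, from NTT, or from any OpenID library): the phone-side OP produces an OpenID 2.0 positive assertion only after the on-phone prompt is accepted and the security code matches, and the RP runs the checks it must do before trusting that assertion. The KV-form signing rules and the field names are those of OpenID Authentication 2.0; the endpoint URL, identifier, return_to, association handle, security code and timestamp are constructed for the example.</p>

```python
import base64
import calendar
import hashlib
import hmac
import secrets
import time

# Names below are assumptions for the example, not anything from the thread.
OP_ENDPOINT = "https://phone-op.example.org/openid"  # DDNS name pointing at the phone
CLAIMED_ID = "https://phone-op.example.org/"          # the user's OpenID identifier
RP_RETURN_TO = "https://rp.example.com/openid/return"
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
MAX_SKEW = 300  # seconds of clock skew the RP tolerates on response_nonce


def kv_form(fields, signed):
    """OpenID 2.0 key-value form of the signed fields: 'key:value\\n' per key,
    in openid.signed order, with the 'openid.' prefix stripped."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed.split(","))


def sign(fields, signed, mac_key):
    """HMAC-SHA256 over the KV form, base64-encoded (HMAC-SHA256 association type)."""
    mac = hmac.new(mac_key, kv_form(fields, signed).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


class PhoneOP:
    """The OP process on the phone (steps 2-3). It holds the association MAC key
    shared with the RP and a security code (step 4) so that a lost phone alone
    cannot approve logins."""

    def __init__(self, security_code, assoc_handle, mac_key):
        self.security_code, self.assoc_handle, self.mac_key = security_code, assoc_handle, mac_key

    def approve(self, return_to, user_accepts, code_entered, now):
        """Step 4: prompt on the phone; return a signed id_res assertion or None."""
        if not user_accepts or not hmac.compare_digest(code_entered, self.security_code):
            return None
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
        fields = {
            "openid.ns": "http://specs.openid.net/auth/2.0",
            "openid.mode": "id_res",
            "openid.op_endpoint": OP_ENDPOINT,
            "openid.claimed_id": CLAIMED_ID,
            "openid.identity": CLAIMED_ID,
            "openid.return_to": return_to,
            "openid.response_nonce": stamp + secrets.token_urlsafe(6),
            "openid.assoc_handle": self.assoc_handle,
            "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
        }
        fields["openid.sig"] = sign(fields, fields["openid.signed"], self.mac_key)
        return fields


class RP:
    """The relying party side of the dance (step 3), after discovery on the DDNS
    name and an association with the phone."""

    def __init__(self, discovered_endpoint, assoc_handle, mac_key):
        self.endpoint = discovered_endpoint
        self.assocs = {assoc_handle: mac_key}
        self.seen_nonces = set()

    def verify(self, fields, now):
        """Return (ok, reason); each check is one the RP must do before a login."""
        if fields.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        if fields.get("openid.op_endpoint") != self.endpoint:
            return False, "op_endpoint differs from the discovered endpoint"
        if fields.get("openid.return_to") != RP_RETURN_TO:
            return False, "return_to is not ours"
        signed = fields.get("openid.signed", "")
        keys = signed.split(",")
        if any(k not in keys for k in REQUIRED_SIGNED):
            return False, "required field not covered by signature"
        if "openid.claimed_id" in fields and "claimed_id" not in keys:
            return False, "claimed_id not covered by signature"
        mac_key = self.assocs.get(fields.get("openid.assoc_handle"))
        if mac_key is None:
            return False, "unknown association handle"
        if not hmac.compare_digest(sign(fields, signed, mac_key), fields.get("openid.sig", "")):
            return False, "bad signature"
        nonce = fields["openid.response_nonce"]
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        if abs(now - issued) > MAX_SKEW:
            return False, "stale nonce"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)
        return True, "ok"


def demo(now=1267634000):
    """Happy path plus three failure cases; returns their outcomes by name."""
    handle, key = "{HMAC-SHA256}phone-1", secrets.token_bytes(32)  # from an earlier association (assumed)
    op = PhoneOP("4711", handle, key)
    rp = RP(OP_ENDPOINT, handle, key)
    good = op.approve(RP_RETURN_TO, user_accepts=True, code_entered="4711", now=now)
    forged = dict(good)  # attacker swaps the identity but cannot re-sign
    forged["openid.identity"] = forged["openid.claimed_id"] = "https://victim.example.org/"
    return {
        "accepted": rp.verify(good, now),
        "wrong_code": op.approve(RP_RETURN_TO, True, "0000", now),
        "forged_identity": rp.verify(forged, now),
        "replay": rp.verify(good, now),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

<p>Note that none of these checks addresses the DDNS drawback raised in the quoted message: if the provider repoints the OP domain, the RP's discovery step finds the attacker's endpoint and associates with it, and every signature then verifies. That is exactly why the message falls back on multi-auth (a second assertion from an independent OP) rather than on anything the RP can check in the assertion itself.</p>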
</body>
</html>