<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Bunch of us are actualy using RSA. <br>
I thought Google was also using it in their service but I may be
wrong. <br>
<br>
Nat<br>
<br>
(2013/09/27 4:05), Peter Williams wrote:<br>
</div>
<blockquote
cite="mid:BAY406-EAS25805CA42E06BE1D7647B3092280@phx.gbl"
type="cite">
<meta http-equiv="Context-Type" content="text/html; charset=utf-8">
<div>
<div>From a Nat write up (for the 7 billion of us web users who
are not inherently exceptional), the idtoken seems to be a
symmetrically signed jwt *in anticipated practice*. Its
motivation is as an "integrity check".<br>
<br>
If anyone is interested (in a relying party industry
perspective) the RSA signed token was more interesting, when
referencing a x509 cert chain. Testable by third parties
during offline dispute handling, its indication enabled the
client to retain and present unforgeable evidence of its
authority to access/store and even snoop/share on data
retrieved from certain other endpoints, concerning user x.
Typically, those endpoints are not even guarded (by access
tokens)<br>
<br>
Note , despite being a willing windows developer, I have
nothing to do with Microsoft - don't be confused by the
consumer centric msn.com domain name! I played with DSL-based
(dsam pop delivered) pptp VPN in 2001ish to see where the
surveillance crypto politics & associated engineering was
at, in the us), and the name stuck. <br>
<br>
My assumption is that Microsoft activities with their peers
here are being done in anticipation of services to be
delivered in 1-2 years from now to (developer) customers (per
normal engineering cycles).<br>
<br>
Sent from my Windows Phone</div>
</div>
<div dir="ltr">
<hr>
<span>From:
</span><span><a moz-do-not-send="true"
href="mailto:Michael.Jones@microsoft.com">Mike Jones</a></span><br>
<span>Sent:
</span><span>9/26/2013 10:02 AM</span><br>
<span>To:
</span><span><a moz-do-not-send="true"
href="mailto:home_pw@msn.com">peter williams</a>;
<a moz-do-not-send="true" href="mailto:general@openid.net">general@openid
net</a></span><br>
<span>Subject:
</span><span>RE: [OpenID] Openid connect and interoperability
(today)</span><br>
<br>
</div>
<div>
<div>
<div>
<div>There's over a dozen implementations with test sites up
at <a class="moz-txt-link-freetext" href="http://osis.idcommons.net/">http://osis.idcommons.net/</a>. See the Solutions link and
the page about the current OpenID Connect interop
activities. (We're currently in the 5th round of public
interop testing.)<br>
<br>
Best wishes,<br>
-- Mike<br>
</div>
</div>
<hr>
<span>From:
</span><span>peter williams</span><br>
<span>Sent:
</span><span>9/26/2013 7:49 AM</span><br>
<span>To:
</span><span>general@openid net</span><br>
<span>Subject:
</span><span>[OpenID] Openid connect and interoperability
(today)</span><br>
<br>
</div>
<span>
<div class="x_PlainText">One more general question comes to
mind. Using rsa-signed jwts, using id certs, using access
tokens that reference id certs, noting the claim that google
have deployed openid connect in essence, and noting that
facebook apparently use an original proprietary version of
openid connect, what is the state of multi-vendor openid
connect deployment?<br>
<br>
We almost licensed ping identitys openid module for their
federation server, once the firm announced oauth v2
conformance and once id figured that app/plugin fever had
struck in the heart of microsofts Office365 cloud service
(wherein web-hosted sites can host pages that display in the
outlook email client, augmenting the email page itself, as
rendered by the cloud service AND where oauth-like
authorization grant and vendor control practices govern
plugin activation and subscription). This seemed like a
good fit...for us...allowing professional data about a
"member of realty association" to augment the email
addressing information.<br>
<br>
Ping did their best to accomodate (since they tend to be
market leading and put up with me like few others do). But i
was stunned to learn that oauth 2 delivered nothing of any
value (to such a multi-vendor concept). The very concept was
still scoped to private community devices (logically
enabling controlled realty iphone apps talking to realty
apis, aping facebook model of world order). Such devices
(including windows toolkits making sp website into
"authorized devices") would still require custom code or
realty plugins even for that 5 year old world view.<br>
<br>
While the ping deal idn't happen for some strange commercial
reasons and my lack of faith that the market concept was of
much importance (why do i want to ape google/facebook, being
intentionally 5 years late to the party), we did go off and
extend our websso so that third party authorization servers
could do their thing, adding oauth2 value. Thus we let
microsoft azure cloud services for oauth offer such
extensibility (effectively adding yap - yet another (websso)
protocol - to the family). And duly another realty firm
with native table/phone apps did connect up .. finding oauth
2 code grant flow with rsa-signed jwts "just right".<br>
<br>
Which leads me back to the main question. Where is openid
connect in practice? Is there a groundswell? Is it at the
im explosion stage still (wherein aol, yahoo, live refused
to connect up...)? Is the technical profiling and core
interoperability phase done? Is it at the find a vc, phase?<br>
<br>
Perhaps want i really want to know is when will openid
connect be an open system? When can i talk to office 365
using my jwts, much as i can talk to any webserver on the
planet using my ssl x509 client certs?<br>
<br>
Or is that the wrong question? Is it _supposed_ to be a
closed system, like x400/x500, fully distributed but with a
hierarchical connectivity mesh controlled much public phone
systems connect (at a relatively few formal connection
points)?<br>
<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-general">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
</div>
</span></div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@lists.openid.net">general@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-general">http://lists.openid.net/mailman/listinfo/openid-general</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Nat Sakimura (<a class="moz-txt-link-abbreviated" href="mailto:n-sakimura@nri.co.jp">n-sakimura@nri.co.jp</a>)
Nomura Research Institute, Ltd.
Tel:+81-3-6274-1412 Fax:+81-3-6274-1547
本メールに含まれる情報は機密情報であり、宛先に記載されている方のみに送信することを意図しております。意図された受取人以外の方によるこれらの情報の開示、複製、再配布や転送など一切の利用が禁止されています。誤って本メールを受信された場合は、申し訳ござӓ
6;|
14;せんが、送信者までお知らせいただき、受信されたメールを削除していただきますようお願い致します。
PLEASE READ:
The information contained in this e-mail is confidential and intended for the named recipient(s) only.
If you are not an intended recipient of this e-mail, you are hereby notified that any review, dissemination, distribution or duplication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately and delete your copy from your system.
</pre>
</body>
</html>