<div dir="ltr"><div>Hi Peter, </div><div><br></div>If I understand correctly, SP Affiliation can be achieved by sector identifier. <br>See <a href="http://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation">http://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation</a><br><div><br></div><div>For token exchange, IETF OAuth WG is working on a spec. </div><div><a href="https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-00">https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-00</a><br></div><div><br></div><div>Perhaps this is something your are looking for? </div><div><br></div><div>Nat</div><div><br></div></div><br><div class="gmail_quote">On Wed Feb 18 2015 at 14:57:51 Peter Williams <<a href="mailto:home_pw@msn.com">home_pw@msn.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
<div style="font-family:Calibri,sans-serif;font-size:11pt">Saml has a feature that I like, called sp affiliations. In short, if a local name binding is assigned by one sp/rp, all other RP in the affiliation get the same value.<br>
<br>
That is an example of sp centric architecture.<br>
<br>
If one has a cluster of gateways (at ip switching points close to a distributed set of RPs) it takes quite some engineering to share those names, enable a primary RP to assign the names, etc. The process can even be security critical, which obviously heightens
the engineering left further.<br>
<br>
One non (saml) standard architecture point can include swapping tokens for Kerberos tickets, to leverage Kerberos enforcing functions for delegation of privilege in operating system (networked) trusted computing bases.<br>
<br>
Those two examples hide security information from idps, and also prepare for an easy exit of an idp from the sp centric architecture (when an idp changes rules, say, in an unacceptable manner to the sp affiliation.) They limit dependency, at a policy level.<br>
<br>
While it's wonderful that a contrasting idp-centric architecture exists, allowing such as a media rendering box (eg appletv) to show such as a YouTube app that signs up the device to YouTube subscription via a pc-based process *using oauth to orchestrate things*,
not all web security models are about devices and apps, or app subscriptions to media, or syncing such subscriptions across multiple devices.</div></div></div><div><div><div style="font-family:Calibri,sans-serif;font-size:11pt"><br>
<br>
<br>
<br>
Sent from my Windows Phone</div></div></div><div><div><div style="font-family:Calibri,sans-serif;font-size:11pt"></div>
</div>
<div dir="ltr">
<hr>
<span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold">From:
</span><span style="font-family:Calibri,sans-serif;font-size:11pt"><a href="mailto:n-sakimura@nri.co.jp" target="_blank">Nat Sakimura</a></span><br>
<span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold">Sent:
</span><span style="font-family:Calibri,sans-serif;font-size:11pt">2/17/2015 8:55 PM</span><br>
<span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold">To:
</span><span style="font-family:Calibri,sans-serif;font-size:11pt"><a href="mailto:home_pw@msn.com" target="_blank">Peter Williams</a></span><br>
<span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold">Cc:
</span><span style="font-family:Calibri,sans-serif;font-size:11pt"><a href="mailto:James.H.Manger@team.telstra.com" target="_blank">Manger, James</a>;
<a href="mailto:openid-general@lists.openid.net" target="_blank">openid-general@lists.openid.net</a></span><br>
<span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold">Subject:
</span><span style="font-family:Calibri,sans-serif;font-size:11pt">Re: [OpenID] Switching from OpenID 2.0 to OpenID Connect for Google logins to <a href="http://openid.net" target="_blank">openid.net</a></span><br>
<br>
</div></div><div>
<div>
<div>Hi Peter, <br>
<br>
Could you elaborate on "this area" a bit more, please? <br>
We could certainly consider additional activities. <br>
<br>
Best, <br>
<br>
Nat<br>
<br>
On Tue, 17 Feb 2015 09:54:32 -0800<br>
Peter Williams <<a href="mailto:home_pw@msn.com" target="_blank">home_pw@msn.com</a>> wrote:<br>
<br>
> Shame openid foundation doesn't lead in this area, formentung common<br>
> architecture practices for RP communities, that are independent of<br>
> idp/cloud vendor.<br>
<br>
<br>
-- <br>
Nat Sakimura (<a href="mailto:n-sakimura@nri.co.jp" target="_blank">n-sakimura@nri.co.jp</a>)<br>
Nomura Research Institute, Ltd. <br>
<br>
PLEASE READ:<br>
The information contained in this e-mail is confidential and intended<br>
for the named recipient(s) only. If you are not an intended recipient<br>
of this e-mail, you are hereby notified that any review, dissemination,<br>
distribution or duplication of this message is strictly prohibited. If<br>
you have received this message in error, please notify the sender<br>
immediately and delete your copy from your system.<br>
</div>
</div>
</div>
______________________________<u></u>_________________<br>
general mailing list<br>
<a href="mailto:general@lists.openid.net" target="_blank">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/<u></u>mailman/listinfo/openid-<u></u>general</a><br>
</blockquote></div>