[security] Nonrepudiation, and Trusting OpenID Providers
=JeffH
Jeff.Hodges at KingsMountain.com
Wed Dec 9 18:18:28 UTC 2009
Ben Laurie observed:
> David Recordon said:
>> This is one thing which is known to be a challenge to see OpenID scale
>> into higher levels of assurance. The ultimate answer for these sorts
>> of use cases is not only the user trusting their provider, but the
>> relying party having some form of trust in the provider as well.
>
> That's only one ultimate answer. Another is for the user to sign stuff.
Yes, and thus the web sso protocol (and profile(s) thereof) needs to specify
conveyance of such.
e.g...
SAML V2.0 Holder-of-Key Web Browser SSO Profile
http://www.oasis-open.org/committees/download.php/34965/sstc-saml-holder-of-key-browser-sso-cd-03.pdf
SAML V2.0 Holder-of-Key Assertion Profile
http://www.oasis-open.org/committees/download.php/34962/sstc-saml2-holder-of-key-cd-03.pdf
=JeffH
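The "user signs stuff" alternative that the message points at (holder-of-key) is easy to miss in the abstract, so here is an added worked example of the pattern; it is not code from this thread, from OpenID, or from the SAML profiles linked above. It models the two signatures a holder-of-key exchange conveys: the provider signs an assertion that binds a subject to a public key, and the user then signs the relying party's challenge (together with the assertion bytes) with that key. The relying party accepts only if both signatures check out, so a stolen assertion on its own is useless, and the user's own signature is evidence the provider cannot have produced alone. Ed25519 and the JSON assertion shape stand in for the XML, X.509 and TLS machinery of the real profiles; all names (`Provider`, `Issue`, `Present`, `Verify`, the example URLs) are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Assertion is a constructed stand-in for a holder-of-key assertion: the
// provider states that Subject is the holder of the key in Confirmation.
type Assertion struct {
	Issuer       string `json:"issuer"`
	Subject      string `json:"subject"`
	Audience     string `json:"audience"`
	Confirmation []byte `json:"confirmation"` // user's Ed25519 public key
}

// SignedAssertion is the serialized assertion plus the provider's signature over it.
type SignedAssertion struct {
	Assertion []byte
	Signature []byte
}

// Provider models the OpenID provider / SAML identity provider (hypothetical).
type Provider struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewProvider(name string) (*Provider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Provider{Name: name, Pub: pub, priv: priv}, nil
}

// Issue binds the subject to the key the subject will later prove possession of.
func (p *Provider) Issue(subject, audience string, userPub ed25519.PublicKey) (SignedAssertion, error) {
	raw, err := json.Marshal(Assertion{Issuer: p.Name, Subject: subject, Audience: audience, Confirmation: userPub})
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Assertion: raw, Signature: ed25519.Sign(p.priv, raw)}, nil
}

// Presentation is what reaches the relying party: the assertion, the RP's
// challenge, and the user's signature over challenge || assertion bytes.
type Presentation struct {
	Assertion SignedAssertion
	Challenge []byte
	Proof     []byte
}

// proofMessage binds the proof to both the fresh challenge and the exact assertion.
func proofMessage(challenge, assertion []byte) []byte {
	msg := make([]byte, 0, len(challenge)+len(assertion))
	msg = append(msg, challenge...)
	return append(msg, assertion...)
}

// Present is the user-side step: sign the relying party's challenge with the confirmed key.
func Present(sa SignedAssertion, userPriv ed25519.PrivateKey, challenge []byte) Presentation {
	return Presentation{Assertion: sa, Challenge: challenge,
		Proof: ed25519.Sign(userPriv, proofMessage(challenge, sa.Assertion))}
}

// Verify is the relying-party check. It returns the subject only if (1) the
// provider's signature is valid, (2) the assertion is addressed to this RP,
// (3) the challenge is the one this RP issued, and (4) the presenter proved
// possession of the key the provider bound to the subject.
func Verify(pr Presentation, providerPub ed25519.PublicKey, audience string, expectedChallenge []byte) (string, error) {
	if !ed25519.Verify(providerPub, pr.Assertion.Assertion, pr.Assertion.Signature) {
		return "", errors.New("provider signature invalid")
	}
	var a Assertion
	if err := json.Unmarshal(pr.Assertion.Assertion, &a); err != nil {
		return "", err
	}
	if a.Audience != audience {
		return "", errors.New("assertion not intended for this relying party")
	}
	if len(a.Confirmation) != ed25519.PublicKeySize {
		return "", errors.New("malformed confirmation key")
	}
	if !bytes.Equal(pr.Challenge, expectedChallenge) {
		return "", errors.New("challenge mismatch (stale or replayed presentation)")
	}
	if !ed25519.Verify(ed25519.PublicKey(a.Confirmation), proofMessage(pr.Challenge, pr.Assertion.Assertion), pr.Proof) {
		return "", errors.New("holder-of-key proof failed: presenter does not hold the confirmed key")
	}
	return a.Subject, nil
}

func main() {
	idp, _ := NewProvider("https://idp.example") // constructed names
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	sa, _ := idp.Issue("alice", "https://rp.example", userPub)
	challenge := []byte("rp-nonce-0001")
	subject, err := Verify(Present(sa, userPriv, challenge), idp.Pub, "https://rp.example", challenge)
	fmt.Println(subject, err) // alice <nil>
	_, thiefPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, err = Verify(Present(sa, thiefPriv, challenge), idp.Pub, "https://rp.example", challenge)
	fmt.Println(err) // stolen assertion without the key is rejected
}
```

The design point is that the relying party's trust decision is no longer "does the provider say so" alone: it also needs a signature only the user's key can make, over a challenge only this RP issued, which is what gives the RP a non-repudiable record of the login. Audience and challenge checks are what keep a captured presentation from being replayed elsewhere or later.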