[Openid-specs-ab] OX work on OpenID Connect multi-party Federations
John Bradley
ve7jtb at ve7jtb.com
Fri Aug 31 14:44:05 UTC 2012
Publishing the certs on a https: URI basically gives you no better than HTTPS PKIX security.
I think that is fine for most applications. For LoA 3 and perhaps LoA 2 the certificate or keys may need to be in the meta-data to be part of a more highly trusted trust chain.
John B.
On 2012-08-31, at 10:38 AM, Michael Schwartz <mike at gluu.org> wrote:
>
> I just added:
>
> 1) RP and OP to publish public certificates on an HTTPS URI
> 2) Federation publishes Public Key and signs federation metadata
>
> per John's suggestion.
>
> - Mike
>
>
>
> -------------------------------------
> Michael Schwartz
> Gluu
> Founder / CEO
> office: +1 646-810-8761
> mike at gluu.org
>
> On Fri, 31 Aug 2012, John Bradley wrote:
>
>> I think the general idea is good. It will be important to support entity attributes for LOA and claims confidence.
>>
>> Andreas has also had some thoughts.
>> https://rnd.feide.no/2012/08/24/openid-connect-federations/
>>
>> We should try and dedicate a call or session at IIW to this.
>>
>> John
>> On 2012-08-31, at 10:12 AM, Michael Schwartz <mike at gluu.org> wrote:
>>
>>>
>>> OpenID Group...
>>>
>>> We weren't going to announce this until we had working code, but we have started to sketch a design for OpenID Connect federation metadata:
>>> http://ox.gluu.org/doku.php?id=oxauth:federation
>>>
>>> I used Shib-style federations like InCommon as the model.
>>>
>>> This obviously needs some work... I would like to reference the entity's certificates by URI if that's feasible.
>>>
>>> Sorry it goes into the weeds a little at the end. We're moving some of the content to new pages :)
>>>
>>> thx,
>>>
>>> Mike
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>>
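Worked example (added here for illustration; it is not part of the thread and not the OX code on the Gluu wiki): John's distinction between certificates fetched from an https: URI and keys carried inside signed federation metadata, as a small Go program. The RP pins only the federation's public key; an OP's key is accepted because it sits inside metadata that the federation key has signed, and only at an LoA the RP is willing to accept. Ed25519, the compact payload.signature token form, the JSON field names and the entity ids are assumptions made for this example, not anything the thread or the wiki specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Entity is one federation member as it might appear in signed metadata.
// Field names are an assumption for this example, not the OX schema.
type Entity struct {
	EntityID  string `json:"entity_id"`
	LoA       int    `json:"loa"`
	PublicKey string `json:"public_key"` // base64url raw Ed25519 key, embedded rather than fetched
}

// Metadata is the document the federation operator signs.
type Metadata struct {
	Entities []Entity `json:"entities"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// sign returns a compact "payload.signature" token (JWS-like; header omitted for brevity).
func sign(priv ed25519.PrivateKey, payload []byte) string {
	return b64(payload) + "." + b64(ed25519.Sign(priv, payload))
}

// verify checks a compact token against a pinned public key and returns its payload.
func verify(pub ed25519.PublicKey, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("signature does not verify")
	}
	return payload, nil
}

// OPKeyFromFederation resolves an OP signing key through the federation trust chain:
// the RP trusts only the pinned federation key; the OP key is accepted because it is
// inside metadata that key signed, and only if the asserted LoA meets the RP's floor.
func OPKeyFromFederation(fedPub ed25519.PublicKey, signedMeta, entityID string, minLoA int) (ed25519.PublicKey, error) {
	payload, err := verify(fedPub, signedMeta)
	if err != nil {
		return nil, fmt.Errorf("federation metadata: %w", err)
	}
	var md Metadata
	if err := json.Unmarshal(payload, &md); err != nil {
		return nil, err
	}
	for _, e := range md.Entities {
		if e.EntityID != entityID {
			continue
		}
		if e.LoA < minLoA {
			return nil, fmt.Errorf("%s is asserted at LoA %d, RP requires %d", entityID, e.LoA, minLoA)
		}
		k, err := base64.RawURLEncoding.DecodeString(e.PublicKey)
		if err != nil || len(k) != ed25519.PublicKeySize {
			return nil, errors.New("malformed key in metadata")
		}
		return ed25519.PublicKey(k), nil
	}
	return nil, fmt.Errorf("%s is not a federation member", entityID)
}

// Demo runs the chain end to end: genuine OP token accepted, metadata with a
// substituted key rejected, token minted by an impostor rejected.
func Demo() (genuineOK, tamperedRejected, impostorRejected bool) {
	fedPub, fedPriv, _ := ed25519.GenerateKey(rand.Reader)
	opPub, opPriv, _ := ed25519.GenerateKey(rand.Reader)
	badPub, badPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker who controls the cert URI host

	const op = "https://op.example.org" // constructed entity id
	md := Metadata{Entities: []Entity{{EntityID: op, LoA: 3, PublicKey: b64(opPub)}}}
	raw, _ := json.Marshal(md)
	signedMeta := sign(fedPriv, raw)
	idToken := []byte(`{"iss":"` + op + `","sub":"alice"}`) // constructed token body

	// 1. Genuine path: RP derives the OP key from signed metadata, then checks the OP's token.
	k, err := OPKeyFromFederation(fedPub, signedMeta, op, 3)
	if err == nil {
		_, err = verify(k, sign(opPriv, idToken))
		genuineOK = err == nil
	}
	// 2. Attacker swaps in their own key. Served from a bare https: URI this works once PKIX
	//    is beaten for that host; here the altered metadata no longer verifies under fedPub.
	md.Entities[0].PublicKey = b64(badPub)
	rawBad, _ := json.Marshal(md)
	_, err = OPKeyFromFederation(fedPub, sign(badPriv, rawBad), op, 3)
	tamperedRejected = err != nil
	// 3. Attacker leaves the metadata alone and mints a token with their own key.
	if k != nil {
		_, err = verify(k, sign(badPriv, idToken))
		impostorRejected = err != nil
	}
	return
}

func main() {
	g, t, i := Demo()
	fmt.Printf("genuine accepted=%v tampered rejected=%v impostor rejected=%v\n", g, t, i)
}
```

Case 2 is the one that separates the two designs in the thread: an attacker who can present a substitute certificate at the entity's https: URI defeats design (1) outright, since the RP has nothing but the TLS chain to check against, whereas under design (2) the swapped key is not covered by the federation signature and the RP never trusts it. The LoA floor in OPKeyFromFederation is where the per-entity attributes John mentions would be enforced.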