Proposal to create the TX working group
Martin Paljak
martin at paljak.pri.ee
Tue Nov 11 21:13:08 UTC 2008
On 09.11.2008, at 20:51, Nat Sakimura wrote:
> As far as AX+SAML (or for that matter XAdES) is concerned, that is a
> valid approach, but if I were to use SAML, I would use
Just to clarify a technical detail: The XAdES example regarding
Estonia you mentioned earlier does not include transporting XAdES
payloads over OpenID AX (which seems to be the purpose of the
discussed workgroup where the similarities of SAML over AX come in).
The special behavior and out-of-band assurances given by openid.ee
do not include anything new on the protocol level, just added
semantics to basic OpenID transactions. If we could use PDF signatures
as legally valid signatures in Estonia, it could be PDF based
signatures instead of XAdES, or ODF signatures, or MS .doc signatures.
FYI, openid.ee allows a RP to upload a contract (template) which must
be agreed with and digitally signed (legally binding signature
resulting in an XAdES document with the filled in contract signed by
the user with an ID-card and stored on the OP) before the OP starts
issuing positive assertions about the given user to the given RP. The
contract could be a document of any kind (PDF, JPG, DOC, TXT) and the
only thing that is transferred to the RP over AX is a 'secret url'
from where the RP can download the signed contract (XAdES container
with the possibly PDF contract in it).
The actual assurance (that the user has signed the contract the RP has
uploaded) comes from out of band agreements/contracts between OP and
RP. The AX attribute is just an extra option, if the RP wishes to
automatically fetch and store the signed contract somewhere.
Basically it is an advanced and legally binding 'I agree with terms
and conditions' checkbox built on top of standard OpenID.
By legally binding I mean that it is dead simple in the court: "Here
are the terms and conditions you digitally signed and which you have
violated" as checking checkboxes and pressing 'continue' is not a
legally binding action in Estonia, at least I don't know of any court
cases about it.
If you need an example use case, think of signing and faxing NDAs
before you can download some simple "secret" product documentation.
--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495
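The 'secret url' attribute described in the post is just one AX value among the others in the OP's assertion, so an RP that wants to fetch the signed contract automatically has to confirm that the value actually came from the OP. The following is an added example (not code from openid.ee, nor from the post) of how an RP could pick that attribute out of an OpenID 2.0 id_res response and accept it only if the AX fields are covered by the assertion's signature and the URL is https. It assumes the assertion's signature was already verified; the AX type URI and the alias 'contract' are hypothetical, since the post does not name openid.ee's.

```python
# Added example, not code from openid.ee or from the post: how an RP could
# extract the 'signed contract URL' AX attribute from an OpenID 2.0 id_res
# assertion and refuse it unless the OP's signature covers the AX fields.
# Assumes the assertion's signature itself was already verified; the AX type
# URI and alias are hypothetical (the post does not name openid.ee's).
from urllib.parse import urlparse

AX_NS = "http://openid.net/srv/ax/1.0"
CONTRACT_TYPE = "http://example.invalid/ax/signed-contract-url"  # hypothetical

# Constructed sample assertion (openid.* parameters after key/value decoding).
SAMPLE_ASSERTION = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.claimed_id": "https://openid.example/alice",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.contract": CONTRACT_TYPE,
    "openid.ax.value.contract": "https://op.example/contracts/abc123.ddoc",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.ax,ax.mode,ax.type.contract,ax.value.contract",
    "openid.sig": "constructed-placeholder",
}

def find_ax_alias(params):
    """Alias under which the AX namespace is declared (e.g. 'ax'), or None."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None

def signed_contract_url(params):
    """Contract URL from the AX fetch_response, or None if it must not be
    trusted: the AX fields must be listed in openid.signed and the URL https."""
    alias = find_ax_alias(params)
    if alias is None or params.get(f"openid.{alias}.mode") != "fetch_response":
        return None
    signed = set(params.get("openid.signed", "").split(","))
    prefix = f"openid.{alias}.type."
    for key, type_uri in params.items():
        if not key.startswith(prefix) or type_uri != CONTRACT_TYPE:
            continue
        attr = key[len(prefix):]
        needed = {f"ns.{alias}", f"{alias}.mode", f"{alias}.type.{attr}", f"{alias}.value.{attr}"}
        if not needed <= signed:  # unsigned (possibly injected) attribute: reject
            return None
        url = params.get(f"openid.{alias}.value.{attr}", "")
        return url if urlparse(url).scheme == "https" else None
    return None
```

The same check applies to any other AX attribute an RP acts on: an extension field that is not listed in openid.signed is not part of what the OP asserted.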