specs Digest, Vol 36, Issue 1
John Bradley
jbradley at mac.com
Thu Aug 13 15:34:25 UTC 2009
Nat,
You can do identity-less OpenID checkid_immediate requests to invoke extensions like AX.
That doesn't let you piggyback AX on an association request though.

I am sympathetic to your problem of wanting an artifact binding for OpenID.
The reality is that we need to create an artifact binding in 2.1 rather than try and slip it through some loose wording in the 2.0 spec.
OpenID 2.0 doesn't support artifact binding.
If it did then that would have helped me with the LoA 2 justification.

Artifact binding will add complexity and not everyone will support it.
Some may ask, if we add artifact binding, signatures and encryption, are we not reinventing SAML Web SSO, or something of equal complexity?

I am not against doing it if that is the chosen direction. However I would like to see a full and open discussion on it.
John B.
On 13-Aug-09, at 8:03 AM, openid-specs-request at lists.openid.net wrote:
> Date: Fri, 14 Aug 2009 00:03:12 +0900
> From: Nat Sakimura <sakimura at gmail.com>
> Subject: Re: So, what is an OpenID Extension?
> To: James Henstridge <james at jamesh.id.au>
> Cc: OpenID Specs Mailing List <specs at openid.net>
> Message-ID:
> <bf26e2340908130803h390947eya0f6af01c65daee5 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hmmm. So, there is no way we can do direct communication in an extension? What I want to do is to send the large payload directly between the servers and move only the reference through the OpenID Authn request and response so that
>
> 1) mobile clients will not choke.
> 2) it is going to be more secure.
>
> In AX, there is a notion of update_url, but is that also used only for indirect communication through the browser?
>
> I feel that it is extremely limiting if we cannot do the server to server communication.
>
> If that is not a possibility, then I should probably do the server to server portion elsewhere, and just do the reference/artifact moving through OpenID AuthN, but that sounds like OpenID strangling itself.
>
> =nat