Using Yadis For Security Profile Discovery

Recordon, David drecordon at verisign.com
Thu Aug 24 23:16:49 UTC 2006


In talking about adding the concept of security profiles to
OpenID, we run into the problem of how to express them from a discovery
standpoint.  One idea is that we have IdPs advertise which of the
security profiles they support via Yadis files.  As it stands the URI
http://openid.net/auth/2.0 is being used, so the proposal would be URIs
such as http://openid.net/auth/2.0/FOO, http://openid.net/auth/2.0/BAR,
etc.

So in this case, the relying party would know what security profiles the
IdP supports before starting the authentication protocol.  Thus if the
IdP only supports FOO and the RP requires BAR, then the RP could tell
the user upfront that the protocol cannot succeed.  Additionally, if the
IdP lists that it supports both FOO and BAR, the RP could pick which one
it wants to use.  This then should remove the issue that Johannes
brought up around degradation.

Thoughts?

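An added example (not part of the original message or of any OpenID library) of how an RP could implement the check described above: it parses a constructed Yadis XRDS document, collects the profile URIs the IdP advertises under the proposed http://openid.net/auth/2.0/... scheme (FOO and BAR are the placeholder names from the message, not real profiles), and either picks a profile or reports up front that the protocol cannot succeed. The XRDS namespaces are the real Yadis/XRI ones; the IdP endpoint URL is constructed.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Set

# Namespaces used by Yadis/XRDS documents (XRI Resolution 2.0).
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2 = "http://openid.net/auth/2.0"

# Constructed sample XRDS document, as an IdP might publish it under the
# proposal: the base OpenID 2.0 type plus a (placeholder) profile URI.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://openid.net/auth/2.0</Type>
      <Type>http://openid.net/auth/2.0/FOO</Type>
      <URI>https://idp.example/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def advertised_profiles(xrds_text: str) -> Set[str]:
    """Return the security-profile URIs the IdP advertises.

    Only <Service> elements that also carry the base OpenID 2.0 Type count,
    so a profile-looking URI in an unrelated service is ignored.
    """
    root = ET.fromstring(xrds_text)
    profiles: Set[str] = set()
    for svc in root.iter("{%s}Service" % XRD_NS):
        types = {t.text.strip() for t in svc.findall("{%s}Type" % XRD_NS) if t.text}
        if OPENID2 not in types:
            continue
        profiles |= {t for t in types if t.startswith(OPENID2 + "/")}
    return profiles


def choose_profile(advertised: Set[str], rp_acceptable: List[str]) -> Optional[str]:
    """Pick the first profile, in RP preference order, that the IdP supports.

    Returns None when there is no overlap, which lets the RP tell the user
    before starting the protocol that it cannot succeed.
    """
    for wanted in rp_acceptable:
        if wanted in advertised:
            return wanted
    return None
```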
