Using Yadis For Security Profile Discovery

Gabe Wachob gabe.wachob at amsoft.net
Thu Aug 24 23:23:47 UTC 2006


David-
	That's what I was suggesting when talking about advertising different
service types based on "security profile". So it sounds reasonable to me.

	-Gabe

> -----Original Message-----
> From: yadis-bounces at lists.danga.com [mailto:yadis-bounces at lists.danga.com]
> On Behalf Of Recordon, David
> Sent: Thursday, August 24, 2006 4:17 PM
> To: yadis at lists.danga.com
> Subject: Using Yadis For Security Profile Discovery
> 
> In talking about adding the concept of adding security profiles to
> OpenID, we run into the problem of how to express them from a discovery
> standpoint.  One idea is that we have IdPs advertise which of the
> security profiles they support via Yadis files.  As it stands the URI
> http://openid.net/auth/2.0 is being used, so the proposal would be URIs
> such as http://openid.net/auth/2.0/FOO, http://openid.net/auth/2.0/BAR,
> etc.
> 
> So in this case, the relying party would know what security profiles the
> IdP supports before starting the authentication protocol.  Thus if the
> IdP only supports FOO and the RP requires BAR, then the RP could tell
> the user upfront that the protocol cannot succeed.  Additionally, if the
> IdP lists that it supports both FOO and BAR, the RP could pick which one
> it wants to use.  This then should remove the issue that Johannes
> brought up around degradation.
> 
> Thoughts?
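Working through the relying-party side of the discovery check David describes, as an added example that is not code from this thread or from any OpenID library: the XRDS document, the endpoint URL and the `/FOO` and `/BAR` profile URIs are constructed placeholders taken from the discussion.

```python
# Added example (not from the thread): a relying party reads the security
# profiles an IdP advertises in its Yadis XRDS document and decides, before
# starting the OpenID exchange, whether the protocol can succeed at all.
# ".../FOO" and ".../BAR" are the placeholder profile URIs from the thread;
# the XRDS document and endpoint below are constructed for this example.
import xml.etree.ElementTree as ET

OPENID_AUTH = "http://openid.net/auth/2.0"
NS = {"xrds": "xri://$xrds", "xrd": "xri://$xrd*($v*2.0)"}

SAMPLE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://openid.net/auth/2.0</Type>
      <Type>http://openid.net/auth/2.0/FOO</Type>
      <URI>https://idp.example/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def advertised_profiles(xrds_bytes):
    """Return {endpoint_uri: set of profile URIs} for each OpenID 2.0 service."""
    root = ET.fromstring(xrds_bytes)
    found = {}
    for svc in root.iterfind(".//xrd:Service", NS):
        types = {t.text.strip() for t in svc.iterfind("xrd:Type", NS) if t.text}
        if OPENID_AUTH not in types:
            continue  # not an OpenID 2.0 auth service; ignore it
        # Profiles are advertised as sub-URIs of the base auth type.
        profiles = {t for t in types if t.startswith(OPENID_AUTH + "/")}
        for uri in svc.iterfind("xrd:URI", NS):
            if uri.text:
                found[uri.text.strip()] = profiles
    return found


def choose_profile(xrds_bytes, acceptable):
    """Pick the first profile, in the RP's order of preference, that the IdP
    also advertises. Returns (endpoint, profile), or None when there is no
    overlap so the RP can tell the user up front instead of failing mid-flow."""
    for endpoint, profiles in advertised_profiles(xrds_bytes).items():
        for wanted in acceptable:
            if wanted in profiles:
                return endpoint, wanted
    return None
```

With the sample document, an RP that accepts BAR or FOO gets FOO; an RP that requires only BAR gets `None` before any redirect happens.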
