Using Yadis For Security Profile Discovery
Granqvist, Hans
hgranqvist at verisign.com
Thu Aug 24 23:38:52 UTC 2006
I'm working on a proposal of a few security profiles
and will post to the list as soon as I'm done . . .
-Hans
> -----Original Message-----
> From: yadis-bounces at lists.danga.com
> [mailto:yadis-bounces at lists.danga.com] On Behalf Of Gabe Wachob
> Sent: Thursday, August 24, 2006 4:24 PM
> To: Recordon, David; yadis at lists.danga.com
> Subject: RE: Using Yadis For Security Profile Discovery
>
> David-
> That's what I was suggesting when talking about advertising
> different service types based on "security profile". So it sounds
> reasonable to me.
>
> -Gabe
>
> > -----Original Message-----
> > From: yadis-bounces at lists.danga.com
> > [mailto:yadis-bounces at lists.danga.com]
> > On Behalf Of Recordon, David
> > Sent: Thursday, August 24, 2006 4:17 PM
> > To: yadis at lists.danga.com
> > Subject: Using Yadis For Security Profile Discovery
> >
> > In talking about adding the concept of adding security profiles to
> > OpenID, we run into the problem of how to express them from a
> > discovery standpoint. One idea is that we have IdPs advertise which
> > of the security profiles they support via Yadis files. As it stands
> > the URI http://openid.net/auth/2.0 is being used, so the proposal
> > would be URIs such as http://openid.net/auth/2.0/FOO,
> > http://openid.net/auth/2.0/BAR, etc.
> >
> > So in this case, the relying party would know what security profiles
> > the IdP supports before starting the authentication protocol. Thus if
> > the IdP only supports FOO and the RP requires BAR, then the RP could
> > tell the user upfront that the protocol cannot succeed. Additionally,
> > if the IdP lists that it supports both FOO and BAR, the RP could pick
> > which one it wants to use. This then should remove the issue that
> > Johannes brought up around degradation.
> >
> > Thoughts?
>
>
>