Using Yadis For Security Profile Discovery

Dick Hardt dick at sxip.com
Fri Aug 25 04:40:00 UTC 2006


I think having a clearly defined security gradient is critical to the  
success of OpenID.

There already are a number of variation points. I believe what Hans  
is doing is putting them into nice packages.

-- Dick

On 24-Aug-06, at 9:30 PM, Johannes Ernst wrote:

> Larry (Drebes), if you are listening to this conversation ... I'm  
> hearing your voice in the back of my head saying "no variation  
> points, please, let's do one way only, otherwise nothing will ever  
> interoperate because the cost of making all cases work (and test  
> all combinations) is too high".
>
> Maybe I'm putting words into your mouth, but ... what do you think  
> about this?
>
> On Aug 24, 2006, at 16:38, Granqvist, Hans wrote:
>
>> I'm working on a proposal of a few security profiles
>> and will post to the list as soon as I'm done . . .
>>
>> -Hans
>>
>>
>>> -----Original Message-----
>>> From: yadis-bounces at lists.danga.com
>>> [mailto:yadis-bounces at lists.danga.com] On Behalf Of Gabe Wachob
>>> Sent: Thursday, August 24, 2006 4:24 PM
>>> To: Recordon, David; yadis at lists.danga.com
>>> Subject: RE: Using Yadis For Security Profile Discovery
>>>
>>> David-
>>> 	That's what I was suggesting when talking about
>>> advertising different service types based on "security
>>> profile". So it sounds reasonable to me.
>>>
>>> 	-Gabe
>>>
>>>> -----Original Message-----
>>>> From: yadis-bounces at lists.danga.com
>>>> [mailto:yadis-bounces at lists.danga.com]
>>>> On Behalf Of Recordon, David
>>>> Sent: Thursday, August 24, 2006 4:17 PM
>>>> To: yadis at lists.danga.com
>>>> Subject: Using Yadis For Security Profile Discovery
>>>>
>>>> In talking about adding the concept of adding security profiles to
>>>> OpenID, we run into the problem of how to express them from a
>>>> discovery standpoint.  One idea is that we have IdPs advertise which
>>>> of the security profiles they support via Yadis files.  As it stands
>>>> the URI http://openid.net/auth/2.0 is being used, so the proposal
>>>> would be URIs such as http://openid.net/auth/2.0/FOO,
>>>> http://openid.net/auth/2.0/BAR, etc.
>>>>
>>>> So in this case, the relying party would know what security profiles
>>>> the IdP supports before starting the authentication protocol.  Thus if
>>>> the IdP only supports FOO and the RP requires BAR, then the RP could
>>>> tell the user upfront that the protocol cannot succeed.  Additionally,
>>>> if the IdP lists that it supports both FOO and BAR, the RP could pick
>>>> which one it wants to use.  This then should remove the issue that
>>>> Johannes brought up around degradation.
>>>>
>>>> Thoughts?
>
> Johannes Ernst
> NetMesh Inc.
>
>  http://netmesh.info/jernst
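The discovery-and-selection step David proposes above, as an added example that is not code from the thread or from any OpenID library: it parses a constructed Yadis XRDS document, collects the profile URIs advertised beneath http://openid.net/auth/2.0, and lets the RP choose from its own ordered list of acceptable profiles, refusing before any protocol round-trip when nothing overlaps. FOO and BAR are the thread's placeholder profile names, and the endpoint URLs and XRDS content are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Yadis XRD namespace and the base OpenID 2.0 service type from the thread.
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2 = "http://openid.net/auth/2.0"

# Constructed sample Yadis document. FOO/BAR are the thread's placeholder
# profile names, not real OpenID profile identifiers; the URIs are made up.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://openid.net/auth/2.0</Type>
      <Type>http://openid.net/auth/2.0/FOO</Type>
      <URI>https://idp.example/openid</URI>
    </Service>
    <Service>
      <Type>http://openid.net/auth/2.0</Type>
      <Type>http://openid.net/auth/2.0/BAR</Type>
      <URI>https://idp.example/openid-strong</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def advertised_profiles(xrds_text):
    """Map each advertised profile URI to the endpoint that serves it.

    Only <Service> elements that also carry the base OpenID 2.0 type count,
    so an unrelated service listing a look-alike URI is ignored.
    """
    root = ET.fromstring(xrds_text)
    profiles = {}
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text]
        endpoint = svc.findtext(f"{{{XRD_NS}}}URI")
        if OPENID2 not in types or not endpoint:
            continue
        for t in types:
            if t.startswith(OPENID2 + "/"):
                profiles[t] = endpoint.strip()
    return profiles


def choose_profile(advertised, rp_acceptable):
    """Pick the first RP-acceptable profile (strongest first) the IdP advertises.

    Returns (profile_uri, endpoint), or None so the RP can tell the user
    upfront that authentication cannot succeed with this IdP.
    """
    for profile in rp_acceptable:
        if profile in advertised:
            return profile, advertised[profile]
    return None
```

The RP's own ordering, not the order or number of entries in the fetched XRDS, decides which profile is used, so an advertisement that omits the stronger profile leads to an upfront refusal rather than a quietly degraded session.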
