Using Yadis For Security Profile Discovery

Johannes Ernst jernst+lists.danga.com at netmesh.us
Fri Aug 25 04:30:10 UTC 2006


Larry (Drebes), if you are listening to this conversation ... I'm  
hearing your voice in the back of my head saying "no variation  
points, please, let's do one way only, otherwise nothing will ever  
interoperate because the cost of making all cases work (and test all  
combinations) is too high".

Maybe I'm putting words into your mouth, but ... what do you think  
about this?

On Aug 24, 2006, at 16:38, Granqvist, Hans wrote:

> I'm working on a proposal of a few security profiles
> and will post to the list as soon as I'm done . . .
>
> -Hans
>
>
>> -----Original Message-----
>> From: yadis-bounces at lists.danga.com
>> [mailto:yadis-bounces at lists.danga.com] On Behalf Of Gabe Wachob
>> Sent: Thursday, August 24, 2006 4:24 PM
>> To: Recordon, David; yadis at lists.danga.com
>> Subject: RE: Using Yadis For Security Profile Discovery
>>
>> David-
>> 	That's what I was suggesting when talking about
>> advertising different service types based on "security
>> profile". So it sounds reasonable to me.
>>
>> 	-Gabe
>>
>>> -----Original Message-----
>>> From: yadis-bounces at lists.danga.com
>>> [mailto:yadis-bounces at lists.danga.com]
>>> On Behalf Of Recordon, David
>>> Sent: Thursday, August 24, 2006 4:17 PM
>>> To: yadis at lists.danga.com
>>> Subject: Using Yadis For Security Profile Discovery
>>>
>>> In talking about adding the concept of adding security profiles to
>>> OpenID, we run into the problem of how to express them from a
>>> discovery standpoint.  One idea is that we have IdPs advertise which
>>> of the security profiles they support via Yadis files.  As it stands
>>> the URI http://openid.net/auth/2.0 is being used, so the proposal
>>> would be URIs such as http://openid.net/auth/2.0/FOO,
>>> http://openid.net/auth/2.0/BAR, etc.
>>>
>>> So in this case, the relying party would know what security profiles
>>> the IdP supports before starting the authentication protocol.  Thus if
>>> the IdP only supports FOO and the RP requires BAR, then the RP could
>>> tell the user upfront that the protocol cannot succeed.  Additionally,
>>> if the IdP lists that it supports both FOO and BAR, the RP could pick
>>> which one it wants to use.  This then should remove the issue that
>>> Johannes brought up around degradation.
>>>
>>> Thoughts?
>>
>>
>>

Johannes Ernst
NetMesh Inc.

  http://netmesh.info/jernst
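As an added example that is not part of this thread (not David's, Hans's or anyone's implementation), here is how a relying party could read profile-specific service Type URIs of the form http://openid.net/auth/2.0/PROFILE out of a Yadis XRDS document and decide upfront whether it can proceed, instead of degrading mid-protocol. The XRDS sample, the FOO profile name and the endpoint URL are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"          # XRD element namespace used by Yadis
AUTH_BASE = "http://openid.net/auth/2.0"  # base type URI from the thread

# Constructed sample XRDS: the IdP advertises the (hypothetical) FOO profile
# plus the bare OpenID 2.0 type. Not a real IdP document.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://openid.net/auth/2.0/FOO</Type>
      <URI>https://idp.example/openid</URI>
    </Service>
    <Service priority="20">
      <Type>http://openid.net/auth/2.0</Type>
      <URI>https://idp.example/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def advertised_profiles(xrds_text):
    """Return {profile_name: endpoint_uri} for every <Service> whose <Type>
    is AUTH_BASE + "/<PROFILE>". The bare AUTH_BASE type carries no profile
    and is deliberately ignored, so an IdP cannot be treated as supporting a
    profile it never named."""
    root = ET.fromstring(xrds_text)
    profiles = {}
    for svc in root.iter("{%s}Service" % XRD_NS):
        uris = [u.text.strip() for u in svc.findall("{%s}URI" % XRD_NS) if u.text]
        for t in svc.findall("{%s}Type" % XRD_NS):
            type_uri = (t.text or "").strip()
            if type_uri.startswith(AUTH_BASE + "/") and uris:
                profiles.setdefault(type_uri[len(AUTH_BASE) + 1:], uris[0])
    return profiles


def select_profile(xrds_text, acceptable):
    """acceptable: the RP's profile names in order of preference.
    Returns (profile, endpoint) for the first acceptable profile the IdP
    advertises, or None when it supports none of them, so the RP can tell
    the user upfront that the protocol cannot succeed."""
    supported = advertised_profiles(xrds_text)
    for name in acceptable:
        if name in supported:
            return name, supported[name]
    return None
```

With the sample above, an RP that only accepts BAR gets None and can stop before any redirect; one that prefers BAR but also accepts FOO is steered to FOO.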