Using Yadis For Security Profile Discovery
larry drebes
ltd at janrain.com
Fri Aug 25 16:01:06 UTC 2006
I agree with Dick.
larry-
Dick Hardt wrote:
> I think having a clearly defined security gradient is critical to the
> success of OpenID.
>
> There already are a number of variation points. I believe what Hans is
> doing is putting them into nice packages.
>
> -- Dick
>
> On 24-Aug-06, at 9:30 PM, Johannes Ernst wrote:
>
>> Larry (Drebes), if you are listening to this conversation ... I'm
>> hearing your voice in the back of my head saying "no variation
>> points, please, let's do one way only, otherwise nothing will ever
>> interoperate because the cost of making all cases work (and test all
>> combinations) is too high".
>>
>> Maybe I'm putting words into your mouth, but ... what do you think
>> about this?
>>
>> On Aug 24, 2006, at 16:38, Granqvist, Hans wrote:
>>
>>> I'm working on a proposal of a few security profiles
>>> and will post to the list as soon as I'm done . . .
>>>
>>> -Hans
>>>
>>>
>>>> -----Original Message-----
>>>> From: yadis-bounces at lists.danga.com
>>>> [mailto:yadis-bounces at lists.danga.com] On Behalf Of Gabe Wachob
>>>> Sent: Thursday, August 24, 2006 4:24 PM
>>>> To: Recordon, David; yadis at lists.danga.com
>>>> Subject: RE: Using Yadis For Security Profile Discovery
>>>>
>>>> David-
>>>> That's what I was suggesting when talking about
>>>> advertising different service types based on "security
>>>> profile". So it sounds reasonable to me.
>>>>
>>>> -Gabe
>>>>
>>>>> -----Original Message-----
>>>>> From: yadis-bounces at lists.danga.com
>>>>> [mailto:yadis-bounces at lists.danga.com]
>>>>> On Behalf Of Recordon, David
>>>>> Sent: Thursday, August 24, 2006 4:17 PM
>>>>> To: yadis at lists.danga.com
>>>>> Subject: Using Yadis For Security Profile Discovery
>>>>>
>>>>> In talking about adding the concept of adding security profiles to
>>>>> OpenID, we run into the problem of how to express them from a
>>>>> discovery standpoint. One idea is that we have IdPs advertise which
>>>>> of the security profiles they support via Yadis files. As it stands
>>>>> the URI http://openid.net/auth/2.0 is being used, so the proposal
>>>>> would be URIs such as http://openid.net/auth/2.0/FOO,
>>>>> http://openid.net/auth/2.0/BAR, etc.
>>>>>
>>>>> So in this case, the relying party would know what security profiles
>>>>> the IdP supports before starting the authentication protocol. Thus if
>>>>> the IdP only supports FOO and the RP requires BAR, then the RP could
>>>>> tell the user upfront that the protocol cannot succeed. Additionally,
>>>>> if the IdP lists that it supports both FOO and BAR, the RP could pick
>>>>> which one it wants to use. This then should remove the issue that
>>>>> Johannes brought up around degradation.
>>>>>
>>>>> Thoughts?
>>>>
>>>>
>>>>
>>
>> Johannes Ernst
>> NetMesh Inc.
>>
>> http://netmesh.info/jernst
>>
>>
>>
>>
>
>
>
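
The relying-party check described in the original proposal at the bottom of this thread, as an added example that is not part of the original messages or of any OpenID library. FOO and BAR are the thread's placeholder profile names; the XRDS sample, the idp.example endpoint and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XRD_NS = "{xri://$xrd*($v*2.0)}"      # XRD 2.0 namespace used by Yadis documents
BASE = "http://openid.net/auth/2.0"   # base service type URI quoted in the thread

# Constructed sample: an IdP that advertises only the FOO profile.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://openid.net/auth/2.0/FOO</Type>
      <URI>https://idp.example/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def advertised_profiles(xrds_text):
    """Map each advertised profile name to the endpoint URIs of its Service."""
    # The document comes from a remote party: refuse DTDs so entity
    # expansion cannot be used against the parser.
    if "<!DOCTYPE" in xrds_text or "<!ENTITY" in xrds_text:
        raise ValueError("DTD not allowed in XRDS")
    root = ET.fromstring(xrds_text)
    profiles = {}
    for service in root.iter(XRD_NS + "Service"):
        uris = [u.text.strip() for u in service.findall(XRD_NS + "URI") if u.text]
        for t in service.findall(XRD_NS + "Type"):
            type_uri = (t.text or "").strip()
            if type_uri.startswith(BASE + "/"):
                profiles.setdefault(type_uri[len(BASE) + 1:], []).extend(uris)
    return profiles


def choose_profile(xrds_text, rp_acceptable):
    """Return (profile, endpoints) by the RP's own preference order, or None."""
    offered = advertised_profiles(xrds_text)
    for profile in rp_acceptable:      # RP order decides, not the IdP's listing
        if offered.get(profile):
            return profile, offered[profile]
    return None                        # no common profile: fail before any redirect


if __name__ == "__main__":
    print(choose_profile(SAMPLE_XRDS, ["BAR"]))          # RP requires BAR only
    print(choose_profile(SAMPLE_XRDS, ["BAR", "FOO"]))   # RP prefers BAR, accepts FOO
```

Because the RP walks its own ordered list and never falls back to a profile outside it, an IdP document cannot steer the RP to a weaker profile than the RP accepts.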