What language/platform did you write it in? Hopefully, it's Java, .NET or PHP.
 
If I paid your firm $1000 a month for 3 months, would you run an experimental, 
live OP service for us - with low volume usage?
 
I'd need a couple of changes, if the answer is yes: having received the request 
and before presenting the user with the per-RP page on whether or not to 
release certain personal data items, I'd need the site to engage in an 
additional round of browser redirects/postbacks - use the SAML2 protocol to 
ping our attribute store rather than use your own. The redirect request is 
little more than a 302 URL including the openid of the user. The redirect 
response is just a POSTed AES-protected token in an IETF-disclosed format - one 
that requires adding and using its decoding/decrypting library to your site 
(obviously I give you this!). Rather than have you use a native SAML2 open 
source library, I'd want this token used as it remotely binds to a SAML2 server 
whose endpoints are certified to ensure the OP has a complete set of *advanced* 
SAML2 "name management/provisioning" features that I really need for the 
experiment - which the open source "websso-centric" toolkits rarely implement.
Within openid I'm promoting the idea of openid as a pure protocol gateway, 
rather than a complete solution. One of the protocol's shortfalls, compared to 
SAML design, is it lacks a bridging/proxying/cascading model and associated 
technical security controls. By having openid front the saml2 websso model 
(exploiting SAML2's formal proxying controls) I'm essentially lobbying for the 
addition of these features to openid 3 - by showcasing the benefits. At each 
proxy, different authentication management policies can be imposed, creating a 
composition of authentication acts (viewing the proxy chain as a chain of 
authentication steps). At your site, you'd get to optionally impose the 
trustbearer scheme, based on testing for a CAC or PIV card, based on the result 
of negotiating with our upstream proxy.
 
In time terms, this will take about 1 to 2 days' programming, 1 day's testing. 
Then we see where it goes. If your openid2 protocol support is pretty complete 
and highly interoperable, perhaps we just license your server after the trial 
is over! (We have a large community of muscle card users, having made our own 
USB token that was a variant of the CAC.)
 
Peter.



> Date: Fri, 15 Feb 2008 14:51:22 -0500
> From: [EMAIL PROTECTED]
> To: [email protected]
> Subject: Re: [Muscle] OpenID for PC/SC Lite / MuscleCard
>
> Peter Williams wrote:
> > is it openid1 or openid2?
> >
> > if it's openid2, what is the "pape" value that a relying party can
> > request, to ensure that it's a "trustbearer" authentication between
> > user/device and the OP?
> >
> > is trustbearer mechanism of user auth actually a. SSL client cert auth,
> > using a cert on the device? b. 7816 authentication? c. ICC proprietary
> > authentication (e.g. GlobalPlatform), or something else?
>
> OpenID 1 and 2 capable
>
> We respond that it's level 4 due to the hardware token involved + policies
> demarking phishing protection, multi-factor & multi-factor physical.
>
> User auth is being performed using challenge-response based on the certificate
> from the token. Pre-registration is necessary since effectively, only the
> public key is used for our setup.
>
> --
> Thomas Harning @ TrustBearer Labs (http://www.trustbearer.com)
> Secure OpenID: https://openid.trustbearer.com/harningt
> 3201 Stellhorn Road 260-399-1656
> Fort Wayne, IN 46815
> _______________________________________________
> Muscle mailing list
> [email protected]
> http://lists.drizzle.com/mailman/listinfo/muscle