Yes. I'll get back to it tomorrow, once the Monday rush is over.
Was the part of the site that does the protocol engine for OpenID the bit
in Java, .NET or PHP?
I have the decoding library in all three platforms. I can simply send a PHP
package, for example, or a jar... or a .dll.
--------------------------------------------------
From: "David Corcoran" <[EMAIL PROTECTED]>
Sent: Monday, February 18, 2008 1:19 PM
To: <[EMAIL PROTECTED]>; "MUSCLE" <[email protected]>
Subject: Re: [Muscle] OpenID for PC/SC Lite / MuscleCard
Hi Peter,
Did you get my last mail ? I think we would be interested in doing
this - I would like to learn more.
Thanks,
Dave
----------------------------------------------------------
TrustBearer Labs
3201 Stellhorn Road 260-399-1648
Fort Wayne, IN 46815
TrustBearer Enabled OpenID at
https://openid.trustbearer.com
----------------------------------------------------------
On Feb 17, 2008, at 2:40 AM, Peter Williams wrote:
What language/platform did you write it in? Hopefully, it's Java, .NET or
PHP.
If I paid your firm $1000 a month for 3 months, would you run an
experimental, live OP service for us - with low volume usage?
I'd need a couple of changes, if the answer is yes: having received the
request and before presenting the user with the per-RP page on whether
or not to release certain personal data items, I'd need the site to
engage in an additional round of browser redirects/postbacks - use the
SAML2 protocol to ping our attribute store rather than use your own. The
redirect request is little more than a 302 URL including the OpenID of
the user. The redirect response is just a POSTed AES-protected token in
an IETF-disclosed format - one that requires adding and using its
decoding/decrypting library to your site (obviously I give you this!).
Rather than have you use a native SAML2 open source library, I'd want
this token used as it remotely binds to a SAML2 server whose endpoints
are certified to ensure the OP has a complete set of *advanced* SAML2
"name management/provisioning" features that I really need for the
experiment - which the open source "websso-centric" toolkits rarely
implement.
Within OpenID I'm promoting the idea of OpenID as a pure protocol
gateway, rather than a complete solution. One of the protocol's
shortfalls, compared to SAML design, is it lacks a bridging/proxying/
cascading model and associated technical security controls. By having
OpenID front the SAML2 websso model (exploiting SAML2's formal proxying
controls) I'm essentially lobbying for the addition of these features to
OpenID 3 - by showcasing the benefits. At each proxy, different
authentication management policies can be imposed, creating a
composition of authentication acts (viewing the proxy chain as a chain
of authentication steps). At your site, you'd get to impose optionally
the TrustBearer scheme, based on testing for a CAC or PIV card, based on
the result of negotiating with our upstream proxy.
In time terms, this will take about 1 to 2 days' programming, 1 day's
testing. Then we see where it goes. If your OpenID2 protocol support is
pretty complete and highly interoperable, perhaps we just license your
server after the trial is over! (We have a large community of MuscleCard
users, having made our own USB token that was a variant of the
CAC.)
Peter.
> Date: Fri, 15 Feb 2008 14:51:22 -0500
> From: [EMAIL PROTECTED]
> To: [email protected]
> Subject: Re: [Muscle] OpenID for PC/SC Lite / MuscleCard
>
> Peter Williams wrote:
> > is it OpenID1 or OpenID2?
> >
> > if it's OpenID2, what is the "pape" value that a relying party can
> > request, to ensure that it's a "trustbearer" authentication between
> > user/device and the OP?
> >
> > is the trustbearer mechanism of user auth actually a. SSL client cert auth,
> > using a cert on the device? b. 7816 authentication? c. ICC proprietary
> > authentication (e.g. GlobalPlatform), or something else?
> >
> OpenID 1 and 2 capable
>
> We respond that it's level 4 due to the hardware token involved + policies
> demarking phishing protection, multi-factor & multi-factor physical.
>
> User auth is being performed using challenge-response based on the
> certificate from the token. Pre-registration is necessary since
> effectively, only the public key is used for our setup.
>
> --
> Thomas Harning @ TrustBearer Labs (http://www.trustbearer.com)
> Secure OpenID: https://openid.trustbearer.com/harningt
> 3201 Stellhorn Road 260-399-1656
> Fort Wayne, IN 46815
> _______________________________________________
> Muscle mailing list
> [email protected]
> http://lists.drizzle.com/mailman/listinfo/muscle