Mike,

Thank you very much for sending the links to the artifact binding home page and 
spec.  I've had a quick look, and maybe I'm missing something, but it seems 
that this completely ignores the problem of authenticating the relying party.  
In section 7.4.1, the RP registers on the fly just by telling the OP who it 
claims to be, and the OP takes the RP's word for it without any verification 
and issues a client_secret.  Same as OpenID Connect.

OpenID 2.0 at least goes to the trouble of asking the user whether he/she 
trusts the realm, and then verifying the return_url against the realm.  I don't 
think that's sufficient, but it's better than nothing.

Francisco
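As an added example, not code from this thread or from any of the specs it discusses, here is the OpenID 2.0 style check Francisco contrasts with the Artifact Binding flow: verifying that a return_to URL falls within the realm the user was asked to trust. The matching rules follow a reading of OpenID Authentication 2.0 section 9.2 and the function names are illustrative assumptions.

```python
# Added example (not from the thread): OpenID 2.0 style verification that a
# return_to URL lies within the realm shown to the user. Rules are an
# assumption based on OpenID Authentication 2.0 section 9.2.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url):
    """Return (scheme, host, effective port, path, fragment) for a URL."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port, u.path or "/", u.fragment


def return_to_matches_realm(return_to, realm):
    """True if return_to is within realm.

    Checks applied:
      - the realm must not carry a fragment and must name a host;
      - scheme and effective port must be equal;
      - the realm path must equal, or be a parent path of, the return_to path;
      - the host must be equal, or, when the realm host starts with "*.",
        the return_to host must be that suffix or a subdomain of it;
      - an over-broad wildcard such as "*.com" is rejected outright.
    """
    r_scheme, r_host, r_port, r_path, r_frag = _parts(realm)
    t_scheme, t_host, t_port, t_path, _ = _parts(return_to)
    if r_frag or not r_host or not t_host:
        return False
    if r_scheme != t_scheme or r_port != t_port:
        return False
    # "/a" matches "/a" and "/a/b" but not "/ab" (sub-path, not string prefix)
    if t_path != r_path and not t_path.startswith(r_path.rstrip("/") + "/"):
        return False
    if r_host.startswith("*."):
        base = r_host[2:]
        if "." not in base:  # reject wildcards like *.com that cover a whole TLD
            return False
        return t_host == base or t_host.endswith("." + base)
    return t_host == r_host
```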

--- On Wed, 1/5/11, Mike Jones <michael.jo...@microsoft.com> wrote:

From: Mike Jones <michael.jo...@microsoft.com>
Subject: RE: [OAUTH-WG] TLS is needed for redirecting back to the client
To: "fcore...@pomcor.com" <fcore...@pomcor.com>, "Marius Scurtescu" 
<mscurte...@google.com>, "Justin Richer" <jric...@mitre.org>
Cc: "oauth@ietf.org" <oauth@ietf.org>, "Karen P. Lewison" 
<kplewi...@pomcor.com>, "Nat Sakimura (n...@sakimura.org)" <n...@sakimura.org>, 
"John Bradley" <ve7...@ve7jtb.com>
Date: Wednesday, January 5, 2011, 5:18 PM

You can read about the Artifact Binding at
https://bitbucket.org/openid/ab/wiki/Home.  The latest draft is at
https://bitbucket.org/openid/ab/raw/c1eaac175dc8/openid-artifact-binding-1_0.html.
Nat Sakimura is actively updating the specification as we speak, incorporating
some of the ideas from OpenID Connect.  The merger of the specs that Nat is
working on is sometimes referred to as OpenID Artifact Binding/Connect or OpenID
ABC for short.  FYI, the specification will be using JSON Web Tokens (JWTs).

-- Mike
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Francisco Corella
Sent: Tuesday, January 04, 2011 5:04 PM
To: Marius Scurtescu; Justin Richer
Cc: oauth@ietf.org; Karen P. Lewison
Subject: Re: [OAUTH-WG] TLS is needed for redirecting back to the client

--- On Tue, 1/4/11, Justin Richer <jric...@mitre.org> wrote:

> > > We need a protocol that does both authentication and
> > > authorization.  We can take OAuth and adapt it for
> > > authentication, or take OpenID and adapt it for
> > > authorization, or combine OpenID and OAuth (great
> > > solution for people who love complexity) or... take the best
> > > ideas from OpenID and OAuth and incorporate them into a new
> > > protocol that's designed from the start for both
> > > authentication and authorization.  That's one of my
> > > motivations for proposing PKAuth.
> >
> > Are you aware of OpenIDConnect?
> >
> > http://openidconnect.com/
>
> And also the latest drafts of OpenID Artifact Binding:
>
> http://wiki.openid.net/w/page/12995134/Artifact-Binding

I'm not familiar with that, and I haven't been able to find
a draft at the site.

Francisco

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth