On Thu, Jan 6, 2011 at 9:16 AM, Francisco Corella <fcore...@pomcor.com> wrote:

> Mike,
>
> Thank you very much for sending the links to the artifact binding home page
> and spec.  I've had a quick look, and maybe I'm missing something, but it
> seems that this completely ignores the problem of authenticating the relying
> party.  In section 7.4.1, the RP registers on the fly just by telling the OP
> who it claims to be, and the OP takes the RP's word for it without any
> verification and issues a client_secret.  Same as OpenID Connect.
>

7.4.1 was taken from the OpenID Connect proposal. The primary mode for Artifact
Binding was the Asymmetric Keys.
Whether to allow dynamic association is entirely at the discretion of the
IdP.
I can imagine that IdP whitelisting, or using a whitelist from a trust
framework, will be the main mode of operation. This is not going to be in the
protocol spec, but should be dealt with in the Profiles that are defined by
some sort of Trust Framework.


> OpenID 2.0 at least goes to the trouble of asking the user whether he/she
> trusts the realm, and then verifying the return_url against the realm.  I
> don't think that's sufficient, but it's better than nothing.
>

ABC may go much further than this, especially when using the asymmetric
signatures and encryption. Whether the IdP is going to be operating in that
mode is dependent on what kind of Trust Framework it is going to use. We
should not conflate the protocol and the trust framework issues.

FYI, the refactoring that we are doing for ABC spec right now is:

0. Signature, Encryption and Token. (JWT)
1. Core: defines the message format and abstract protocols.
2. Protocol Binding binds the Core into a specific flow/protocols.
3. Profiles (which are to be defined by the Trust Frameworks) further
constrain the bindings.
4. Discovery
5. Dynamic Registration
6. Session Management

=nat

>
> Francisco
>
> --- On *Wed, 1/5/11, Mike Jones <michael.jo...@microsoft.com>* wrote:
>
>
> From: Mike Jones <michael.jo...@microsoft.com>
> Subject: RE: [OAUTH-WG] TLS is needed for redirecting back to the client
> To: "fcore...@pomcor.com" <fcore...@pomcor.com>, "Marius Scurtescu" <mscurte...@google.com>, "Justin Richer" <jric...@mitre.org>
> Cc: "oauth@ietf.org" <oauth@ietf.org>, "Karen P. Lewison" <kplewi...@pomcor.com>, "Nat Sakimura (n...@sakimura.org)" <n...@sakimura.org>, "John Bradley" <ve7...@ve7jtb.com>
> Date: Wednesday, January 5, 2011, 5:18 PM
>
>
> You can read about the Artifact Binding at
> https://bitbucket.org/openid/ab/wiki/Home.  The latest draft is at
> https://bitbucket.org/openid/ab/raw/c1eaac175dc8/openid-artifact-binding-1_0.html.
> Nat Sakimura is actively updating the specification as we speak,
> incorporating some of the ideas from OpenID Connect.  The merger of the
> specs that Nat is working on is sometimes referred to as OpenID Artifact
> Binding/Connect or OpenID ABC for short.  FYI, the specification will be using
> JSON Web Tokens (JWTs).
>
>
>
> -- Mike
>
>
>
> *From:* oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] *On Behalf
> Of *Francisco Corella
> *Sent:* Tuesday, January 04, 2011 5:04 PM
> *To:* Marius Scurtescu; Justin Richer
> *Cc:* oauth@ietf.org; Karen P. Lewison
> *Subject:* Re: [OAUTH-WG] TLS is needed for redirecting back to the client
>
>
>
> --- On Tue, 1/4/11, Justin Richer <jric...@mitre.org> wrote:
> > > > We need a protocol that does both authentication and
> > > > authorization.  We can take OAuth and adapt it for
> > > > authentication, or take OpenID and adapt it for
> > > > authorization, or combine OpenID and OAuth (great
> > > > solution
> > > > for people who love complexity) or... take the best
> > > > ideas
> > > > from OpenID and OAuth and incorporate them into a new
> > > > protocol that's designed from the start for both
> > > > authentication and authorization.  That's one of my
> > > > motivations for proposing PKAuth.
> > >
> > > Are you aware of OpenIDConnect?
> > >
> > > http://openidconnect.com/
> >
> > And also the latest drafts of OpenID Artifact Binding:
> >
> > http://wiki.openid.net/w/page/12995134/Artifact-Binding
>
> I'm not familiar with that, and I haven't been able to find
> a draft at the site.
>
> Francisco
>
>
>
>


-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
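The return_to-versus-realm check that Francisco credits OpenID 2.0 with (the OP's only independent check on who the RP is, absent a whitelist or asymmetric keys) is shown here as an added example, not code from the thread or from any of the specs it references. It follows the realm matching rules of OpenID Authentication 2.0 section 9.2: same scheme and port, path equal to or below the realm path, host identical or covered by a leading `*.` wildcard. Treating a wildcard realm as also covering the bare domain, and rejecting wildcards over a bare top-level label, are this example's own choices.

```python
from urllib.parse import urlsplit

_DEFAULT_PORT = {"http": 80, "https": 443}


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """Return True if an OpenID 2.0 return_to URL is covered by the realm.

    Mirrors the realm rules an OP applies before it trusts a redirect
    target: any mismatch means the RP's claimed identity and its actual
    redirect endpoint do not line up, so the request is refused.
    """
    rt, rl = urlsplit(return_to), urlsplit(realm)

    # Realms may not carry a fragment; both URLs must be plain http(s).
    if rl.fragment or rt.scheme not in _DEFAULT_PORT or rl.scheme not in _DEFAULT_PORT:
        return False
    if rt.scheme != rl.scheme:
        return False
    if (rt.port or _DEFAULT_PORT[rt.scheme]) != (rl.port or _DEFAULT_PORT[rl.scheme]):
        return False

    rt_host = (rt.hostname or "").lower()
    rl_host = (rl.hostname or "").lower()
    if rl_host.startswith("*."):
        suffix = rl_host[2:]
        # Refuse overly general wildcards such as "*.com" and nested wildcards.
        if not suffix or "." not in suffix or "*" in suffix:
            return False
        # Assumption: "*.example.com" covers example.com itself and any subdomain.
        if rt_host != suffix and not rt_host.endswith("." + suffix):
            return False
    elif "*" in rl_host or rt_host != rl_host:
        return False

    # Path must be equal to the realm path or sit in a sub-directory of it;
    # a plain string prefix test would wrongly accept "/openidx" for "/openid".
    rl_path = rl.path or "/"
    rt_path = rt.path or "/"
    if rt_path == rl_path:
        return True
    prefix = rl_path if rl_path.endswith("/") else rl_path + "/"
    return rt_path.startswith(prefix)
```

A realm passing this check still says nothing about whether the party that registered it is who it claims to be, which is the gap the rest of the thread is about.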
