Ben Laurie observed:
> David Recordon said:
>> This is one thing which is known to be a challenge to see OpenID scale
>> into higher levels of assurance.  The ultimate answer for these sorts
>> of use cases is not only the user trusting their provider, but the
>> relying party having some form of trust in the provider as well.
>
> That's only one ultimate answer. Another is for the user to sign stuff.

Yes, and thus the web SSO protocol (and profile(s) thereof) needs to specify conveyance of such.

e.g...

SAML V2.0 Holder-of-Key Web Browser SSO Profile
http://www.oasis-open.org/committees/download.php/34965/sstc-saml-holder-of-key-browser-sso-cd-03.pdf

SAML V2.0 Holder-of-Key Assertion Profile
http://www.oasis-open.org/committees/download.php/34962/sstc-saml2-holder-of-key-cd-03.pdf


=JeffH
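As an added illustration of what a holder-of-key profile lets the relying party check (example code written for this edit, not taken from the SAML profiles or from any OpenID or SAML implementation): the relying party reads the certificate the identity provider bound into the assertion's holder-of-key SubjectConfirmation and compares it with the certificate the browser actually presented during TLS client authentication. The assertion XML and the certificate bytes are constructed placeholders, and the IdP's signature over the assertion is assumed to have been verified already.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed stand-in for the DER bytes of the user's TLS client certificate;
# a real relying party takes these from the mutually authenticated TLS session.
USER_CERT_DER = b"constructed-user-certificate-bytes"
USER_CERT_B64 = base64.b64encode(USER_CERT_DER).decode()

# Constructed assertion fragment: the IdP names the user's certificate in a
# holder-of-key SubjectConfirmation rather than issuing a bearer assertion.
ASSERTION_XML = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK_METHOD}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {USER_CERT_B64}
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def holder_of_key_certs(assertion_xml):
    """DER bytes of every certificate named in a holder-of-key confirmation."""
    root = ET.fromstring(assertion_xml)
    certs = []
    for sc in root.iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue  # bearer and other methods do not bind the user's key
        for cert in sc.iterfind(".//ds:X509Certificate", NS):
            # Strip the whitespace XML serialisers put around the base64 text.
            certs.append(base64.b64decode("".join((cert.text or "").split())))
    return certs


def confirm_holder_of_key(assertion_xml, presented_cert_der):
    """True only if the TLS client certificate matches a key named in the assertion.

    Assumes the assertion's own IdP signature has already been verified."""
    return presented_cert_der in holder_of_key_certs(assertion_xml)
```

A bearer assertion, or one presented over a TLS session with a different client certificate, is rejected; the subject must actually hold the key the IdP vouched for.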




security mailing list
http://lists.openid.net/mailman/listinfo/openid-security