On 09.11.2008, at 20:51, Nat Sakimura wrote:
> As to AX+SAML (or for that matter XAdES) is concerned, that is a
> valid approach, but if I were to use SAML, I would use
Just to clarify a technical detail: the XAdES example regarding Estonia you mentioned earlier does not include transporting XAdES payloads over OpenID AX (which seems to be the purpose of the discussed workgroup, where the similarities to SAML over AX come in). The special behavior and out-of-band assurances given by openid.ee do not include anything new on the protocol level, just added semantics on top of basic OpenID transactions. If we could use PDF signatures as legally valid signatures in Estonia, it could be PDF-based signatures instead of XAdES, or ODF signatures, or MS .doc signatures.

FYI, openid.ee allows an RP to upload a contract (template) which must be agreed to and digitally signed (a legally binding signature, resulting in an XAdES document with the filled-in contract signed by the user with an ID-card and stored on the OP) before the OP starts issuing positive assertions about the given user to the given RP. The contract can be a document of any kind (PDF, JPG, DOC, TXT), and the only thing that is transferred to the RP over AX is a 'secret URL' from which the RP can download the signed contract (an XAdES container with the, possibly PDF, contract in it). The actual assurance (that the user has signed the contract the RP has uploaded) comes from out-of-band agreements/contracts between OP and RP. The AX attribute is just an extra option, if the RP wishes to automatically fetch and store the signed contract somewhere.

Basically it is an advanced and legally binding 'I agree with the terms and conditions' checkbox built on top of standard OpenID. By legally binding I mean that it is dead simple in court: "Here are the terms and conditions you digitally signed and which you have violated", as checking checkboxes and pressing 'continue' is not a legally binding action in Estonia; at least I don't know of any court cases about it. If you need an example use case, think of signing and faxing NDAs before you can download some simple "secret" product documentation.
--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
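The message above describes the RP side only in prose: the OP hands the RP a 'secret URL' inside an AX fetch_response, and the RP may fetch the signed XAdES container from it. Below is an added example (not code from openid.ee, Martin's, or the OpenID project) of the checks an RP would do before trusting that URL: locate the AX extension by its real namespace (http://openid.net/srv/ax/1.0), find the attribute by type URI, refuse the value unless the extension fields are listed in openid.signed (unsigned fields in an OpenID 2.0 response cannot be trusted), and refuse to fetch unless the URL is HTTPS on the OP's own host. The attribute type URI, the OP host name and the sample response are assumptions constructed for the example; verifying openid.sig itself (via the association MAC or check_authentication) is not shown.

```python
"""RP-side handling of an AX fetch_response carrying a signed-contract URL.

Added example. CONTRACT_TYPE, OP_HOST and the response contents are
constructed assumptions, not openid.ee's real identifiers.
"""
from urllib.parse import parse_qsl, urlencode, urlparse

AX_NS = "http://openid.net/srv/ax/1.0"                      # real AX 1.0 namespace URI
CONTRACT_TYPE = "http://example.org/ax/signed_contract_url"  # ASSUMED attribute type URI
OP_HOST = "op.example.ee"                                    # ASSUMED OP host
CONTRACT_URL = f"https://{OP_HOST}/contracts/7f3c9a1e/signed-contract.xml"  # constructed


def constructed_response(signed_ax=True):
    """Constructed sample of the query string an OP redirects back to the RP.

    The openid.sig value is a placeholder; this example never verifies it.
    With signed_ax=False the AX fields are present but left out of
    openid.signed, which is the case the RP must reject.
    """
    alias, attr = "ax", "contract"
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": f"https://{OP_HOST}/server",
        "openid.claimed_id": f"https://{OP_HOST}/id/alice",
        "openid.identity": f"https://{OP_HOST}/id/alice",
        "openid.return_to": "https://rp.example.net/openid/return",
        "openid.response_nonce": "2008-11-09T20:51:00ZUNIQUE",
        "openid.assoc_handle": "assoc-1234",
        f"openid.ns.{alias}": AX_NS,
        f"openid.{alias}.mode": "fetch_response",
        f"openid.{alias}.type.{attr}": CONTRACT_TYPE,
        f"openid.{alias}.value.{attr}": CONTRACT_URL,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    if signed_ax:
        signed += [f"ns.{alias}", f"{alias}.mode",
                   f"{alias}.type.{attr}", f"{alias}.value.{attr}"]
    params["openid.signed"] = ",".join(signed)
    params["openid.sig"] = "placeholder-not-a-real-signature"
    return urlencode(params)


def parse_response(query):
    """Decode the indirect response into a flat dict of openid.* parameters."""
    return dict(parse_qsl(query, keep_blank_values=True))


def ax_alias(params):
    """Return the alias bound to the AX namespace (e.g. 'ax'), or None."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def signed_fields(params):
    """Field names (without the 'openid.' prefix) covered by openid.sig."""
    return set(params.get("openid.signed", "").split(","))


def extract_contract_url(params):
    """Return the signed-contract URL, or None if it is absent or unsigned."""
    alias = ax_alias(params)
    if alias is None or params.get(f"openid.{alias}.mode") != "fetch_response":
        return None
    prefix = f"openid.{alias}.type."
    attr = next((k[len(prefix):] for k, v in params.items()
                 if k.startswith(prefix) and v == CONTRACT_TYPE), None)
    if attr is None:
        return None
    # Every AX field we rely on must be under the OP's signature; otherwise an
    # attacker controlling the redirect could splice in any URL they like.
    required = {f"ns.{alias}", f"{alias}.mode",
                f"{alias}.type.{attr}", f"{alias}.value.{attr}"}
    if not required <= signed_fields(params):
        return None
    return params.get(f"openid.{alias}.value.{attr}")


def url_is_acceptable(url):
    """Only fetch over HTTPS and only from the OP we have the agreement with."""
    u = urlparse(url)
    return u.scheme == "https" and u.hostname == OP_HOST


if __name__ == "__main__":
    for signed in (True, False):
        url = extract_contract_url(parse_response(constructed_response(signed)))
        print("signed AX:", signed, "->", url, "fetch ok:" if url else "",
              url_is_acceptable(url) if url else "")
```

The host pin matters because the URL is a capability: anyone who learns it can download the signed contract, so the RP should fetch it once over TLS from the OP and store the container itself rather than keep re-fetching the URL. Checking that the XAdES container actually wraps the template the RP uploaded is a separate step not shown here.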