OpenID-Artifact Binding

From IIW

Session: Tuesday Session 4 Space O

Conference: IIW 10, May 17-19, 2009. This is the Complete Set of Notes.

Topic: OpenID Artifact Binding

Conveners: Nat, Breno, John B.

  • AB is designed to be scalable and stateless. It works with mobile phones.
  • With AB, OpenID can support up to NIST SP 800-63 (rev. 1) LoA 2 - 4, because the assertion is sent over the direct communication channel between the OP and the RP rather than through the user agent.
  • Asymmetric-key signing and encryption protect against the threats defined for LoA 3 - 4.
  • The RP can choose between two request modes:

1. Push: the encoded request message is sent to the OP (POST).

2. Pull: the RP prepares the request file (RPF, JSON) and gives the OP only the URL of that file.

  • The assertion is also JSON, instead of the key-value form encoding used in OpenID 2.0.
  • The OP implementation in PHP is now around 400 lines of code; the RP is 200, even including the HTML part.
  • For digital signing, "Magic Signature" is used (to reach LoA 2 - 3).
  • Encryption:

1. Symmetric-key encryption for encrypting the "Artifact".

2. Asymmetric-key encryption for encrypting the "Assertion".

  • The URL of the RPF can be published in XRDS.
  • The RPF can be cached by the OP until it is updated.
  • The "Holder of Key" parameter in the assertion stores the user's certificate used for PKI-based authentication (in order to meet LoA 4).
  • The "Pull" mode is required for mobile phones that cannot run JavaScript.
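
Added example (not from the session and not the PHP implementations mentioned above): a self-contained Go simulation of the push-mode exchange, with the OP and RP sides in one program. The OP signs a JSON assertion in a simplified Magic-Signature-style envelope (RSA-SHA256 over the base64url-encoded assertion; the real Magic Signatures envelope also carries data_type, encoding and alg fields), files it under a random artifact, and hands only the artifact back through the user agent; the RP then resolves the artifact over the direct channel and verifies the signature, audience and nonce. The assertion field names (aud, claimed_id, nonce), the request fields (realm, return_to, nonce), the example URLs and the in-memory artifact table are this example's assumptions, not the AB draft's. Symmetric encryption of the artifact, asymmetric encryption of the assertion, the pull-mode RPF fetch and the Holder-of-Key parameter are not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

var b64 = base64.RawURLEncoding

// must panics on error; used only where this demo has no sensible recovery.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Envelope is a simplified Magic-Signature-style envelope (this example's
// assumption): Sig is RSA-SHA256 over Data, the base64url-encoded JSON assertion.
type Envelope struct{ Data, Sig string }

// OP holds the signing key and the table of not-yet-resolved artifacts.
type OP struct {
	Key       *rsa.PrivateKey // Key.PublicKey stands in for what OP discovery publishes
	artifacts map[string]Envelope
}

func NewOP() *OP {
	return &OP{Key: must(rsa.GenerateKey(rand.Reader, 2048)), artifacts: map[string]Envelope{}}
}

func randomToken(n int) string {
	b := make([]byte, n)
	must(rand.Read(b))
	return b64.EncodeToString(b)
}

// Authorize takes the RP's push-mode request, authenticates the user (simulated by
// the user argument), signs the assertion and returns the artifact for the front channel.
func (op *OP) Authorize(req map[string]string, user string) string {
	raw := must(json.Marshal(map[string]string{
		"aud": req["realm"], "claimed_id": user, "nonce": req["nonce"]}))
	data := b64.EncodeToString(raw)
	h := sha256.Sum256([]byte(data))
	sig := must(rsa.SignPKCS1v15(rand.Reader, op.Key, crypto.SHA256, h[:]))
	art := randomToken(16) // opaque and unguessable; it carries no information itself
	op.artifacts[art] = Envelope{data, b64.EncodeToString(sig)}
	return art
}

// Resolve is the direct-channel endpoint: it exchanges an artifact for the signed
// assertion exactly once, so a replayed or guessed artifact yields nothing.
func (op *OP) Resolve(art string) (Envelope, bool) {
	env, ok := op.artifacts[art]
	delete(op.artifacts, art)
	return env, ok
}

// VerifyEnvelope is the RP side: check the signature with the OP's public key,
// then check that the assertion is for this RP and this outstanding request.
func VerifyEnvelope(pub *rsa.PublicKey, env Envelope, realm, nonce string) (map[string]string, error) {
	sig, _ := b64.DecodeString(env.Sig) // a garbled signature simply fails to verify
	h := sha256.Sum256([]byte(env.Data))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	raw, _ := b64.DecodeString(env.Data) // parsed only now, after the signature holds
	var a map[string]string
	if err := json.Unmarshal(raw, &a); err != nil {
		return nil, err
	}
	if a["aud"] != realm || a["nonce"] != nonce {
		return nil, fmt.Errorf("assertion aud=%q nonce=%q is not for this request", a["aud"], a["nonce"])
	}
	return a, nil
}

// RunFlow drives one push-mode login end to end and checks that the artifact
// resolves exactly once.
func RunFlow(op *OP) (map[string]string, error) {
	realm, nonce := "https://rp.example", randomToken(8)
	req := map[string]string{"realm": realm, "return_to": realm + "/return", "nonce": nonce}
	art := op.Authorize(req, "https://op.example/alice") // OP -> user agent -> RP
	env, ok := op.Resolve(art)                            // direct channel, RP -> OP
	if _, again := op.Resolve(art); !ok || again {
		return nil, errors.New("artifact must resolve exactly once")
	}
	return VerifyEnvelope(&op.Key.PublicKey, env, realm, nonce)
}

func main() {
	fmt.Println(RunFlow(NewOP()))
}
```

Run it with go run; RunFlow returns the verified assertion map and a nil error. The points to take from it: the user agent only ever sees the opaque artifact, so nothing about the assertion leaks through the browser or a non-JavaScript phone; Resolve deletes the artifact on first use, so a replayed or guessed artifact yields nothing; and the RP parses the JSON only after the signature has been checked and then still checks aud and nonce, since a valid OP signature by itself says nothing about which RP or which request the assertion was meant for.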