OpenID-Artifact Binding

From IIW
Latest revision as of 12:39, 7 February 2011

Session: Tuesday Session 4 Space O

Conference: IIW 10, May 17-19, 2009 (complete set of notes)

Topic: OpenID Artifact Binding

Conveners: Nat, Breno, John B.

  • AB is designed to be scalable and stateless, and it works on mobile phones.
  • With AB, OpenID can support NIST SP 800-63 (rev. 1) Levels of Assurance 2 through 4, because the assertion is sent over the direct communication channel between the OP and the RP rather than through the user agent.
  • Asymmetric-key signing and encryption protect against the threats defined for L3 and L4.
  • The RP can choose between two request modes:

1. Push: the encoded request message is sent to the OP (POST).

2. Pull: the RP prepares the RPF (a JSON request message) and tells the OP only the URL of that message.

  • The assertion is also in JSON, instead of the key-value form encoding used in OpenID 2.0.
  • The OP implementation in PHP is now around 400 lines of code; the RP is 200, including even the HTML part.
  • For digital signing, "Magic Signature" is used (to reach LoA 2 to 3).
  • Encryption:

1. Symmetric-key encryption for encrypting the "Artifact".

2. Asymmetric-key encryption for encrypting the "Assertion".

  • The URL of the RPF can be published in XRDS.
  • The RPF can be cached by the OP until it is updated.
  • The "Holder of Key" parameter in the assertion stores the user's certificate used for PKI-based authentication (in order to meet LoA 4).
  • The "Pull" mode is required for mobile phones that are not capable of JavaScript.
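The flow sketched in these notes, modelled end to end as an added example (this is not code from the session, from the spec, or from the PHP implementation mentioned above): the RP prepares a JSON RPF, the OP receives it by push or by pull, the OP hands the user agent only an opaque artifact, and the RP exchanges that artifact for the signed JSON assertion over the direct OP-to-RP channel. Assumptions: HMAC-SHA256 stands in for the RSA-based Magic Signature (so the RP and OP share one key instead of the RP holding the OP's public key), the artifact is a random handle kept in OP state rather than a symmetric-key-encrypted blob, and every URL, field name and the RPF layout is invented for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Illustrative model of OpenID Artifact Binding. All URLs, field names and the
# RPF layout are assumptions; HMAC-SHA256 is a stand-in for the RSA "Magic
# Signature"; the artifact is an opaque handle held in OP state, not an
# encrypted blob as the notes describe.

ARTIFACT_TTL = 60  # seconds an issued artifact may still be redeemed


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class OpenIDProvider:
    def __init__(self, signing_key: bytes):
        self.signing_key = signing_key
        self.pending = {}    # artifact -> (rpf, identity, issued_at)
        self.rpf_cache = {}  # rpf_url -> rpf, "cached in OP until updated"

    def receive_request(self, mode, payload, fetch=None):
        """Push: the encoded RPF is POSTed. Pull: only its URL arrives and the OP fetches it."""
        if mode == "push":
            return json.loads(b64u_decode(payload))
        if mode == "pull":
            if payload not in self.rpf_cache:
                self.rpf_cache[payload] = json.loads(fetch(payload))
            return self.rpf_cache[payload]
        raise ValueError("unknown request mode")

    def authenticate(self, rpf, identity):
        """After user authentication, mint an opaque artifact for the user agent to carry."""
        artifact = b64u(secrets.token_bytes(16))
        self.pending[artifact] = (rpf, identity, time.time())
        return rpf["return_to"] + "?artifact=" + artifact

    def resolve(self, artifact, caller_return_to):
        """Direct OP->RP channel: trade the artifact for the signed JSON assertion."""
        entry = self.pending.pop(artifact, None)  # pop makes the artifact single-use
        if entry is None:
            raise PermissionError("unknown or already-redeemed artifact")
        rpf, identity, issued_at = entry
        if time.time() - issued_at > ARTIFACT_TTL:
            raise PermissionError("artifact expired")
        if caller_return_to != rpf["return_to"]:
            raise PermissionError("artifact bound to a different RP")
        assertion = {"identity": identity, "return_to": rpf["return_to"],
                     "nonce": rpf["nonce"], "iat": int(time.time())}
        data = b64u(json.dumps(assertion, sort_keys=True).encode())
        sig = hmac.new(self.signing_key, data.encode(), hashlib.sha256).digest()
        return {"data": data, "alg": "HMAC-SHA256", "sig": b64u(sig)}


class RelyingParty:
    def __init__(self, return_to, op_key):
        self.return_to = return_to
        self.op_key = op_key
        self.nonce = b64u(secrets.token_bytes(8))

    def request_file(self):
        # The RPF: the request as a JSON document instead of 2.0's key-value form
        return {"return_to": self.return_to, "nonce": self.nonce}

    def redeem(self, op, redirect_url):
        artifact = redirect_url.split("artifact=", 1)[1]
        env = op.resolve(artifact, self.return_to)
        expected = hmac.new(self.op_key, env["data"].encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64u_decode(env["sig"])):
            raise PermissionError("bad signature on assertion")
        assertion = json.loads(b64u_decode(env["data"]))
        if assertion["return_to"] != self.return_to or assertion["nonce"] != self.nonce:
            raise PermissionError("assertion does not match this request")
        return assertion


def run_flow(mode="pull"):
    key = secrets.token_bytes(32)  # constructed shared key (stand-in for the OP's public key)
    op = OpenIDProvider(key)
    rp = RelyingParty("https://rp.example/return", key)
    rpf = rp.request_file()
    if mode == "push":
        req = op.receive_request("push", b64u(json.dumps(rpf).encode()))
    else:
        hosted = {"https://rp.example/rpf.json": json.dumps(rpf)}  # RPF published at a URL
        req = op.receive_request("pull", "https://rp.example/rpf.json", fetch=hosted.__getitem__)
    redirect = op.authenticate(req, "https://op.example/alice")
    assertion = rp.redeem(op, redirect)
    try:                       # replaying the artifact through the user agent must fail
        rp.redeem(op, redirect)
        replayed = True
    except PermissionError:
        replayed = False
    return assertion["identity"], replayed
```

Both `run_flow("pull")` and `run_flow("push")` return the asserted identity together with `False` for the replay flag: the artifact is single-use, time-limited and bound to the RP's return_to, and the assertion, its nonce and its signature are only ever handled on the direct channel, which is the property the notes rely on for the higher assurance levels.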