Session: Tuesday Session 4 Space O
Topic: OpenID Artifact Binding
Convener: Nat, Breno, John.B
- AB designs for scalable and stateless. It works with mobile phones.
- With AB, OpenID can support up to NIST SP800-63(rev1) L2 - L4 because the assertions are sent in the direct communication channel between OP and RP.
- Asymmetric key signing and encryption will protect the threat defined in L3 - L4.
- RP can choose 2 types of the request mode:
1. Push: Encoded request messsage sent to OP (POST)
2. Pull: Prepare RPF(JSON) msg and let know OP only the URL to the msg
- The Assertion is also in JSON instead of key-value form encoding in 2.0.
- OP implementation in PHP is now around 400 lines of code! RP is 200 including even HTML part.
- For digital signing, "Magic Signature" is used. (to get LoA 2 - 3).
1. Symmetric key encryption for encrypting "Artifact".
2. Asymmetric key encryption for encrypting "Assertion".
- URL for RPF can be published in XRDS.
- RPF can be cached in OP until updated.
- The "Holder of Key" parameter in the assertion for storing user's cert used for PKI based authentication. (In order to meet LoA4)