Re: [OAUTH-WG] [Openid-specs-ab] Simple Web Discovery

Anthony Nadalin <tonynad@microsoft.com> Thu, 28 October 2010 23:40 UTC

From: Anthony Nadalin <tonynad@microsoft.com>
To: the Connect work group <openid-specs-connect@lists.openid.net>
Date: Thu, 28 Oct 2010 23:42:31 +0000
Message-ID: <180155C5EA10854997314CA5E063D18FE59464@TK5EX14MBXC117.redmond.corp.microsoft.com>
References: <20101027013941.E742F21F40@mail.zxidp.org> <180155C5EA10854997314CA5E063D18FE573EE@TK5EX14MBXC117.redmond.corp.microsoft.com> <79DB6BC1-62CA-4B84-8B45-5E01044CFC4F@ve7jtb.com>
In-Reply-To: <79DB6BC1-62CA-4B84-8B45-5E01044CFC4F@ve7jtb.com>
Cc: "sampo@zxidp.org" <sampo@zxidp.org>, "openid-specs-ab@lists.openid.net" <openid-specs-ab@lists.openid.net>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [Openid-specs-ab] Simple Web Discovery

So I'm not sure this would be handled by the SWD itself, but as pointed out in the SWD specification, the SWD may be accompanied by an authorization header, and this is where I would expect that to happen.

-----Original Message-----
From: openid-specs-connect-bounces@lists.openid.net [mailto:openid-specs-connect-bounces@lists.openid.net] On Behalf Of John Bradley
Sent: Thursday, October 28, 2010 8:41 AM
To: the Connect work group
Cc: sampo@zxidp.org; openid-specs-ab@lists.openid.net; oauth@ietf.org
Subject: Re: [Openid-specs-ab] [OAUTH-WG] Simple Web Discovery

In the case where the user logs in to an RP with a PPID-type identifier:

How could the person then allow the RP to discover their service endpoints?
Also, conversely, would publishing the endpoint provide a way for the RP to correlate the user without permission?

One common practice for OpenID PPID is that the IdP generates the PPID via AES128(actual ID + RP or sector identifier).

In that case the RP could do an OAuth flow to the IdP discovery endpoint to get permission to see the user endpoints.
The IdP could decrypt the opaque identifier to determine the actual subject.

That would protect the non-correlation unless the user decides to permit discovery.

The model, if not the details, seems similar to some work that is being submitted to the ITU-T, as I understand it.

John B.
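As an added example (not code from this thread, nor from any SWD or OpenID implementation), here is one way an IdP could realize the pairwise identifier John describes, in Go: the PPID is an encryption of the subject plus sector identifier under an IdP-held key, and the IdP's discovery endpoint decrypts it, once the user has authorized discovery, to recover the actual subject. The keys, the "subject|sector" encoding (subjects are assumed to contain no '|'), and the synthetic-IV construction (HMAC-derived IV plus AES-128-CTR, so the PPID is stable per sector and carries an integrity check) are my assumptions; the thread says only AES128(actual ID + RP or sector identifier).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// Constructed demo keys; a real IdP keeps them secret, separate and rotated.
var encKey, macKey = []byte("0123456789abcdef"), []byte("fedcba9876543210") // AES-128 + HMAC

// synthIV derives the IV from the plaintext (synthetic-IV style): one (subject, sector) always yields the same PPID, and the IV doubles as an integrity tag.
func synthIV(plain []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(plain)
	return m.Sum(nil)[:aes.BlockSize]
}

// MakePPID is the IdP side: encrypt "subject|sector" so the RP only ever sees an opaque value.
func MakePPID(subject, sector string) string {
	plain := []byte(subject + "|" + sector)
	iv := synthIV(plain)
	block, _ := aes.NewCipher(encKey) // 16-byte key, so NewCipher cannot fail
	ct := make([]byte, len(plain))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plain)
	return base64.RawURLEncoding.EncodeToString(append(iv, ct...))
}

// ResolvePPID is what the IdP's discovery endpoint does once the user has authorized discovery: decrypt, verify the tag, and confirm the PPID was minted for the asking sector.
func ResolvePPID(ppid, sector string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(ppid)
	if err != nil || len(raw) <= aes.BlockSize {
		return "", errors.New("malformed PPID")
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	block, _ := aes.NewCipher(encKey)
	plain := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(plain, ct)
	if !hmac.Equal(synthIV(plain), iv) {
		return "", errors.New("PPID failed integrity check") // forged, tampered or foreign key
	}
	subject, got, ok := strings.Cut(string(plain), "|")
	if !ok || got != sector {
		return "", errors.New("PPID was not issued for this sector")
	}
	return subject, nil
}
```

Because the IV is a MAC of the plaintext, a PPID minted for one sector fails resolution when presented by another, which is the non-correlation property John wants to preserve until the user permits discovery.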


On 2010-10-28, at 12:07 PM, Anthony Nadalin wrote:

> Sampo, can you give a use case of how you would use the pairwise
> 
> -----Original Message-----
> From: openid-specs-ab-bounces@lists.openid.net 
> [mailto:openid-specs-ab-bounces@lists.openid.net] On Behalf Of 
> sampo@zxidp.org
> Sent: Tuesday, October 26, 2010 6:40 PM
> To: Mike Jones
> Cc: sampo@zxidp.org; openid-specs-ab@lists.openid.net; oauth@ietf.org; 
> openid-specs-connect@lists.openid.net
> Subject: Re: [Openid-specs-ab] [OAUTH-WG] Simple Web Discovery
> 
> Simple enough spec. I like the notion of service type. However some questions to answer:
> 
> How would one convey saml2:Assertion as the "principal"? Or how would one convey a saml2:NameID as the "principal"?
> 
> Or, in a more generic sense, how would one convey a pairwise pseudonym as principal?
> 
> Cheers,
> --Sampo
> 
> Mike Jones <Michael.Jones@microsoft.com> said:
>> Having a simple discovery method for services and resources is key to enabling many Internet scenarios that require interactions among parties that do not have pre-established relationships.  For instance, if Joe, with e-mail address joe@example.com, wants to share his calendar with Mary, then Mary's calendar service, in the general case, will need to discover the location of Joe's calendar service.  For example, Mary's calendar service might discover that Joe's calendar service is located at http://calendars.proseware.com/calendar/joseph by doing discovery for a service named urn:adatum.com:calendar at example.com for the account joe.
>> 
>> Yaron Goland <http://www.goland.org/> and I are submitting this Simple Web Discovery (SWD) <http://self-issued.info/docs/draft-jones-simple-web-discovery-00.html> draft (attached and at http://self-issued.info/docs/draft-jones-simple-web-discovery-00.html) for consideration by the community to address this need.  SWD is simple to understand and implement, enables different permissions to be applied to discovery of different services, and is JSON-based.  I look forward to discussing this with many of you next week at IIW <http://www.internetidentityworkshop.com/iiwxi-11-in-mountain-view/>.
>> 
>> --
>> Mike
>> 