Andrew Sun's List: identity

• In brief: When the source of a user's identity and authentication information (identity provider or IdP) is different from where the information is consumed (the service provider or SP, also known as the relying party or RP), certain scenarios require the RP to initiate contact with the IdP in order to accomplish single sign-on or other similar federated identity activities. This requires that the RP know how to locate the IdP. 

  In more detail: SSO is commonly deployed in one of two major styles. An IdP that serves users as a one-stop portal to RP websites (typically a known set of partners) is the simpler style, and because the IdP initiates contact with each RP (called IdP-initiated SSO), it has no discovery problem. A more complex style is SP-initiated SSO, in which users can approach (or bookmark) the website belonging to an RP directly; it is only when a user asks for protected resources at this site that the site must then begin a conversation with the user's IdP. But which IdP, where on the network? That is indeed the problem. 

  • IDP disvovery problem

• • What problem does an IDP discovery method to solve
• So this leads to an interesting question: when I first arrive at a site, how does it know who I’ve chosen to be my IdP? When I turn up at Unicorns-R-Us, how do they know that they should go to Amazon to verify that I’m logged in and that I’m the same guy as shopped there last time?

  • What problem does an IDP discovery method to solve
• A people DNS would be the answer. Essentially, the problem you’re trying to solve is the same problem encountered when people wanted to make the Internet friendly. Folks can’t remember an IP, but then can remember microsoft.com.

  • DNS helps IDP discovery
• • DNS helps IDP discovery

  • dd
• • Browser helps login, similar to the i-card
• the browser, not the web site, prompts you select an ID provider from a list of ID providers known to the browser, or enter a new one.

4 more annotations...

• he inability to do this type of automatic operation is one of the shortcomings in Cardspace's implementation that I think will eventually be fixed.
• The IdP only sees that you have visited a particular relying party. It does not see what you do at the relying party.
• • artifact
• The intention, as Kim surely knows, is to pass a message by reference rather than by value.
• • Purpose of relayState param
• RelayState is designed for the RP to send information to itself, not the IdP, so that it can remember what the user was trying to access when the user is returned to the RP following a successful SSO operation.

4 more annotations...

• You might ask why, given the greater visibility of IP on RP, I didn’t put the redirection protocols at the extreme left of my identity technology privacy spectrum.  The reason is that the probability of RP/RP collusion CAN be greatly reduced when compared to X.509 certificates, as I will show next.

• A long overdue update to the status of the CardSpace Extension 

  • inforCard for firefox

• The YubiKey differs from traditional authentication tokens based on time-variant codes in that it needs no battery and therefore does not rely on an absolute time generated by an accurate time source. No battery means unlimited shelf life, no synchronization and customer support issues, and enables significant cost reduction.   
  

• 传意大利足球明星皮埃罗要起诉Facebook

• 王海举报淘宝网 淘宝网：他不了解网购流程

• 如果确有需要留下个人资料，必要时应与对方约定保密责任

• 网络不是完全虚拟的空间，网络与现实相联系。现实社会不能做的，在网络上也不能做，做了就会受罚