Subject: RE: [xdi] Link Contract Authentication Requirement


I think XDI needs to support PKI (Federal/DoD market, some enterprise market), OAUTH (rest of enterprise market), and none (hobbyists and people learning the technology). I think SAML can be an add on later. What I'd recommend is that we focus on a generic token-based credential passing authentication, message signing, and message encryption, and leave the specific mechanisms for a separate document. This lets people with different needs use the same core spec but use different security profiles.

So to sum up:
Core doc: XDI Signing, XDI message based encryption, incorporation of i-name and zero or more authentication tokens
Later (in near term) docs...
.. PKI-based XDI authentication, specifically with details on using a CAC and covering CRLs, etc.
.. OAUTH-based XDI Authentication
.. Web of Trust authentication (Connect.me, PGP, etc.)

-Bill

-----Original Message-----
From: Michael Schwartz [mailto:mike@gluu.org]
Sent: Friday, June 03, 2011 10:04 AM
To: OASIS - XDI TC
Cc: yuriy@gluu.org
Subject: [xdi] Link Contract Authentication Requirement


I think OX needs to support 4 authentication trust models:
   1) None (secure network is trust model)
   2) PKI  (requester publishes public key, and signs messages)
   3) SAML (organization signs message)
   4) OAUTH (requester publishes consumer IDP and username, and
      is re-directed there for authentication)

I think it would be convenient to have XRI vocabulary to express these policies in a Link contract.

Thoughts?

- Mike


--------------------------------------------------------------------------------------

Michael Schwartz
Gluu
Founder, CEO
mike@gluu.org
https://www.gluu.org
+1 646-810-8761

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
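The following is an added illustration, not code from either message and not XDI's own vocabulary: it sketches how a link contract could carry a required trust model (Mike's four models) and how a receiver would enforce the PKI case, where the requester publishes a public key and signs each message (Bill's core-doc signing piece). The type and field names (TrustModel, LinkContract, Message, Directory), the i-name strings, and the length-prefixed signing input are all assumptions made for the example; SAML and OAuth are deliberately left as "not implemented" to show that the dispatch point is the same even when the mechanism lives in a separate profile.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// TrustModel names the authentication trust model a link contract demands.
// The four values follow the thread; the vocabulary itself is hypothetical.
type TrustModel string

const (
	TrustNone  TrustModel = "none"
	TrustPKI   TrustModel = "pki"
	TrustSAML  TrustModel = "saml"
	TrustOAuth TrustModel = "oauth"
)

// LinkContract is a hypothetical policy stub carrying only the auth requirement.
type LinkContract struct {
	Required TrustModel
}

// Message is a constructed, XDI-style envelope (fields are assumptions).
type Message struct {
	Sender    string // requester's i-name
	Body      []byte
	Signature []byte // detached Ed25519 signature over signingInput()
}

// signingInput binds the sender identity to the body so a signature cannot be
// replayed under another sender; the length prefix removes boundary ambiguity.
func signingInput(m *Message) []byte {
	out := []byte(fmt.Sprintf("%d:", len(m.Sender)))
	out = append(out, m.Sender...)
	return append(out, m.Body...)
}

// Directory models "requester publishes public key": i-name -> public key.
type Directory map[string]ed25519.PublicKey

// Sign attaches the requester's signature to the message.
func Sign(priv ed25519.PrivateKey, m *Message) {
	m.Signature = ed25519.Sign(priv, signingInput(m))
}

var (
	ErrUnsupported = errors.New("trust model not implemented in this example")
	ErrNoKey       = errors.New("no published key for sender")
	ErrBadSig      = errors.New("signature missing or invalid")
)

// Authorize enforces the contract's trust model on an inbound message.
func Authorize(lc LinkContract, dir Directory, m *Message) error {
	switch lc.Required {
	case TrustNone:
		return nil // the network is the trust boundary; nothing to check
	case TrustPKI:
		pub, ok := dir[m.Sender]
		if !ok {
			return ErrNoKey
		}
		if len(m.Signature) != ed25519.SignatureSize ||
			!ed25519.Verify(pub, signingInput(m), m.Signature) {
			return ErrBadSig
		}
		return nil
	case TrustSAML, TrustOAuth:
		return ErrUnsupported // would be defined by a separate profile
	default:
		return fmt.Errorf("unknown trust model %q", lc.Required)
	}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dir := Directory{"=alice": pub} // constructed sample directory
	pki := LinkContract{Required: TrustPKI}

	msg := &Message{Sender: "=alice", Body: []byte("$get")}
	Sign(priv, msg)
	fmt.Println("signed, valid:   ", Authorize(pki, dir, msg))

	msg.Body = []byte("$del") // tamper after signing
	fmt.Println("tampered body:   ", Authorize(pki, dir, msg))

	msg.Sender = "=mallory" // sender without a published key
	fmt.Println("unknown sender:  ", Authorize(pki, dir, msg))

	fmt.Println("none contract:   ", Authorize(LinkContract{Required: TrustNone}, dir, msg))
	fmt.Println("oauth contract:  ", Authorize(LinkContract{Required: TrustOAuth}, dir, msg))
}
```

Running it prints nil for the signed message, ErrBadSig after the body is altered, ErrNoKey for an unpublished sender, nil under a "none" contract, and ErrUnsupported under the OAuth contract; the point is that the link contract chooses the check and the message carries whatever that check needs.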


