From: David Corcoran (david.corcoran@trustbearer.com)
Date: Mon Feb 18 2008 - 15:19:55 CST
Hi Peter,
Did you get my last mail? I think we would be interested in doing
this - I would like to learn more.
Thanks,
Dave
----------------------------------------------------------
TrustBearer Labs
3201 Stellhorn Road 260-399-1648
Fort Wayne, IN 46815
TrustBearer Enabled OpenID at
https://openid.trustbearer.com
----------------------------------------------------------
On Feb 17, 2008, at 2:40 AM, Peter Williams wrote:
>
> what language/platform did you write it in? Hopefully, it's
> Java, .NET or PHP.
>
> If I paid your firm $1000 a month for 3 months, would you run an
> experimental, live OP service for us - with low volume usage?
>
> I'd need a couple of changes, if the answer is yes: having received
> the request and before presenting the user with the per-RP page on
> whether or not to release certain personal data items, I'd need the
> site to engage in an additional round of browser redirects/postbacks
> - use the SAML2 protocol to ping our attribute store rather than use
> your own. The redirect request is little more than a 302 URL
> including the openid of the user. The redirect response is just a
> POSTED AES-protected token in an IETF-disclosed format - one that
> requires adding and using its decoding/decrypting library to your
> site (obviously I give you this!). Rather than have you use a native
> SAML2 open source library, I'd want this token used as it remotely
> binds to a SAML2 server whose endpoints are certified to ensure the
> OP has a complete set of *advanced* SAML2 "name management/
> provisioning" features that I really need for the experiment - which
> the open source "websso-centric" toolkits rarely implement.
>
> Within openid I'm promoting the idea of openid as a pure protocol
> gateway, rather than a complete solution. One of the protocol's
> shortfalls, compared to SAML design, is it lacks a bridging/proxying/
> cascading model and associated technical security controls. By
> having openid front the saml2 websso model (exploiting SAML2's
> formal proxying controls) I'm essentially lobbying for the addition
> of these features to openid 3 - by showcasing the benefits. At each
> proxy, different authentication management policies can be imposed,
> creating a composition of authentication acts (viewing the proxy
> chain as a chain of authentication steps). At your site, you'd get
> to impose optionally the trustbearer scheme, based on testing for a
> CAC or PIV card, based on the result of negotiating with our
> upstream proxy.
>
> In time terms, this will take about 1 to 2 days' programming, 1 day's
> testing. Then we see where it goes. If your openid2 protocol support
> is pretty complete and highly interoperable, perhaps we just license
> your server after the trial is over! (We have a large community of
> muscle card users, having made our own USB token that was a variant
> of the CAC)
>
> Peter.
>
>
>
>
> > Date: Fri, 15 Feb 2008 14:51:22 -0500
> > From: thomas.harning@trustbearer.com
> > To: muscle@lists.musclecard.com
> > Subject: Re: [Muscle] OpenID for PC/SC Lite / MuscleCard
> >
> > Peter Williams wrote:
> > > is it openid1 or openid2?
> > >
> > > if it's openid2, what is the "pape" value that a relying party can
> > > request, to ensure that it's a "trustbearer" authentication between
> > > user/device and the OP?
> > >
> > > is trustbearer mechanism of user auth actually a. SSL client cert auth,
> > > using a cert on the device? b. 7816 authentication? c. ICC proprietary
> > > authentication (e.g. GlobalPlatform), or something else?
> > >
> > OpenID 1 and 2 capable
> >
> > We respond that it's level 4 due to the hardware token involved + policies demarking
> > phishing protection, multi-factor & multi-factor physical.
> >
> > User auth is being performed using challenge-response based on the certificate from the
> > token. Pre-registration is necessary since effectively, only the public key is used for
> > our setup.
> >
> > --
> > Thomas Harning
> > TrustBearer Labs (http://www.trustbearer.com)
> > Secure OpenID: https://openid.trustbearer.com/harningt
> > 3201 Stellhorn Road 260-399-1656
> > Fort Wayne, IN 46815
> > _______________________________________________
> > Muscle mailing list
> > Muscle@lists.musclecard.com
> > http://lists.drizzle.com/mailman/listinfo/muscle