
OpenID Assertion Quality Extension

So a few weeks ago Avery Glasser and I were talking about describing meta-data around OpenID Authentication assertions. Today I'm happy to announce that Avery, Paul Madsen, and I have co-authored the first public draft of the OpenID Assertion Quality Extension. One of the really interesting things this shows is the start of convergence between OpenID and SAML. This theme is becoming increasingly important as OpenID becomes more complex, SAML more light-weight, and the right solution somewhere in the middle.

This extension to the OpenID Authentication protocol provides means for a Relying Party to request additional information about the specifics by which a user enrolled and/or authenticated to the OpenID Provider, as well as for an OpenID Provider to add such information into assertions.
Such information may be necessary for use cases in which, for an RP to make an assessment of the quality of an assertion from an OP, the OP's identity is not on its own sufficient (as might be the case were an OP capable of authenticating a user through various authentication mechanisms).

While there are other aspects of lifecycle management that may bear on the resultant quality of an OpenID Authentication assertion, enrollment and authentication are generally the two characteristics that are most useful in distinguishing authentication quality. Consequently, we focus on these aspects here. We expect that other aspects (e.g. security characteristics, credential provisioning, etc.) could be dealt with in the future.

As an extension, it requires no changes to either the Yadis protocol or the OpenID Authentication protocol and is viewed as an optional extension, though its use is certainly recommended.

We acknowledge that, while none of the information expressed via this extension can be verified by the Relying Party in a technological fashion, this need not be viewed as an issue. The lack of an inherent trust model within OpenID allows Relying Parties to decide which OPs they trust using whatever criteria they choose; likewise, RPs will decide whether or not to trust claims as to authentication quality from such OPs as well.
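To make the trust model concrete, here is an added example of how an RP might consume such claims. This is illustrative code written for this post, not code from the draft or from any OpenID library. The extension alias `aqe`, its namespace URI, the `auth_method` field and the `password`/`otp`/`smartcard` vocabulary are all assumptions; the draft linked below defines the real names. The `openid.signed` handling follows the OpenID Authentication convention that signed parameter names are listed without the `openid.` prefix, and the example assumes the assertion's signature has already been checked before `assess()` runs. The pattern it shows is the one the text describes: the RP first decides whether it trusts the OP at all, then separately decides whether to believe that OP's self-reported authentication quality.

```python
"""RP-side evaluation of authentication-quality claims in an OpenID assertion.

Hypothetical example. Extension alias, namespace, field names and the
authentication-method vocabulary are assumptions, not the draft's definitions.
"""
from urllib.parse import parse_qs, urlencode

# Assumed extension alias and namespace (placeholders, not the draft's values).
AQE_ALIAS = "aqe"
AQE_NS = "http://example.invalid/openid/assertion-quality/PLACEHOLDER"

# RP policy (constructed sample): which OPs are trusted to authenticate users,
# and whether the RP believes each OP's self-reported quality claims.
TRUSTED_OPS = {
    "https://op.example.com/": {"trust_quality_claims": True},
    "https://weak-op.example.org/": {"trust_quality_claims": False},
}

# Assumed vocabulary for the authentication-mechanism claim, mapped to an
# ordinal assurance rank that the RP's access decisions are expressed in.
AUTH_RANK = {"password": 1, "otp": 2, "smartcard": 3}


def build_sample(op_endpoint, auth_method, sign_extension=True):
    """Construct a sample positive assertion as a query string.

    Constructed test data, not a real OP response; the signature is a placeholder.
    """
    signed = ["op_endpoint", "identity", "return_to", "response_nonce", "assoc_handle"]
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.identity": "https://alice.example.net/",
        "openid.return_to": "https://rp.example.com/finish",
        "openid.response_nonce": "2006-11-30T00:00:00ZPLACEHOLDER",
        "openid.assoc_handle": "placeholder-handle",
        f"openid.ns.{AQE_ALIAS}": AQE_NS,
        f"openid.{AQE_ALIAS}.auth_method": auth_method,
    }
    if sign_extension:
        signed += [f"ns.{AQE_ALIAS}", f"{AQE_ALIAS}.auth_method"]
    params["openid.signed"] = ",".join(signed)
    params["openid.sig"] = "PLACEHOLDER-SIGNATURE"
    return urlencode(params)


def parse_assertion(query_string):
    """Flatten a form-encoded OpenID response into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def extension_fields(params, alias=AQE_ALIAS, ns=AQE_NS):
    """Return the extension's fields, but only those the OP actually signed.

    An unsigned openid.<alias>.* parameter could have been altered in transit
    through the user agent, so it is ignored rather than trusted.
    """
    if params.get(f"openid.ns.{alias}") != ns:
        return {}
    signed = set(params.get("openid.signed", "").split(","))
    if f"ns.{alias}" not in signed:
        return {}
    prefix = f"openid.{alias}."
    fields = {}
    for key, value in params.items():
        if key.startswith(prefix) and key[len("openid."):] in signed:
            fields[key[len(prefix):]] = value
    return fields


def assess(params, required_rank):
    """Decide whether an assertion meets `required_rank`; returns (accepted, reason).

    Quality claims cannot be verified by the RP. They are honoured only for OPs
    the RP has chosen to believe; for any other OP they are ignored (rank 0).
    """
    policy = TRUSTED_OPS.get(params.get("openid.op_endpoint"))
    if policy is None:
        return False, "untrusted OP"
    fields = extension_fields(params)
    if fields and policy["trust_quality_claims"]:
        claimed = AUTH_RANK.get(fields.get("auth_method"), 0)
    else:
        claimed = 0  # no (signed) claims, or claims from an OP whose claims we ignore
    if claimed >= required_rank:
        return True, f"claimed rank {claimed}"
    return False, f"claimed rank {claimed} below required {required_rank}"


if __name__ == "__main__":
    for op, method, signed in [("https://op.example.com/", "otp", True),
                               ("https://op.example.com/", "otp", False),
                               ("https://weak-op.example.org/", "smartcard", True),
                               ("https://unknown.example/", "otp", True)]:
        print(op, method, "signed" if signed else "unsigned",
              assess(parse_assertion(build_sample(op, method, signed)), 2))
```

The two separate policy decisions (is the OP trusted; are its quality claims trusted) are the point: an RP can accept an OP for ordinary logins while still refusing to let that OP's claimed `smartcard` authentication unlock a higher-assurance action, and a claim that was not covered by `openid.signed` is treated as absent rather than as evidence.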

Draft: http://openid.net/specs/openid-assertion-quality-extension-1_0-01.html
Post: http://openid.net/pipermail/specs/2006-November/000964.html