[WG-OTTO] FW: [TAC-InC] Fwd: [deployment-profile] OpenID FastFed working group
keith.hazelton at wisc.edu
Wed Oct 26 10:46:45 CDT 2016
Interesting challenges to current proposals. --Keith
On 26, 10:34, "tac-request at incommon.org on behalf of Cantor, Scott" <tac-request at incommon.org on behalf of cantor.2 at osu.edu> wrote:
> process. I would think this group fills a (perhaps not too small) niche
> between this Google/Facebook OP model and what Roland has started to
> figure out how we could build multilateral federations on top of OIDC.
They're targeting bilateral cloud integration / non-federated applications and trying to replace SAML metadata with something that's leap-of-faith of TLS to grab a JSON provisioning document that would handle both SAML and OIDC. Since there's virtually no B2B usage of OIDC, they have to focus on SAML if they want to do anything in the short run.
Leap of faith works well for initial setup. The change management part seems to be under some debate and will cause problems since doing that takes more than leap of faith security if you want to do more than just blindly trust CAs. It's the ADFS model basically, refreshing unsigned metadata based on an https URL.
Without knowing what the change management story is, I would withhold judgement on the value. Obviously when you have software that already handles that with metadata, this adds nothing functionally, it's just more work to cater to people who don't want to support the existing standard. I'm not terribly sympathetic to that attitude. I should spend my limited resources to reimplement things I solved with an open standard 10 years ago? Not so much. Give me the money, then maybe.
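To make the distinction Scott draws concrete (leap of faith is fine for the first fetch, but refreshing unsigned metadata on TLS alone means trusting every CA forever), here is a small added example, not code from the thread or from any FastFed or ADFS implementation. It pins the signing key found in the bootstrap document and then requires every refresh to be signed by that pinned key and to carry a newer version. The JSON shape, the Ed25519 choice, the version counter and the four scenarios are all assumptions made for illustration:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// ProvisioningDoc is a constructed stand-in for the JSON document the thread
// says would be fetched over TLS; it is not a real FastFed schema.
type ProvisioningDoc struct {
	EntityID string `json:"entity_id"`
	ACSURL   string `json:"acs_url"`
	Version  int    `json:"version"`
}

// Fetched is what a (simulated) HTTPS fetch hands the RP: the raw document,
// an optional detached signature, and the signer's public key if published.
type Fetched struct {
	Body      []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

// RPTrust is the relying party's state after the leap-of-faith bootstrap.
type RPTrust struct {
	pinnedKey ed25519.PublicKey
	version   int
	doc       ProvisioningDoc
}

var (
	ErrUnsigned   = errors.New("refresh rejected: document is unsigned (TLS alone is not enough)")
	ErrBadSig     = errors.New("refresh rejected: signature does not verify under pinned key")
	ErrKeyChanged = errors.New("refresh rejected: signer key differs from pinned key")
	ErrRollback   = errors.New("refresh rejected: version is not newer than the accepted one")
)

// Bootstrap is the leap of faith: the RP accepts whatever TLS delivered on
// first contact, but it pins the signer key so later changes are accountable.
func Bootstrap(f Fetched) (*RPTrust, error) {
	var d ProvisioningDoc
	if err := json.Unmarshal(f.Body, &d); err != nil {
		return nil, err
	}
	if len(f.SignerKey) != ed25519.PublicKeySize {
		return nil, errors.New("bootstrap document carries no signer key to pin")
	}
	if !ed25519.Verify(f.SignerKey, f.Body, f.Signature) {
		return nil, ErrBadSig
	}
	return &RPTrust{pinnedKey: f.SignerKey, version: d.Version, doc: d}, nil
}

// Refresh is the change-management step: the new document must be signed by
// the pinned key (not merely served from the same https URL) and must not
// roll back to an older version.
func (t *RPTrust) Refresh(f Fetched) error {
	if len(f.Signature) == 0 {
		return ErrUnsigned
	}
	if len(f.SignerKey) != 0 && !f.SignerKey.Equal(t.pinnedKey) {
		return ErrKeyChanged
	}
	if !ed25519.Verify(t.pinnedKey, f.Body, f.Signature) {
		return ErrBadSig
	}
	var d ProvisioningDoc
	if err := json.Unmarshal(f.Body, &d); err != nil {
		return err
	}
	if d.Version <= t.version {
		return ErrRollback
	}
	t.version, t.doc = d.Version, d
	return nil
}

// Publish simulates the provider side: marshal the document and sign it.
func Publish(priv ed25519.PrivateKey, d ProvisioningDoc) Fetched {
	body, _ := json.Marshal(d)
	return Fetched{Body: body, Signature: ed25519.Sign(priv, body), SignerKey: priv.Public().(ed25519.PublicKey)}
}

// ScenarioResult records the outcome of each constructed refresh attempt.
type ScenarioResult struct {
	Bootstrap, SignedRefresh, UnsignedRefresh, RotatedKeyRefresh, RollbackRefresh error
	FinalVersion                                                                  int
}

// RunScenario walks through bootstrap plus four refreshes: a good signed
// update, an unsigned "ADFS-style" update, an update signed by a different
// key, and a signed rollback to the original version.
func RunScenario() ScenarioResult {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // an attacker's or rotated key
	v1 := ProvisioningDoc{EntityID: "https://idp.example.test", ACSURL: "https://sp.example.test/acs", Version: 1}
	v2, v3 := v1, v1
	v2.Version, v3.Version = 2, 3
	v3.ACSURL = "https://evil.example.test/acs"

	rp, bootErr := Bootstrap(Publish(priv, v1))
	r := ScenarioResult{Bootstrap: bootErr}
	if bootErr != nil {
		return r
	}
	r.SignedRefresh = rp.Refresh(Publish(priv, v2))
	unsigned, _ := json.Marshal(v3)
	r.UnsignedRefresh = rp.Refresh(Fetched{Body: unsigned})
	r.RotatedKeyRefresh = rp.Refresh(Publish(otherPriv, v3))
	r.RollbackRefresh = rp.Refresh(Publish(priv, v1))
	r.FinalVersion = rp.version
	return r
}

func main() {
	r := RunScenario()
	fmt.Printf("bootstrap: %v\nsigned v2: %v\nunsigned v3: %v\nrotated key v3: %v\nsigned rollback to v1: %v\naccepted version: %d\n",
		r.Bootstrap, r.SignedRefresh, r.UnsignedRefresh, r.RotatedKeyRefresh, r.RollbackRefresh, r.FinalVersion)
}
```

Run with `go run .`; only the signed v2 update is accepted, so the RP ends on version 2 while the unsigned, re-keyed and rolled-back refreshes are all refused. In the pure https-URL model the unsigned v3 document, with its changed ACS URL, would have been taken on the strength of the CA chain alone.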
I haven't been all that deep into OIDC, but certainly the market forces behind OIDC assume a very small number of OPs (Google, Facebook, and a few others) that would have anything close to a global scope, and that RPs would register directly with the specific OPs they decide to use. That is, RPs don't need metadata, and OPs distribute their metadata through the registration process. I would think this group fills a (perhaps not too small) niche between this Google/Facebook OP model and what Roland has started to figure out how we could build multilateral federations on top of OIDC.
On 10/25/2016 03:02 PM, Nicholas Roy wrote:
On 10/25/16 3:56 PM, Paul Caskey wrote:
- He’s been around quite a while. Formerly at Microsoft, then started his own company – Sxip Identity – based on reputational identity, but I haven’t heard from him in a while…
- FWIW, the term “pair wise federation” seems to be an oxymoron…
I thought that orchestrating bilateral exchange of needed metadata between an OP and RP was the primary driving force behind OIDC? If so, why does this new WG even exist?