shibboleth-dev - RE: [Shib-Dev] New IETF draft for IdP Discovery ("PingPong")
  • From: Peter Williams
  • To: Shibboleth Developers
  • Subject: RE: [Shib-Dev] New IETF draft for IdP Discovery ("PingPong")
  • Date: Thu, 16 Dec 2010 02:12:10 -0800

It seems to be open season on folks conceiving of discovery mechanisms, that
then augment SAML/openid/OAUTH flows. A nice space is opening up: do it the
[sem]web way, do it the javascript way, do it the XRD way, do it the DNSsec
proxy way...

Strikes me one could do the same kind of sidechannel pingpong with the user's
http proxy (or https proxy, to be more precise). Rather than use cookies and
a javascript process [executing in the user ring of the CPU and on
browsers/OS that don't particularly leverage the memory containment features
of the i386, remember], the formal HTTP(s) proxy builds a model of whether or
not the user has one or more SSL sessions outstanding with one or more of the
n listed IDPs. Then the SSL sessionid(s) are playing the role of the cookie,
the HTTP(S) proxy is playing the role of the javascript, and one has a more
classical hosting model for sensitive functions.

I'm hoping that Kantara provides a fair-minded "resolving forum" for some of
this, as it's likely that the various religions will be their normal cultish
selves over these kinds of developments.

-----Original Message-----
From: Lukas Hämmerle
Sent: Thursday, December 16, 2010 1:09 AM
To: Shibboleth Developer
Subject: [Shib-Dev] New IETF draft for IdP Discovery ("PingPong")

Our colleague Simon Leinen made us aware of a new Internet draft (published
last week) with the title: "PingPong IdP Discovery Protocol"
http://www.ietf.org/id/draft-efazendin-pingpong-idp-discovery-00.txt
Read the title and then guess who is behind this draft ;-) ?

It proposes a profile for figuring out a user's Identity Provider based on
Javascript, IFRAMES and cookies.

Although I usually don't like IFRAME-based solutions and although there are
also some scalability issues, I'm interested to read what others think about
it. Could this become a possible feature of the IdPv3?

I could see this as an extension to the embedded Discovery Service.
However, this would of course require wide adoption on the IdP side.

Kind Regards
Lukas

--
SWITCH
Serving Swiss Universities
--------------------------
Lukas Hämmerle, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 64, fax +41 44 268 15 68
http://www.switch.ch
