Introduction to OpenID TX proposed extension

Rationale of having "Contract Negotiation" protocols and the Basic sequence.

  • It is not complex at all.

    The Artifact Binding (Synchronous) is exactly the same as OAuth.
  • It would be nice if you could create a 3-slide presentation with mostly pictures and only a handful of words, to make it very clear and understandable what the main problem is that TX/CX tries to solve, how it does it, and what the essence of the solution is.

    Currently I understand that TX includes a) a new 'digital contract format' of key/value pairs which can be signed using PKI means, b) some clever http-message-fu to be more mobile friendly, c) the assumption that the OP manages some assets (like money) which the RP can't access itself. The essence of the extension is to provide a way to communicate these contracts in OpenID messages between RP and OP. Is it correct?

    To be honest I get a bit scared when I look at the very complex flow diagram :)
Transcript

  • 1. An Introduction to OpenID TX ver. 1.4. Nat Sakimura (=nat), Nov. 11, 2008
  • 2. Preface
    • This document gives a brief overview of the Trust Exchange (TX) Extension for OpenID.
    • Internet payment is used as the use case because it is easy to illustrate; it is just an example, and the extension can be used for other purposes as well. TX is essentially a general-purpose, public-key-signed contract exchange protocol together with a contract format.
    • As you can see, the most basic pattern, “Synchronous + POST binding”, runs entirely on top of OpenID 2.0 AuthN: it is just a bunch of extra messages added to it via the namespace extension mechanism.
    • Asynchronous + POST binding differs slightly in that a callback is defined so that it can cope with delayed signing, which is a pretty common case in many contracts.
    • An Artifact binding is defined here as well. You can regard an artifact as a reference or transaction number for the proposal and contract. By using the artifact, we can move the actual contract communication onto direct (server-to-server) communication so that it is mobile friendly.
    • The signature methods used here are public-key based, to comply with the digital signature laws and assurance frameworks of many countries.
    • The tag names are not final. They are most likely to be changed.
  • 3. Contents
    • Why TX
    • Highlights
    • OpenID TX Contract Negotiation (POST binding)
      • Synchronous Case
      • Asynchronous Case
    • TX Data Transfer (optional)
    • OpenID TX Contract Negotiation (Artifact binding)
    • Deployment Status
    • Appendix
      • Contract Proposal Example
      • Contract Example
  • 4. Why TX?
    • “OpenID will continue to be implemented widely, but it will be relegated to low-risk applications unless security weaknesses are addressed and stronger authentication options and secure attribute exchange functionalities are added.”
    • “Avoid OpenID for use in financial transactions and other transactions involving sensitive information unless augmented with stronger authentication methods and other controls (such as transaction anomaly detection).”
      • ~ Gregg Kreizman, Ray Wagner, Oct. 10, 2008, Gartner Research ID: G00161878
      • OpenID needs “better security” for “more sensitive/higher value” transactions.
    Contract Driven Data Exchange = Trust Exchange (TX)
  • 5. Highlight
    • Somewhat similar in spirit to WS-Trust.
    • Instead of SOAP messages, it uses key=value pairs and a RESTful API, so it fits well as an OpenID extension.
    • Trust Tokens/Contracts are stored as legally binding “contracts” that can be produced to an authority when necessary.
      • This constrains the form of the signature; e.g., RSA 1024-bit, DSA, ECDSA, etc.
    • Token types and signature types are deliberately limited to keep the implementation simple.
    • Two bindings (POST and Artifact) to meet both broadband and mobile requirements.
    • A simple default secure data transfer method is defined, but any method can be employed as long as it is specified in the contract.
  • 6. OpenID Login + Payment (synchronous), POST Binding
    • Participants: OP (Level 1), User (Browser), XRDS, OP (Level 2 + Payment), RP (Shopping)
    • Sequence:
      • User clicks the “Login to check out” button at the RP (Shopping).
      • RP finds the services for Level 1 auth and Level 2 + Payment auth (XRDS discovery).
      • RP redirects the user to the Level 1 auth OP.
      • User authenticates with username and password etc. (screen mock-up: taro123 / *****).
      • Level 1 OP returns a Positive Assertion to the RP.
      • RP shows the Order Form; user clicks the “Buy” button.
      • RP redirects the user to the L2+Payment OP with [TX] POST Contract Proposal (Proposal Signing by the RP).
      • User authenticates with a 2nd factor etc. (screen mock-up: PIN, 暗証番号).
      • Approval Signing at the L2+Payment OP.
      • L2+Payment OP returns Positive Assertion + [TX] Contract to the RP.
      • RP shows the “Thanks!” screen.
    • Legend: OpenID Authentication; User AuthN; OpenID (TX) Approval/Signing
  • 7. OpenID Login + Payment (synchronous), POST Binding
    • Participants: OP (Level 1), User (Browser), XRDS, OP (Level 2 + Payment), RP (Shopping)
    • Same sequence as slide 6, except that the L2+Payment OP returns Positive Assertion + tx.c.tatus=Pending to the RP before the “Thanks!” screen.
    • Legend: OpenID Authentication; User AuthN; OpenID (TX) Approval/Signing
  • 8. Notification
    • Participants: OP (Level 1), User (Browser), XRDS, OP (Level 2 + Payment), RP (Shopping)
    • RP sends a [TX] Contract based Request and receives data ([TX] Receive Data).
    • OP to RP notification: [TX] Notification (status). Status values: Contract Complete, Data Changed, Contract terminated, ID removed.
    • RP to OP notification: [TX] Notification.
    • Legend: OpenID Authentication; User AuthN; OpenID (TX) Approval/Signing
  • 9. Data Transfer (Optional)
    • Participants: OP (Level 1), User (Browser), XRDS, OP (Level 2 + Payment), RP (Shopping)
    • RP sends [TX] GET with Contract ID + Signature to the L2+Payment OP.
    • RP receives the data ([TX] Receive Data).
    • Legend: OpenID Authentication; User AuthN; OpenID (TX) Approval/Signing
    • N.B. Although TX defines a default Data Transfer protocol, it can be substituted by any other method as long as it is specified in the Contract.
  • 10. OpenID Login + Payment (synchronous), Artifact Binding
    • Participants: OP (Level 1), User (Browser), XRDS, OP (Level 2 + Payment), RP (Shopping)
    • Sequence:
      • User clicks the “Login to check out” button at the RP (Shopping).
      • RP finds the services for Level 1 auth and Level 2 + Payment auth (XRDS discovery).
      • RP redirects the user to the Level 1 auth OP.
      • User authenticates with username and password etc. (screen mock-up: taro123 / *****).
      • Level 1 OP returns a Positive Assertion to the RP.
      • RP shows the Order Form; user clicks the “Buy” button.
      • RP sends [TX] POST Contract Proposal directly to the L2+Payment OP (Proposal Signing by the RP) and receives a [TX] Transaction ID.
      • RP redirects the user to the L2+Payment OP with the Transaction ID.
      • User authenticates with a 2nd factor etc. (screen mock-up: PIN, 暗証番号).
      • Approval Signing at the L2+Payment OP.
      • L2+Payment OP returns Positive Assertion + Contract ID to the RP.
      • RP sends the [TX] Contract ID directly to the OP and receives the Contract ([TX] Receive Contract).
      • RP shows the “Thanks!” screen.
    • Legend: OpenID Authentication; User AuthN; OpenID (TX) Approval/Signing
  • 11. OpenID Login + Payment (asynchronous), Artifact Binding
    • Participants: OP (Level 1), User (Browser), XRDS, OP (Level 2 + Payment), RP (Shopping)
    • Sequence: as in slide 10 up to the 2nd-factor authentication at the L2+Payment OP, then:
      • L2+Payment OP returns Positive Assertion + tx.c.tatus=Pending to the RP.
      • RP shows the “Thanks!” screen.
      • Approval Signing at the L2+Payment OP completes asynchronously.
      • L2+Payment OP sends [TX] Completion Notification to the RP.
      • RP sends the [TX] Contract ID directly to the OP and receives the Contract ([TX] Receive Contract).
    • Legend: OpenID Authentication; User AuthN; OpenID (TX) Approval/Signing
  • 12. Appendix: example proposal
    • tx.proposal.id=123
    • tx.proposal.term=Base64 text representation of the human readable text of the contract terms.
    • tx.proposal.return_to=http://merchant.com/tx/retunr_to.php
    • tx.proposal.dataid=http://payment.net/authcapture
    • tx.proposal.notify=http://merchant.com/tx/pingme.php
    • tx.proposal.proposerid=http://merchant.com/sales
    • tx.proposal.subjectid=http://specs.openid.net/auth/2.0/identifier_select
    • tx.proposal.signerid=http://merchant.com/sales
    • tx.proposal.amt.receive.unit=http://specs.openid.net/tx/1.0/iso4217/JPY
    • tx.proposal.amt.receive=10000
    • tx.proposal.amt.pay_unit=http://merchant.com/milage
    • tx.proposal.amt.pay=10
    • tx.proposal.created=2008-10-16T09:00:00Z
    • tx.proposal.expiry=2009-10-16T09:00:00Z
    • tx.proposal.cert=-----BEGIN CERTIFICATE-----%0D%0AMIIB+DCCAaICCQCHrF5YNUISgTANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMC%0D%0ASlAxDjAMBgNVBAgTBVRva3lvMQ4wDAYDVQQHEwVUb2t5bzESMBAGA1UEChMJaGRr%0D%0AbnIuY29tMQwwCgYDVQQLEwNzeXMxEjAQBgNVBAMTCWhka25yLmNvbTEdMBsGCSqG%0D%0ASIb3DQEJARYObWFpbEBoZGtuci5jb20wHhcNMDgwNTMwMDI0ODU0WhcNMDgwNjI5%0D%0AMDI0ODU0WjCBgjELMAkGA1UEBhMCSlAxDjAMBgNVBAgTBVRva3lvMQ4wDAYDVQQH%0D%0AEwVUb2t5bzESMBAGA1UEChMJaGRrbnIuY29tMQwwCgYDVQQLEwNzeXMxEjAQBgNV%0D%0ABAMTCWhka25yLmNvbTEdMBsGCSqGSIb3DQEJARYObWFpbEBoZGtuci5jb20wXDAN%0D%0ABgkqhkiG9w0BAQEFAANLADBIAkEAuyV30isbJTRsM4E2BlPLNqYrUYs3DD35cm4r%0D%0ALG1o6WwWpBuIHvA0UPALGBZyAJcNpNBY0bi1roehdL6LMX0xTQIDAQABMA0GCSqG%0D%0ASIb3DQEBBQUAA0EAbhBenOXHXc6vkS5ITd8LcS9ERT0gkrYeGl5csue9rcEkaQYw%0D%0A45f91W9O7aqP9yZVUaEyAuOcpndGd+XeK4TFRw==%0D%0A-----END CERTIFICATE-----
    • tx.proposal.sigalg=rsa
    • tx.proposal.signed=id,term,return_to,dataid,notify,proposalid,subjectid,signerid,amt_receive.unit,amt_receive,amt_pay.unit,amt_pay,created,expiry,cert,sigalg
    • tx.proposal.signature=ja+zaxRymdd+ACVRQtch+04osmIvlczz6FLig9mY9eAPPwAuQX/QMrpiMZVP2GkEZj4+kuuQq7JcDuIXxXD4Aw==
    NOTE: This is a bit out of date. See http://sourceforge.jp/projects/openidtx/
  • 13. Appendix: example contract
    • tx.proposal.id=123
    • … [entire proposal here]
    • tx.proposal.signature=ja+zaxRymdd+ACVRQtch+04osmIvlczz6FLig9mY9eAPPwAuQX/QMrpiMZVP2GkEZj4+kuuQq7JcDuIXxXD4Aw==
    • tx.contract.id=1432456
    • tx.contract.subjectid=http://payment.net/user/45342432
    • tx.contract.amt.receive.unit=http://specs.openid.net/tx/1.0/iso4217/JPY
    • tx.contract.amt.receive=10000
    • tx.contract.amt.pay_unit=http://merchant.com/milage
    • tx.contract.amt.pay=10
    • tx.contract.created=2008-10-16T09:00:10Z
    • tx.contract.expiry=2009-10-16T09:00:00Z
    • tx.contract.signerid=http://payment.net/authzsvc
    • tx.contract.cert=-----BEGIN CERTIFICATE-----%0D%0AMIIBhjCCATACCQCcpktIZP6hxzANBgkqhkiG9w0BAQUFADBKMRMwEQYDVQQDEwpn%0D%0AYWllbi5uZXQgMRcwFQYDVQQLEw5zeXMuZ2FpZW4ubmV0IDENMAsGA1UEChMEc3lz%0D%0AIDELMAkGA1UEBhMCSlAwHhcNMDgxMDEwMDQ0MzIwWhcNMDgxMTA5MDQ0MzIwWjBK%0D%0AMRMwEQYDVQQDEwpnYWllbi5uZXQgMRcwFQYDVQQLEw5zeXMuZ2FpZW4ubmV0IDEN%0D%0AMAsGA1UEChMEc3lzIDELMAkGA1UEBhMCSlAwXDANBgkqhkiG9w0BAQEFAANLADBI%0D%0AAkEAsZtBs9BWwNDs7w67Y85SCajNr5RyvXM2uzg6hgbQvHANpUrbxmtePEuYdWvq%0D%0A4hlzNUerqhTjc2xm6SKxCpQwnQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAA5Xgz7UW%0D%0A9XYWEpRG4CDgqLqYy9od0DrJseEEDNOULc/wEG+93wYCMwXDUra4SRTw8CW60ZfQ%0D%0AklmHJiX6pebhBw==
    • tx.contract.signed=proposal.signature,id,subjectid,amt_receive.unit,amt.receive,amt_pay.unit,amt.pay,created,expiry,signerid,cert
    • tx.contract.signature=g/BKhLjC4JbPVs+X3hfH3eqC8tlKu5DxIoBj+Qmjp7/rPLu9lprt4p9LYf+ihSd4OYBU1rlpHX2pYucU58YUYw==
    NOTE: This is a bit out of date. See http://sourceforge.jp/projects/openidtx/
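The proposal and contract above are key=value messages whose `signed` list names the fields the public-key signature covers (slides 5, 12 and 13). The Go code below is an added example, not code from the slides or the openidtx project: it parses such a message, builds the signing base over the listed fields, signs it with RSA and verifies it, and its Verify also refuses a message whose required fields (amount, expiry, and so on) are missing from `signed`, since a field outside that list can be altered without invalidating the signature. The "key:value\n" serialisation and the SHA-256 hash are assumptions; the slides give only sigalg=rsa.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// ParseTX keeps the key=value lines carrying prefix (e.g. "tx.proposal."), minus the prefix.
func ParseTX(raw, prefix string) map[string]string {
	m := map[string]string{}
	for _, line := range strings.Split(raw, "\n") {
		if kv := strings.SplitN(strings.TrimSpace(line), "=", 2); len(kv) == 2 && strings.HasPrefix(kv[0], prefix) {
			m[strings.TrimPrefix(kv[0], prefix)] = kv[1]
		}
	}
	return m
}

// SigningBase serialises the fields named in "signed", in that order, as "key:value\n"
// (the OpenID 2.0 convention for openid.signed; assumed here, the slides do not fix it).
func SigningBase(m map[string]string) []byte {
	var b strings.Builder
	for _, k := range strings.Split(m["signed"], ",") {
		fmt.Fprintf(&b, "%s:%s\n", k, m[k])
	}
	return []byte(b.String())
}

// Sign yields the "signature" value: RSA PKCS#1 v1.5 over SHA-256 (hash assumed; the slide says only sigalg=rsa).
func Sign(m map[string]string, key *rsa.PrivateKey) ([]byte, error) {
	h := sha256.Sum256(SigningBase(m))
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
}

// Verify rejects a message unless every required field is listed in "signed" (an unlisted
// field can be changed in transit without breaking the signature) and the RSA signature verifies.
func Verify(m map[string]string, sig []byte, pub *rsa.PublicKey, required []string) error {
	covered := "," + m["signed"] + ","
	for _, k := range required {
		if !strings.Contains(covered, ","+k+",") {
			return fmt.Errorf("required field %q is not covered by the signature", k)
		}
	}
	h := sha256.Sum256(SigningBase(m))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}
```

The relying party's required-field list should cover everything it acts on (subjectid, signerid, amounts, created, expiry and, for a contract, proposal.signature), not just whatever the sender chose to list.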