An Introduction to OpenID TX ver. 1.4
Nat Sakimura (=nat), Nov. 11, 2008
Preface

This document gives a brief overview of the Trust Exchange (TX) Extension for OpenID. Internet payment is used as the use case because it is easy to illustrate; it is only an example, and the extension can be used for other purposes as well. TX is essentially a general-purpose, public-key-signed contract exchange protocol and contract format.

The most basic pattern, Synchronous + POST binding, fits entirely within OpenID 2.0 Authentication: it is just a bunch of extra messages added onto it via the namespace extension mechanism. Asynchronous + POST binding differs slightly in that a callback is defined so that it can cope with delayed signing, which is a common case in many contracts.

An Artifact binding is defined here as well. An artifact can be regarded as a reference or transaction number for the proposal and contract. By using the artifact, the actual contract communication is pushed to the direct (RP-to-OP) communication, which makes it mobile friendly.

The signature methods used here are public-key based, to comply with the digital signature laws and assurance frameworks in many countries.

The tag names are not final and are likely to change.
Contents

- Why TX?
- Highlights
- OpenID TX Contract Negotiation (POST binding): Synchronous Case, Asynchronous Case
- TX Data Transfer (optional)
- OpenID TX Contract Negotiation (Artifact binding)
- Deployment Status
- Appendix: Contract Proposal Example, Contract Example
Why TX?

“OpenID will continue to be implemented widely, but it will be relegated to low-risk applications unless security weaknesses are addressed and stronger authentication options and secure attribute exchange functionalities are added.”

“Avoid OpenID for use in financial transactions and other transactions involving sensitive information unless augmented with stronger authentication methods and other controls (such as transaction anomaly detection).”

~ Gregg Kreizman, Ray Wagner, Oct. 10, 2008, Gartner Research ID: G00161878

OpenID needs “better security” for “more sensitive/higher value” transactions.

Contract Driven Data Exchange = Trust Exchange (TX)
Highlights

- Somewhat similar in spirit to WS-Trust. Instead of SOAP messages it uses Key=Value pairs and a RESTful API, so it fits well as an OpenID extension.
- Trust Tokens/Contracts are to be stored as legally binding “contracts” that can be produced to an authority when necessary. This constrains the form of signature, e.g. RSA 1024-bit, DSA, ECDSA, etc.
- Token types and signature types are deliberately limited to keep the implementation simple.
- Two bindings (POST and Artifact) to meet both broadband and mobile requirements.
- A simple default secure data transfer method is defined, but any method can be employed as long as it is specified in the contract.
OpenID Login + Payment (synchronous), POST binding

Participants: User (Browser), RP (Shopping), XRDS, OP (Level 1), OP (Level 2 + Payment)

1. The user clicks the “Login to check out” button at the RP.
2. The RP finds the service for Level 1 auth and for Level 2 + Payment auth (XRDS discovery). [OpenID Authentication]
3. The RP redirects the user to the Level 1 auth OP.
4. The user authenticates with username and password etc. (screen: taro123 / *****). [User AuthN]
5. The Level 1 OP returns a positive assertion to the RP.
6. The RP shows the order form; the user clicks the “Buy” button.
7. The RP redirects the user to the Level 2 + Payment OP with the [TX] POST Contract Proposal. [OpenID (TX)]
8. The user authenticates with a 2nd factor etc. (screen: PIN entry) and approves and signs the proposal. [Approval/Signing]
9. The Level 2 + Payment OP returns a positive assertion + [TX] Contract to the RP.
10. The RP shows the “Thanks!” screen.
OpenID Login + Payment (asynchronous), POST binding

Participants: User (Browser), RP (Shopping), XRDS, OP (Level 1), OP (Level 2 + Payment)

Same flow as the synchronous POST binding case (Level 1 login, order form, “Buy”, redirect to the Level 2 + Payment OP with the [TX] POST Contract Proposal, 2nd-factor AuthN and approval/signing). The difference is the assertion that comes back: the Level 2 + Payment OP returns a positive assertion + tx.c.status=Pending to the RP instead of the contract itself, and the RP shows the “Thanks!” screen; the signed contract follows later (delayed signing, see the Preface).
Notification

Participants: User (Browser), RP (Shopping), XRDS, OP (Level 1), OP (Level 2 + Payment)

Messages (direct communication between RP and OP):
- [TX] Notification (status). Status values: Contract Complete, Data Changed, Contract terminated, ID removed.
- [TX] send Contract based Request; [TX] Receive Data.

Notifications run in both directions: OP to RP and RP to OP.
Data Transfer (Optional)

Participants: User (Browser), RP (Shopping), XRDS, OP (Level 1), OP (Level 2 + Payment)

- Request: [TX] GET with Contract ID + Signature
- Response: [TX] Receive Data

N.B. Although TX defines a default Data Transfer protocol, it can be substituted by any other method as long as it is specified in the Contract.
OpenID Login + Payment (synchronous), Artifact binding

Participants: User (Browser), RP (Shopping), XRDS, OP (Level 1), OP (Level 2 + Payment)

1. The user clicks the “Login to check out” button at the RP.
2. The RP finds the service for Level 1 auth and for Level 2 + Payment auth (XRDS discovery). [OpenID Authentication]
3. The RP redirects the user to the Level 1 auth OP.
4. The user authenticates with username and password etc. (screen: taro123 / *****). [User AuthN]
5. The Level 1 OP returns a positive assertion to the RP.
6. The RP shows the order form; the user clicks the “Buy” button.
7. The RP sends the [TX] POST Contract Proposal directly to the Level 2 + Payment OP and receives a [TX] Transaction ID in return. [OpenID (TX)]
8. The RP redirects the user to the Level 2 + Payment OP with the Transaction ID.
9. The user authenticates with a 2nd factor etc. (screen: PIN entry) and approves and signs the proposal. [Approval/Signing]
10. The Level 2 + Payment OP returns a positive assertion + Contract ID to the RP.
11. The RP sends the [TX] Contract ID directly to the OP and receives the [TX] Contract.
12. The RP shows the “Thanks!” screen.
OpenID Login + Payment (asynchronous), Artifact binding

Participants: User (Browser), RP (Shopping), XRDS, OP (Level 1), OP (Level 2 + Payment)

Same flow as the synchronous Artifact binding case (Level 1 login, order form, “Buy”, direct [TX] POST Contract Proposal answered with a [TX] Transaction ID, redirect with the Transaction ID, 2nd-factor AuthN and approval/signing), with two differences:
- The Level 2 + Payment OP returns a positive assertion + tx.c.status=Pending to the RP, and the RP shows the “Thanks!” screen.
- When the delayed signing is done, the OP sends the RP a [TX] Completion Notification; the RP then sends the [TX] Contract ID directly to the OP and receives the [TX] Contract.
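The Artifact binding exchanges on the preceding slides, as an added example in Go. This is illustrative code written for this page, not the OpenID TX project's implementation: the in-memory OP, the Proposal and Contract types, the ReceiveProposal/Approve/Complete/FetchContract methods and the error values are this example's own, the status label "Complete" is assumed (the slides only show tx.c.status=Pending), and signatures are left out so the binding logic stands on its own. It models the direct POST of the proposal answered by a transaction ID (the artifact), the positive assertion carrying either a Contract ID or tx.c.status=Pending, the completion notification of the asynchronous case, and the direct Contract ID / Contract exchange, with the checks a deployment would want: artifacts and contract IDs are unguessable, an artifact is consumed on first use, and a contract is released only to its proposer and only once signed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Status carried in the positive assertion: the slides show tx.c.status=Pending
// for the asynchronous case; "Complete" is this example's label for the other.
const StatusComplete, StatusPending = "Complete", "Pending"

var (
	ErrUnknownID   = errors.New("tx: unknown transaction or contract id")
	ErrNotProposer = errors.New("tx: caller is not the proposer of this contract")
	ErrPending     = errors.New("tx: contract approved but not yet signed")
)

// Proposal carries only the tx.proposal.* fields this simulation needs.
type Proposal struct {
	ID, ProposerID string // tx.proposal.id, tx.proposal.proposerid
	AmtReceive     int    // tx.proposal.amt.receive
}

// Contract is what the OP issues; Signed stays false while signing is delayed.
type Contract struct {
	ID, SubjectID string
	Proposal      Proposal
	Signed        bool
}

// OP is an in-memory stand-in for the Level 2 + Payment OP (hypothetical).
type OP struct {
	proposals map[string]Proposal  // transaction id (artifact) -> proposal
	contracts map[string]*Contract // contract id -> contract
}

func NewOP() *OP {
	return &OP{proposals: map[string]Proposal{}, contracts: map[string]*Contract{}}
}

// opaqueID makes artifacts and contract ids unguessable, so a reference
// reveals nothing about the contract and cannot be enumerated by a third party.
func opaqueID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// ReceiveProposal is the direct RP -> OP "[TX] POST Contract Proposal"; the OP
// stores the proposal and returns the transaction id the RP redirects with.
func (op *OP) ReceiveProposal(p Proposal) string {
	txID := opaqueID()
	op.proposals[txID] = p
	return txID
}

// Approve is the user's approval at the OP after second-factor AuthN. The
// artifact is consumed here, so a replayed redirect cannot approve twice. With
// signNow the contract is signed at once (synchronous case); otherwise the
// assertion says Pending and Complete finishes the delayed signing later.
func (op *OP) Approve(txID, subjectID string, signNow bool) (status, contractID string, err error) {
	p, ok := op.proposals[txID]
	if !ok {
		return "", "", ErrUnknownID
	}
	delete(op.proposals, txID)
	c := &Contract{ID: opaqueID(), SubjectID: subjectID, Proposal: p, Signed: signNow}
	op.contracts[c.ID] = c
	if !signNow {
		return StatusPending, c.ID, nil
	}
	return StatusComplete, c.ID, nil
}

// Complete finishes a delayed signing; the OP then sends the contract id to
// the RP in the "[TX] Completion Notification".
func (op *OP) Complete(contractID string) error {
	c, ok := op.contracts[contractID]
	if !ok {
		return ErrUnknownID
	}
	c.Signed = true
	return nil
}

// FetchContract is the direct "[TX] send Contract ID / [TX] Receive Contract"
// exchange. Holding the id is not enough: only the proposer (authenticated on
// the direct channel in a deployment) gets the contract, and only once signed.
func (op *OP) FetchContract(contractID, callerID string) (Contract, error) {
	c, ok := op.contracts[contractID]
	if !ok {
		return Contract{}, ErrUnknownID
	}
	if c.Proposal.ProposerID != callerID {
		return Contract{}, ErrNotProposer
	}
	if !c.Signed {
		return Contract{}, ErrPending
	}
	return *c, nil
}
```

The RP side is the sequence ReceiveProposal, browser redirect with the transaction ID, Approve on the user's return, then FetchContract with the contract ID from the assertion or, in the asynchronous case, from the completion notification. In a deployment the caller identity given to FetchContract comes from authenticating the direct channel, not from a self-asserted parameter; the simulation passes it as a plain argument.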
Appendix: example proposal

tx.proposal.id=123
tx.proposal.term=Base64 text representation of the human readable text of the contract terms.
tx.proposal.return_to=http://merchant.com/tx/retunr_to.php
tx.proposal.dataid=http://payment.net/authcapture
tx.proposal.notify=http://merchant.com/tx/pingme.php
tx.proposal.proposerid=http://merchant.com/sales
tx.proposal.subjectid=http://specs.openid.net/auth/2.0/identifier_select
tx.proposal.signerid=http://merchant.com/sales
tx.proposal.amt.receive.unit=http://specs.openid.net/tx/1.0/iso4217/JPY
tx.proposal.amt.receive=10000
tx.proposal.amt.pay_unit=http://merchant.com/milage
tx.proposal.amt.pay=10
tx.proposal.created=2008-10-16T09:00:00Z
tx.proposal.expiry=2009-10-16T09:00:00Z
tx.proposal.cert=-----BEGIN CERTIFICATE-----%0D%0AMIIB+DCCAaICCQCHrF5YNUISgTANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMC%0D%0ASlAxDjAMBgNVBAgTBVRva3lvMQ4wDAYDVQQHEwVUb2t5bzESMBAGA1UEChMJaGRr%0D%0AbnIuY29tMQwwCgYDVQQLEwNzeXMxEjAQBgNVBAMTCWhka25yLmNvbTEdMBsGCSqG%0D%0ASIb3DQEJARYObWFpbEBoZGtuci5jb20wHhcNMDgwNTMwMDI0ODU0WhcNMDgwNjI5%0D%0AMDI0ODU0WjCBgjELMAkGA1UEBhMCSlAxDjAMBgNVBAgTBVRva3lvMQ4wDAYDVQQH%0D%0AEwVUb2t5bzESMBAGA1UEChMJaGRrbnIuY29tMQwwCgYDVQQLEwNzeXMxEjAQBgNV%0D%0ABAMTCWhka25yLmNvbTEdMBsGCSqGSIb3DQEJARYObWFpbEBoZGtuci5jb20wXDAN%0D%0ABgkqhkiG9w0BAQEFAANLADBIAkEAuyV30isbJTRsM4E2BlPLNqYrUYs3DD35cm4r%0D%0ALG1o6WwWpBuIHvA0UPALGBZyAJcNpNBY0bi1roehdL6LMX0xTQIDAQABMA0GCSqG%0D%0ASIb3DQEBBQUAA0EAbhBenOXHXc6vkS5ITd8LcS9ERT0gkrYeGl5csue9rcEkaQYw%0D%0A45f91W9O7aqP9yZVUaEyAuOcpndGd+XeK4TFRw==%0D%0A-----END CERTIFICATE-----
tx.proposal.sigalg=rsa
tx.proposal.signed=id,term,return_to,dataid,notify,proposalid,subjectid,signerid,amt_receive.unit,amt_receive,amt_pay.unit,amt_pay,created,expiry,cert,sigalg
tx.proposal.signature=ja+zaxRymdd+ACVRQtch+04osmIvlczz6FLig9mY9eAPPwAuQX/QMrpiMZVP2GkEZj4+kuuQq7JcDuIXxXD4Aw==

NOTE: This is a bit out-of-date. See http://sourceforge.jp/projects/openidtx/
Appendix: example contract

tx.proposal.id=123
… [entire proposal here]
tx.proposal.signature=ja+zaxRymdd+ACVRQtch+04osmIvlczz6FLig9mY9eAPPwAuQX/QMrpiMZVP2GkEZj4+kuuQq7JcDuIXxXD4Aw==
tx.contract.id=1432456
tx.contract.subjectid=http://payment.net/user/45342432
tx.contract.amt.receive.unit=http://specs.openid.net/tx/1.0/iso4217/JPY
tx.contract.amt.receive=10000
tx.contract.amt.pay_unit=http://merchant.com/milage
tx.contract.amt.pay=10
tx.contract.created=2008-10-16T09:00:10Z
tx.contract.expiry=2009-10-16T09:00:00Z
tx.contract.signerid=http://payment.net/authzsvc
tx.contract.cert=-----BEGIN CERTIFICATE-----%0D%0AMIIBhjCCATACCQCcpktIZP6hxzANBgkqhkiG9w0BAQUFADBKMRMwEQYDVQQDEwpn%0D%0AYWllbi5uZXQgMRcwFQYDVQQLEw5zeXMuZ2FpZW4ubmV0IDENMAsGA1UEChMEc3lz%0D%0AIDELMAkGA1UEBhMCSlAwHhcNMDgxMDEwMDQ0MzIwWhcNMDgxMTA5MDQ0MzIwWjBK%0D%0AMRMwEQYDVQQDEwpnYWllbi5uZXQgMRcwFQYDVQQLEw5zeXMuZ2FpZW4ubmV0IDEN%0D%0AMAsGA1UEChMEc3lzIDELMAkGA1UEBhMCSlAwXDANBgkqhkiG9w0BAQEFAANLADBI%0D%0AAkEAsZtBs9BWwNDs7w67Y85SCajNr5RyvXM2uzg6hgbQvHANpUrbxmtePEuYdWvq%0D%0A4hlzNUerqhTjc2xm6SKxCpQwnQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAA5Xgz7UW%0D%0A9XYWEpRG4CDgqLqYy9od0DrJseEEDNOULc/wEG+93wYCMwXDUra4SRTw8CW60ZfQ%0D%0AklmHJiX6pebhBw==
tx.contract.signed=proposal.signature,id,subjectid,amt_receive.unit,amt.receive,amt_pay.unit,amt.pay,created,expiry,signerid,cert
tx.contract.signature=g/BKhLjC4JbPVs+X3hfH3eqC8tlKu5DxIoBj+Qmjp7/rPLu9lprt4p9LYf+ihSd4OYBU1rlpHX2pYucU58YUYw==

NOTE: This is a bit out-of-date. See http://sourceforge.jp/projects/openidtx/
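How the signed lists and signatures of the two appendix messages fit together, as an added example in Go that also covers the Highlights slide's public-key signed contracts. This is illustrative code written for this page, not the OpenID TX project's code. Its assumptions: the string a signature covers is "key:value" plus a newline for each name in the signed list, in list order, borrowed from OpenID 2.0's openid.signed handling; a name in a signed list resolves against the message's own namespace (tx.proposal. or tx.contract.), except a cross-reference such as the contract's proposal.signature entry, which resolves against tx.; sigalg=rsa is read as RSASSA-PKCS1-v1_5 with SHA-256; and the Message type and the Sign, Verify and CheckContract functions are this example's own. Two points the slides leave implicit are made explicit: a verifier must insist that the fields it acts on (amount, expiry, subject) are inside the signed list, because a valid signature over a shorter list leaves those fields free to change in transit, and the contract's signed list including proposal.signature is what ties the OP's signature to the exact proposal the RP sent. Note that the appendix lists spell some names differently from the keys they refer to (proposalid vs proposerid, amt_receive.unit vs amt.receive.unit); signBase treats a name without a matching key as an error rather than skipping it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// Message holds tx.* key=value pairs: a proposal, or a contract (which carries
// the whole signed proposal plus the tx.contract.* keys, as in the appendix).
type Message map[string]string

// signBase returns what a signature covers, "<key>:<value>\n" per name in the
// message's signed list in list order (OpenID 2.0's openid.signed convention,
// assumed here for TX), plus the set of covered keys. A name is relative to the
// message namespace, except a cross-reference such as "proposal.signature" in
// the contract's list, which resolves against "tx." (an assumed rule).
func signBase(m Message, prefix string) (string, map[string]bool, error) {
	var b strings.Builder
	covered := map[string]bool{}
	for _, name := range strings.Split(m[prefix+"signed"], ",") {
		name = strings.TrimSpace(name)
		key := prefix + name
		if strings.HasPrefix(name, "proposal.") || strings.HasPrefix(name, "contract.") {
			key = "tx." + name
		}
		v, ok := m[key]
		if !ok { // a signed list naming an absent key is a malformed message, not a no-op
			return "", nil, fmt.Errorf("tx: signed list names %s but the message lacks it", key)
		}
		covered[key] = true
		fmt.Fprintf(&b, "%s:%s\n", key, v)
	}
	return b.String(), covered, nil
}

// Sign sets <prefix>sigalg, <prefix>signed and <prefix>signature. The slides
// give sigalg=rsa; RSASSA-PKCS1-v1_5 over SHA-256 is this example's reading.
func Sign(m Message, prefix string, fields []string, key *rsa.PrivateKey) error {
	m[prefix+"sigalg"] = "rsa"
	m[prefix+"signed"] = strings.Join(fields, ",")
	base, _, err := signBase(m, prefix)
	if err != nil {
		return err
	}
	h := sha256.Sum256([]byte(base))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return err
	}
	m[prefix+"signature"] = base64.StdEncoding.EncodeToString(sig)
	return nil
}

// Verify checks the signature with pub over the message's own signed list and
// rejects it, however valid, unless every key in mustCover is covered: a field
// the verifier acts on but the signer left out can be rewritten in transit.
func Verify(m Message, prefix string, pub *rsa.PublicKey, mustCover ...string) error {
	base, covered, err := signBase(m, prefix)
	if err != nil {
		return err
	}
	for _, key := range mustCover {
		if !covered[key] {
			return fmt.Errorf("tx: %s is not covered by the signature", key)
		}
	}
	sig, err := base64.StdEncoding.DecodeString(m[prefix+"signature"])
	if err != nil {
		return err
	}
	h := sha256.Sum256([]byte(base))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// CheckContract is the RP's acceptance test for a received contract: the RP's
// own proposal signature still verifies (the OP answered this proposal, not an
// altered one), the OP's signature covers that proposal signature and the terms,
// the amount is unchanged between proposal and contract, and it is unexpired.
func CheckContract(c Message, rpPub, opPub *rsa.PublicKey, now time.Time) error {
	if err := Verify(c, "tx.proposal.", rpPub, "tx.proposal.id",
		"tx.proposal.amt.receive", "tx.proposal.expiry"); err != nil {
		return fmt.Errorf("proposal: %w", err)
	}
	if err := Verify(c, "tx.contract.", opPub, "tx.proposal.signature", "tx.contract.id",
		"tx.contract.subjectid", "tx.contract.amt.receive", "tx.contract.expiry"); err != nil {
		return fmt.Errorf("contract: %w", err)
	}
	if c["tx.proposal.amt.receive"] != c["tx.contract.amt.receive"] {
		return fmt.Errorf("tx: amt.receive differs between proposal and contract")
	}
	exp, err := time.Parse(time.RFC3339, c["tx.contract.expiry"])
	if err != nil || !now.Before(exp) {
		return fmt.Errorf("tx: contract expiry %q is invalid or past", c["tx.contract.expiry"])
	}
	return nil
}
```

CheckContract takes the contract message in the shape the appendix shows, with the whole signed proposal embedded. With keys from rsa.GenerateKey, a proposal signed by the RP and a contract signed by the OP pass; changing tx.contract.amt.receive afterwards, or evaluating after tx.contract.expiry, is rejected, as is a signature whose signed list omits a field the verifier names in mustCover.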
