Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
RE: [higgins-dev] AW: How should selectors advertise themselves?

I would hate to have to have folks keep up with all the brands and versions, and I'm not sure the brand and version would do anything for interop

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122

Inactive hide details for "Paul Trevithick" ---01/04/2008 12:10:20 PM---We should include both capabilities-based values and br"Paul Trevithick" ---01/04/2008 12:10:20 PM---We should include both capabilities-based values and brand&version-based


From:

"Paul Trevithick" <paul@xxxxxxxxxxxxxxxxx>

To:

"'Higgins \(Trust Framework\) Project developer discussions'" <higgins-dev@xxxxxxxxxxx>

Cc:

Michael.Jones@xxxxxxxxxxxxx

Date:

01/04/2008 12:10 PM

Subject:

RE: [higgins-dev] AW: How should selectors advertise themselves?




We should include both capabilities-based values and brand&version-based
values. The former appeals to the optimist in me. The latter to the
pragmatist.

> -----Original Message-----
> From: higgins-dev-bounces@xxxxxxxxxxx [
mailto:higgins-dev-
> bounces@xxxxxxxxxxx] On Behalf Of Nennker, Axel
> Sent: Friday, January 04, 2008 12:44 PM
> To: higgins-dev@xxxxxxxxxxx
> Cc: Michael.Jones@xxxxxxxxxxxxx
> Subject: AW: [higgins-dev] AW: How should selectors advertise themselves?
>
> Thanks for suggesting capability indicating headers though I still think
> that these are difficult to agree on. My experience is that these kind of
> protocols end in negotiating capabilties of both sides and that "vendors"
> tend to invent their own values...
>
>
> But, anyways. I hope that there will be more comments regarding the
> capability headers.
>
> -Axel
>
> ps.: The STS owned by RP stuff is not very well understood. At least not
> by me ;-)
> There was recently a post in the CardSpace team blog regarding this, but
> its lenght alone is an indication of the complexity of the matter. I
> remember that Mike Jones told me about the fact that RP and STS could have
> a shared symmetric key which is specified in the RP's policy. This would
> be a capability that the openinfocard selector would (probably) not be
> able to handle. We have some code regarding this but was never tested. The
> capability headers might get very complex.
>
> > -----Ursprüngliche Nachricht-----
> > Von: higgins-dev-bounces@xxxxxxxxxxx
> > [
mailto:higgins-dev-bounces@xxxxxxxxxxx] Im Auftrag von
> > Michael McIntosh
> > Gesendet: Freitag, 4. Januar 2008 16:50
> > An: Higgins (Trust Framework) Project developer discussions
> > Cc: higgins-dev@xxxxxxxxxxx; higgins-dev-bounces@xxxxxxxxxxx
> > Betreff: Re: [higgins-dev] AW: How should selectors advertise
> > themselves?
> >
> > Nennker, Axel wrote on 01/04/2008 06:01:35 AM:
> >
> > <snip/>
> >
> > > > I see problems with the capabilities because it is unclear who
> > > > defines the interop standards and who decides whether a
> > selctor is
> > > > allowed to claim interoperability.
> >
> > I think these problems are orthogonal to whether we advertise
> > "capability"
> > vs. "product". If a browser advertises a capability, but does
> > not support it, it (browser) will not work. A product based
> > advertisement requires Relying Party's to somehow
> > discover/track which browsers support which features, and if
> > they guess wrong the browser won't work. How is that better?
> >
> > > > The openinfocard selector for example does not support symmetric
> > > > binding and does not support issuerPolicy.
> >
> > Let me take these separately:
> > a) "symmetric binding" is in the contract between the
> > Selector and the IdP and is expressed in the Metadata of the
> > IdP. Nothing the RP does impacts this. If your selector
> > doesn't want to support this it can reject import of cards
> > that require it.
> > b) issuerPolicy implies a scenario where the RP "owns" the
> > STS. This one is tricky, on the one hand, conceptually it
> > semes no different from asking for a token from an Issuer for
> > which you have no cards. On the other hand it does require a
> > new message exchange pattern in the selector. Support for
> > this is a capability of the selector, right?
> >
> > > > Therefore I would not sent the rpInterop part of the http
> > header but
> > > > the name and selectorVersion parts only.
> > > > But other selectors might claim interoperability while
> > they are not.
> >
> > <ContentPreviouslySentOffList>
> >
> > I guess before deciding on a solution, we should decide on
> > some important requirements. Some of mine would be:
> >       1) Relying Party sites should be able to detect
> > capabilities of Client/Selector in order to formulate
> > appropriate markup.>
> >       2) A new Client/Selector should be able to be supported
> > without changes to existing Relying Party sites.
> >       3) A new capability added to a Client/Selector should
> > be able to be ignored by Relying Party sites that do not yet
> > support it.
> >
> > Therefore, I believe that its better for a Relying Party site
> > to know the capabilities of a Client/Selector than to know
> > the "brand"/product/version.
> > In the CardSpace 1.0 world, there are three main capabilities
> > related to content provided to browsers/selectors:
> >       a) OBJECT tag for Type-application/x-informationCard,
> >       b) INFORMATIONCARD/ADD behavior,
> >       c) Scriptable invocation of the Helper object.
> > Additionally, there may be a dependency on support for:
> >       d) Relying Party/STS
> >       e) Identity Provider/STS
> >
> > So I would prefer something like HTTP headers with:
> >       x-Accept-Identity-Markup: Object-x-informationCard;
> > InformationCard-Behavior; Scriptable-Helper
> >       x-Accept-Identity-Service: IdP; RP
> >
> > </ContentPreviouslySentOffList>;
> >
> >
> > > >
> > > > have fun
> > > > Axel
> > > >
> > > > ps.: Why are you sending this only to higgins-dev but not to the
> > > > google group?
> >
> > By sending messages to this list we agree to Eclipse terms
> > wrt content of our messages. It is unclear what terms are
> > implied by messages sent received on a google list.
> >
> > <snip/>
> >
> > _______________________________________________
> > higgins-dev mailing list
> > higgins-dev@xxxxxxxxxxx
> >
https://dev.eclipse.org/mailman/listinfo/higgins-dev
> >
> _______________________________________________
> higgins-dev mailing list
> higgins-dev@xxxxxxxxxxx
>
https://dev.eclipse.org/mailman/listinfo/higgins-dev

_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev

GIF image

GIF image


Back to the top