[Muscle] OpenID for PC/SC Lite / MuscleCard

David Corcoran david.corcoran at trustbearer.com
Mon Feb 18 13:19:55 PST 2008


Hi Peter,

Did you get my last mail? I think we would be interested in doing
this - I would like to learn more.

Thanks,
Dave


----------------------------------------------------------
TrustBearer Labs
  3201 Stellhorn Road		260-399-1648
  Fort Wayne, IN 46815

      TrustBearer Enabled OpenID at
         https://openid.trustbearer.com
----------------------------------------------------------



On Feb 17, 2008, at 2:40 AM, Peter Williams wrote:

>
> What language/platform did you write it in? Hopefully, it's
> Java, .NET or PHP.
>
> If I paid your firm $1000 a month for 3 months, would you run an  
> experimental, live OP service for us - with low volume usage?
>
> I'd need a couple of changes, if the answer is yes: having received
> the request and before presenting the user with the per-RP page on
> whether or not to release certain personal data items, I'd need the
> site to engage in an additional round of browser redirects/postbacks
> - use the SAML2 protocol to ping our attribute store rather than use
> your own. The redirect request is little more than a 302 URL
> including the openid of the user. The redirect response is just a
> POSTED AES-protected token in an IETF-disclosed format - one that
> requires adding and using its decoding/decrypting library to your
> site (obviously I give you this!). Rather than have you use a native
> SAML2 open source library, I'd want this token used as it remotely
> binds to a SAML2 server whose endpoints are certified to ensure the
> OP has a complete set of *advanced* SAML2 "name management/
> provisioning" features that I really need for the experiment - which
> the open source "websso-centric" toolkits rarely implement.
>
> Within openid I'm promoting the idea of openid as a pure protocol
> gateway, rather than a complete solution. One of the protocol's
> shortfalls, compared to SAML design, is it lacks a bridging/proxying/ 
> cascading model and associated technical security controls. By  
> having openid front the saml2 websso model (exploiting SAML2's  
> formal proxying controls) I'm essentially lobbying for the addition  
> of these features to openid 3 - by showcasing the benefits. At each  
> proxy, different authentication management policies can be imposed,  
> creating a composition of authentication acts (viewing the proxy  
> chain as a chain of authentication steps). At your site, you'd get  
> to impose optionally the trustbearer scheme, based on testing for a  
> CAC or PIV card, based on the result of negotiating with our  
> upstream proxy.
>
> In time terms, this will take about 1 to 2 days' programming, 1 day's
> testing. Then we see where it goes. If your openid2 protocol support
> is pretty complete and highly interoperable, perhaps we just license
> your server after the trial is over! (We have a large community of
> muscle card users, having made our own USB token that was a variant
> of the CAC)
>
> Peter.
>
>
>
>
> > Date: Fri, 15 Feb 2008 14:51:22 -0500
> > From: thomas.harning at trustbearer.com
> > To: muscle at lists.musclecard.com
> > Subject: Re: [Muscle] OpenID for PC/SC Lite / MuscleCard
> >
> > Peter Williams wrote:
> > > is it openid1 or openid2?
> > >
> > > if its openid2, what is the "pape" value that a relying party can
> > > request, to ensure that it's a "trustbearer" authentication  
> between
> > > user/device and the OP?
> > >
> > > is trustbearer mechanism of user auth actually a. SSL client  
> cert auth,
> > > using a cert on the device? b. 7816 authentication? c. ICC  
> proprietary
> > > authentication (e.g. GlobalPlatform), or something else?
> > >
> > OpenID 1 and 2 capable
> >
> > We respond that it's level 4 due to the hardware token involved +
> policies demarking
> > phishing protection, multi-factor & multi-factor physical.
> >
> > User auth is being performed using challenge-response based on the  
> certificate from the
> > token. Pre-registration is necessary since effectively, only the  
> public key is used for
> > our setup.
> >
> > --
> > Thomas Harning @ TrustBearer Labs (http://www.trustbearer.com)
> > Secure OpenID: https://openid.trustbearer.com/harningt
> > 3201 Stellhorn Road 260-399-1656
> > Fort Wayne, IN 46815
> > _______________________________________________
> > Muscle mailing list
> > Muscle at lists.musclecard.com
> > http://lists.drizzle.com/mailman/listinfo/muscle
>
>
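The thread describes the TrustBearer OP authenticating the user by challenge-response against a pre-registered public key taken from the token's certificate, and answering PAPE requests with NIST level 4 plus the phishing-resistant, multi-factor and multi-factor-physical policies. The following is an added example of that exchange, written for this page and not TrustBearer's or MuscleCard's own code. The thread does not say which key algorithm, nonce size, expiry window or binding rules TrustBearer used; this example assumes ECDSA P-256 (a real CAC/PIV card would typically sign with RSA over an APDU), a 256-bit one-time nonce, a two-minute window, and binding of the nonce to the claimed OpenID identifier and the RP realm so that a signature obtained for one RP cannot be relayed to another. The identifiers and realms are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Challenge is the one-time value the OP hands to the browser for the token to sign.
// Binding it to identity and realm is an assumption of this example, not something the thread states.
type Challenge struct {
	Nonce    []byte
	Identity string // claimed OpenID identifier
	Realm    string // RP realm the assertion will be issued for
	Expires  time.Time
}

// OP models the provider side: only public keys are stored (pre-registration, as in the thread),
// plus the outstanding challenges keyed by hex(nonce). Single-goroutine demo: no locking.
type OP struct {
	now     func() time.Time
	keys    map[string]*ecdsa.PublicKey
	pending map[string]Challenge
}

func NewOP(now func() time.Time) *OP {
	return &OP{now: now, keys: map[string]*ecdsa.PublicKey{}, pending: map[string]Challenge{}}
}

// Register stores the public key extracted from the token certificate at enrolment.
func (op *OP) Register(identity string, pub *ecdsa.PublicKey) { op.keys[identity] = pub }

// Issue creates a fresh nonce for a known identity; the 2-minute window is an assumed value.
func (op *OP) Issue(identity, realm string) (Challenge, error) {
	if _, ok := op.keys[identity]; !ok {
		return Challenge{}, errors.New("identity not pre-registered")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Nonce: nonce, Identity: identity, Realm: realm, Expires: op.now().Add(2 * time.Minute)}
	op.pending[hex.EncodeToString(nonce)] = c
	return c, nil
}

// digest is what the token signs: SHA-256 over nonce, identity and realm, with
// separators so the fields cannot be shifted into one another.
func digest(c Challenge) []byte {
	h := sha256.New()
	h.Write(c.Nonce)
	h.Write([]byte{0})
	h.Write([]byte(c.Identity))
	h.Write([]byte{0})
	h.Write([]byte(c.Realm))
	return h.Sum(nil)
}

// SignChallenge stands in for the token; on a real card the private key never leaves the ICC.
func SignChallenge(priv *ecdsa.PrivateKey, c Challenge) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(c))
}

// Verify consumes the nonce (a captured response cannot be replayed), checks expiry and
// binding, then verifies the signature under the registered key for the stored identity.
func (op *OP) Verify(c Challenge, sig []byte) error {
	key := hex.EncodeToString(c.Nonce)
	stored, ok := op.pending[key]
	if !ok {
		return errors.New("unknown or already used nonce")
	}
	delete(op.pending, key) // one-time, whatever the outcome below
	if op.now().After(stored.Expires) {
		return errors.New("challenge expired")
	}
	if stored.Identity != c.Identity || stored.Realm != c.Realm {
		return errors.New("challenge binding mismatch")
	}
	if !ecdsa.VerifyASN1(op.keys[stored.Identity], digest(stored), sig) {
		return errors.New("signature does not verify under registered key")
	}
	return nil
}

// PAPEResponse gives the PAPE 1.0 fields an OP adds to its positive assertion when it
// asserts the three policies and the NIST level named in the thread.
func PAPEResponse(authTime time.Time) map[string]string {
	return map[string]string{
		"openid.pape.auth_policies": "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant " +
			"http://schemas.openid.net/pape/policies/2007/06/multi-factor " +
			"http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical",
		"openid.pape.auth_time":       authTime.UTC().Format("2006-01-02T15:04:05Z"),
		"openid.pape.nist_auth_level": "4",
	}
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the token key pair
	op := NewOP(time.Now)
	op.Register("https://openid.example.com/alice", &priv.PublicKey)
	c, _ := op.Issue("https://openid.example.com/alice", "https://rp.example.org/")
	sig, _ := SignChallenge(priv, c)
	fmt.Println("first response:", op.Verify(c, sig))
	fmt.Println("replayed response:", op.Verify(c, sig))
	fmt.Println(PAPEResponse(time.Now()))
}
```

The second Verify call fails because the nonce was deleted on first use; a tampered realm, a signature from a different key, or a response after the window are rejected for the same reason a real OP should reject them, and an identity with no registered key never gets a challenge at all. Note that the PAPE fields are what the OP asserts about itself; nothing in OpenID 2.0 lets the RP check them beyond trusting the OP's signed response.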


