[Muscle] OpenID for PC/SC Lite / MuscleCard

Peter Williams home_pw at msn.com
Mon Feb 18 13:25:01 PST 2008


Yes. I'll get back to it tomorrow, once the Monday rush is over.

Was the part of the site that does the protocol engine for OpenID the bit 
in Java, .NET or PHP?

I have the decoding library on all three platforms. I can simply send a PHP 
package, for example, or a jar... or a .dll.

--------------------------------------------------
From: "David Corcoran" <david.corcoran at trustbearer.com>
Sent: Monday, February 18, 2008 1:19 PM
To: <peter at ventavia.com>; "MUSCLE" <muscle at lists.musclecard.com>
Subject: Re: [Muscle] OpenID for PC/SC Lite / MuscleCard

> Hi Peter,
>
> Did you get my last mail? I think we would be interested in doing 
> this - I would like to learn more.
>
> Thanks,
> Dave
>
>
> ----------------------------------------------------------
> TrustBearer Labs
>  3201 Stellhorn Road 260-399-1648
>  Fort Wayne, IN 46815
>
>      TrustBearer Enabled OpenID at
>         https://openid.trustbearer.com
> ----------------------------------------------------------
>
>
>
> On Feb 17, 2008, at 2:40 AM, Peter Williams wrote:
>
>>
>> What language/platform did you write it in? Hopefully it's Java, .NET or 
>> PHP.
>>
>> If I paid your firm $1000 a month for 3 months, would you run an 
>> experimental, live OP service for us - with low volume usage?
>>
>> I'd need a couple of changes, if the answer is yes: having received the 
>> request and before presenting the user with the per-RP page on whether 
>> or not to release certain personal data items, I'd need the site to 
>> engage in an additional round of browser redirects/postbacks - use the 
>> SAML2 protocol to ping our attribute store rather than use your own. The 
>> redirect request is little more than a 302 URL including the OpenID of 
>> the user. The redirect response is just a POSTed AES-protected token in 
>> an IETF-disclosed format - one that requires adding and using its 
>> decoding/decrypting library on your site (obviously I give you this!). 
>> Rather than have you use a native SAML2 open source library, I'd want 
>> this token used as it remotely binds to a SAML2 server whose endpoints 
>> are certified to ensure the OP has a complete set of *advanced* SAML2 
>> "name management/provisioning" features that I really need for the 
>> experiment - which the open source "WebSSO-centric" toolkits rarely 
>> implement.
>>
>> Within OpenID I'm promoting the idea of OpenID as a pure protocol 
>> gateway, rather than a complete solution. One of the protocol's 
>> shortfalls, compared to the SAML design, is that it lacks a bridging/proxying/ 
>> cascading model and associated technical security controls. By having 
>> OpenID front the SAML2 WebSSO model (exploiting SAML2's formal proxying 
>> controls) I'm essentially lobbying for the addition of these features to 
>> OpenID 3 - by showcasing the benefits. At each proxy, different 
>> authentication management policies can be imposed, creating a 
>> composition of authentication acts (viewing the proxy chain as a chain 
>> of authentication steps). At your site, you'd get to optionally impose 
>> the TrustBearer scheme, based on testing for a CAC or PIV card, based on 
>> the result of negotiating with our upstream proxy.
>>
>> In time terms, this will take about 1 to 2 days' programming, 1 day's 
>> testing. Then we see where it goes. If your OpenID2 protocol support is 
>> pretty complete and highly interoperable, perhaps we just license your 
>> server after the trial is over! (We have a large community of MuscleCard 
>> users, having made our own USB token that was a variant of the 
>> CAC.)
>>
>> Peter.
>>
>>
>>
>>
>> > Date: Fri, 15 Feb 2008 14:51:22 -0500
>> > From: thomas.harning at trustbearer.com
>> > To: muscle at lists.musclecard.com
>> > Subject: Re: [Muscle] OpenID for PC/SC Lite / MuscleCard
>> >
>> > Peter Williams wrote:
>> > > Is it OpenID1 or OpenID2?
>> > >
>> > > If it's OpenID2, what is the "pape" value that a relying party can
>> > > request, to ensure that it's a "TrustBearer" authentication between
>> > > user/device and the OP?
>> > >
>> > > Is the TrustBearer mechanism of user auth actually a. SSL client
>> > > cert auth, using a cert on the device? b. 7816 authentication? c. ICC
>> > > proprietary authentication (e.g. GlobalPlatform), or something else?
>> > >
>> > OpenID 1 and 2 capable.
>> >
>> > We respond that it's level 4 due to the hardware token involved +
>> > policies demarking phishing protection, multi-factor & multi-factor
>> > physical.
>> >
>> > User auth is being performed using challenge-response based on the
>> > certificate from the token. Pre-registration is necessary since
>> > effectively, only the public key is used for our setup.
>> >
>> > --
>> > Thomas Harning @ TrustBearer Labs (http://www.trustbearer.com)
>> > Secure OpenID: https://openid.trustbearer.com/harningt
>> > 3201 Stellhorn Road 260-399-1656
>> > Fort Wayne, IN 46815
>> > _______________________________________________
>> > Muscle mailing list
>> > Muscle at lists.musclecard.com
>> > http://lists.drizzle.com/mailman/listinfo/muscle
>>
>>
>
> 

