Introduction to OpenID TX proposed extension
Uploaded by nat-sakimura. Category: Technology.
Transcript of Introduction to OpenID TX proposed extension
![Page 1: Introduction to OpenID TX proposed extension](https://reader035.fdocuments.net/reader035/viewer/2022081821/549c1eeeb47959d4318b4667/html5/thumbnails/1.jpg)
An Introduction to OpenID TX, ver. 1.4
Nat Sakimura (=nat)
Nov. 11, 2008
![Page 2: Introduction to OpenID TX proposed extension](https://reader035.fdocuments.net/reader035/viewer/2022081821/549c1eeeb47959d4318b4667/html5/thumbnails/2.jpg)
Copyright ( C ) 2008 Nomura Research Institute, Ltd. All rights reserved.
Preface
This document gives a brief overview of the Trust Exchange (TX) Extension for OpenID.
Internet payment is used as the use case because it is easy to illustrate, but it is only an example and the extension can be used for other purposes as well. TX is essentially a general-purpose protocol, and a contract format, for exchanging contracts signed with public keys.
As you can see, the most basic pattern, "Synchronous + POST binding", rides entirely on OpenID 2.0 Authentication: it is just a set of extra messages added onto the authentication exchange via the namespace extension mechanism.
"Asynchronous + POST binding" is slightly different in that a callback is defined so that it can cope with delayed signing, which is a common case for many contracts.
An Artifact binding is defined here as well. You can regard an artifact as a reference, or transaction number, for the proposal and the contract. By passing only the artifact through the browser, the actual contract exchange is moved to a direct RP-to-OP communication, which keeps the redirects small and therefore mobile friendly.
The signature methods used here are public-key based, to comply with the digital signature laws and assurance frameworks of many countries.
The tag names are not final. They are most likely to be changed.
![Page 3: Introduction to OpenID TX proposed extension](https://reader035.fdocuments.net/reader035/viewer/2022081821/549c1eeeb47959d4318b4667/html5/thumbnails/3.jpg)
Contents
Why TX
Highlights
OpenID TX Contract Negotiation (POST binding)
  Synchronous Case
  Asynchronous Case
TX Data Transfer (optional)
OpenID TX Contract Negotiation (Artifact binding)
Deployment Status
Appendix
  Contract Proposal Example
  Contract Example
![Page 4: Introduction to OpenID TX proposed extension](https://reader035.fdocuments.net/reader035/viewer/2022081821/549c1eeeb47959d4318b4667/html5/thumbnails/4.jpg)
Why TX?
“OpenID will continue to be implemented widely, but it will be relegated to low-risk applications unless security weaknesses are addressed and stronger authentication options and secure attribute exchange functionalities are added.”
“Avoid OpenID for use in financial transactions and other transactions involving sensitive information unless augmented with stronger authentication methods and other controls (such as transaction anomaly detection).” ~ Gregg Kreizman, Ray Wagner, Oct. 10, 2008, Gartner Research ID: G00161878
OpenID needs “better security” for “more sensitive/higher value” transactions.
Contract Driven Data Exchange = Trust Exchange (TX)
![Page 5: Introduction to OpenID TX proposed extension](https://reader035.fdocuments.net/reader035/viewer/2022081821/549c1eeeb47959d4318b4667/html5/thumbnails/5.jpg)
Highlights
Somewhat similar in spirit to WS-Trust.
Instead of SOAP messages it uses Key=Value pairs over a RESTful API, so it fits naturally as an OpenID extension.
Trust tokens/contracts are stored as legally binding "contracts" that can be produced to an authority when necessary.
This constrains the form of signature to public-key algorithms, e.g. RSA (1024-bit), DSA, ECDSA, etc.
Token types and signature types are deliberately limited to keep implementation simple.
Two bindings (POST and Artifact) meet both broadband and mobile requirements.
A simple default secure data-transfer method is defined, but any method can be employed as long as it is specified in the contract.
![Page 6: Introduction to OpenID TX proposed extension](https://reader035.fdocuments.net/reader035/viewer/2022081821/549c1eeeb47959d4318b4667/html5/thumbnails/6.jpg)
OpenID Login + Payment (synchronous)
Lanes: OP (Level 1), User (Browser), XRDS, OP (Level 2 + Payment), RP (Shopping). Binding: POST. Phases: Proposal, then Signing.
1. User clicks the "Login to check out" button at the RP (screen: Login to Checkout, taro123 / *****).
2. RP finds, via XRDS, the service for Level 1 auth and the service for Level 2 + Payment auth.
3. RP redirects the browser to the Level 1 auth OP.
4. User authenticates with username and password etc. (User AuthN).
5. OP (Level 1) returns a positive assertion to the RP (OpenID Authentication).
6. RP shows the order form; user clicks the "Buy" button.
7. RP redirects the browser to the L2 + Payment OP with the [TX] POST Contract Proposal (OpenID (TX)).
8. User authenticates with a 2nd factor etc. (screen: PIN), then approves and signs (Approval/Signing).
9. OP (Level 2 + Payment) returns a positive assertion + [TX] Contract to the RP.
10. RP shows the "Thanks!" screen.
Legend: OpenID Authentication; User AuthN; OpenID (TX) Approval/Signing.
![Page 7: Introduction to OpenID TX proposed extension](https://reader035.fdocuments.net/reader035/viewer/2022081821/549c1eeeb47959d4318b4667/html5/thumbnails/7.jpg)
OpenID Login + Payment (asynchronous, POST binding)
Lanes: OP (Level 1), User (Browser), XRDS, OP (Level 2 + Payment), RP (Shopping). Binding: POST. Phases: Proposal, then Signing.
1. User clicks the "Login to check out" button at the RP (screen: Login to Checkout, taro123 / *****).
2. RP finds, via XRDS, the service for Level 1 auth and the service for Level 2 + Payment auth.
3. RP redirects the browser to the Level 1 auth OP.
4. User authenticates with username and password etc. (User AuthN).
5. OP (Level 1) returns a positive assertion to the RP (OpenID Authentication).
6. RP shows the order form; user clicks the "Buy" button.
7. RP redirects the browser to the L2 + Payment OP with the [TX] POST Contract Proposal (OpenID (TX)).
8. User authenticates with a 2nd factor etc. (screen: PIN); approval and signing may be delayed.
9. OP (Level 2 + Payment) returns a positive assertion + tx.c.status=Pending to the RP; the signed contract follows later (see Notification).
10. RP shows the "Thanks!" screen.
Legend: OpenID Authentication; User AuthN; OpenID (TX) Approval/Signing.
![Page 8: Introduction to OpenID TX proposed extension](https://reader035.fdocuments.net/reader035/viewer/2022081821/549c1eeeb47959d4318b4667/html5/thumbnails/8.jpg)
Notification
Lanes: OP (Level 1), User (Browser), XRDS, OP (Level 2 + Payment), RP (Shopping).
[TX] Notification (status) is a direct message that flows in both directions: OP to RP notification and RP to OP notification.
Status values: Contract Complete, Data Changed, Contract terminated, ID removed.
Also shown as direct RP-to-OP messages: [TX] send Contract based Request; [TX] Receive Data.
Legend: OpenID Authentication; User AuthN; OpenID (TX) Approval/Signing.
![Page 9: Introduction to OpenID TX proposed extension](https://reader035.fdocuments.net/reader035/viewer/2022081821/549c1eeeb47959d4318b4667/html5/thumbnails/9.jpg)
Data Transfer (Optional)
Lanes: OP (Level 1), User (Browser), XRDS, OP (Level 2 + Payment), RP (Shopping).
1. RP sends a direct [TX] GET with Contract ID + Signature to the OP (Level 2 + Payment).
2. RP receives the data ([TX] Receive Data).
Legend: OpenID Authentication; User AuthN; OpenID (TX) Approval/Signing.
N.B. Although TX defines a default Data Transfer protocol, it can be substituted by any other methods as long as it is specified in the Contract.
![Page 10: Introduction to OpenID TX proposed extension](https://reader035.fdocuments.net/reader035/viewer/2022081821/549c1eeeb47959d4318b4667/html5/thumbnails/10.jpg)
OpenID Login + Payment (synchronous, Artifact binding)
Lanes: OP (Level 1), User (Browser), XRDS, OP (Level 2 + Payment), RP (Shopping). Binding: Artifact. Phases: Proposal, then Signing.
1. User clicks the "Login to check out" button at the RP (screen: Login to Checkout, taro123 / *****).
2. RP finds, via XRDS, the service for Level 1 auth and the service for Level 2 + Payment auth.
3. RP redirects the browser to the Level 1 auth OP.
4. User authenticates with username and password etc. (User AuthN).
5. OP (Level 1) returns a positive assertion to the RP (OpenID Authentication).
6. RP shows the order form; user clicks the "Buy" button.
7. RP POSTs the [TX] Contract Proposal directly to the L2 + Payment OP, which returns a [TX] Transaction ID (the artifact).
8. RP redirects the browser to the L2 + Payment OP with the Transaction ID.
9. User authenticates with a 2nd factor etc. (screen: PIN), then approves and signs (Approval/Signing).
10. OP (Level 2 + Payment) returns a positive assertion + Contract ID to the RP.
11. RP sends the Contract ID directly to the OP ([TX] send Contract ID) and receives the contract ([TX] Receive Contract).
12. RP shows the "Thanks!" screen.
Legend: OpenID Authentication; User AuthN; OpenID (TX) Approval/Signing.
![Page 11: Introduction to OpenID TX proposed extension](https://reader035.fdocuments.net/reader035/viewer/2022081821/549c1eeeb47959d4318b4667/html5/thumbnails/11.jpg)
OpenID Login + Payment (asynchronous, Artifact binding)
Lanes: OP (Level 1), User (Browser), XRDS, OP (Level 2 + Payment), RP (Shopping). Binding: Artifact. Phases: Proposal, then Signing.
1. User clicks the "Login to check out" button at the RP (screen: Login to Checkout, taro123 / *****).
2. RP finds, via XRDS, the service for Level 1 auth and the service for Level 2 + Payment auth.
3. RP redirects the browser to the Level 1 auth OP.
4. User authenticates with username and password etc. (User AuthN).
5. OP (Level 1) returns a positive assertion to the RP (OpenID Authentication).
6. RP shows the order form; user clicks the "Buy" button.
7. RP POSTs the [TX] Contract Proposal directly to the L2 + Payment OP, which returns a [TX] Transaction ID (the artifact).
8. RP redirects the browser to the L2 + Payment OP with the Transaction ID.
9. User authenticates with a 2nd factor etc. (screen: PIN); approval and signing may be delayed.
10. OP (Level 2 + Payment) returns a positive assertion + tx.c.status=Pending to the RP.
11. RP shows the "Thanks!" screen.
12. Later, the OP sends a direct [TX] Completion Notification to the RP.
13. RP sends the Contract ID directly to the OP ([TX] send Contract ID) and receives the contract ([TX] Receive Contract).
Legend: OpenID Authentication; User AuthN; OpenID (TX) Approval/Signing.
![Page 12: Introduction to OpenID TX proposed extension](https://reader035.fdocuments.net/reader035/viewer/2022081821/549c1eeeb47959d4318b4667/html5/thumbnails/12.jpg)
Appendix: example proposal
tx.proposal.id=123
tx.proposal.term=Base64 text representation of the human readable text of the contract terms.
tx.proposal.return_to=http://merchant.com/tx/retunr_to.php
tx.proposal.dataid=http://payment.net/authcapture
tx.proposal.notify=http://merchant.com/tx/pingme.php
tx.proposal.proposerid=http://merchant.com/sales
tx.proposal.subjectid=http://specs.openid.net/auth/2.0/identifier_select
tx.proposal.signerid=http://merchant.com/sales
tx.proposal.amt.receive.unit=http://specs.openid.net/tx/1.0/iso4217/JPY
tx.proposal.amt.receive=10000
tx.proposal.amt.pay_unit=http://merchant.com/milage
tx.proposal.amt.pay=10
tx.proposal.created=2008-10-16T09:00:00Z
tx.proposal.expiry=2009-10-16T09:00:00Z
tx.proposal.cert=-----BEGIN CERTIFICATE-----%0D%0AMIIB+DCCAaICCQCHrF5YNUISgTANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMC%0D%0ASlAxDjAMBgNVBAgTBVRva3lvMQ4wDAYDVQQHEwVUb2t5bzESMBAGA1UEChMJaGRr%0D%0AbnIuY29tMQwwCgYDVQQLEwNzeXMxEjAQBgNVBAMTCWhka25yLmNvbTEdMBsGCSqG%0D%0ASIb3DQEJARYObWFpbEBoZGtuci5jb20wHhcNMDgwNTMwMDI0ODU0WhcNMDgwNjI5%0D%0AMDI0ODU0WjCBgjELMAkGA1UEBhMCSlAxDjAMBgNVBAgTBVRva3lvMQ4wDAYDVQQH%0D%0AEwVUb2t5bzESMBAGA1UEChMJaGRrbnIuY29tMQwwCgYDVQQLEwNzeXMxEjAQBgNV%0D%0ABAMTCWhka25yLmNvbTEdMBsGCSqGSIb3DQEJARYObWFpbEBoZGtuci5jb20wXDAN%0D%0ABgkqhkiG9w0BAQEFAANLADBIAkEAuyV30isbJTRsM4E2BlPLNqYrUYs3DD35cm4r%0D%0ALG1o6WwWpBuIHvA0UPALGBZyAJcNpNBY0bi1roehdL6LMX0xTQIDAQABMA0GCSqG%0D%0ASIb3DQEBBQUAA0EAbhBenOXHXc6vkS5ITd8LcS9ERT0gkrYeGl5csue9rcEkaQYw%0D%0A45f91W9O7aqP9yZVUaEyAuOcpndGd+XeK4TFRw==%0D%0A-----END CERTIFICATE-----
tx.proposal.sigalg=rsa
tx.proposal.signed=id,term,return_to,dataid,notify,proposalid,subjectid,signerid,amt_receive.unit,amt_receive,amt_pay.unit,amt_pay,created,expiry,cert,sigalg
tx.proposal.signature=ja+zaxRymdd+ACVRQtch+04osmIvlczz6FLig9mY9eAPPwAuQX/QMrpiMZVP2GkEZj4+kuuQq7JcDuIXxXD4Aw==
NOTE: This is a bit out-of-date
See http://sourceforge.jp/projects/openidtx/
![Page 13: Introduction to OpenID TX proposed extension](https://reader035.fdocuments.net/reader035/viewer/2022081821/549c1eeeb47959d4318b4667/html5/thumbnails/13.jpg)
Appendix: example contract
tx.proposal.id=123… [entire proposal here]
tx.proposal.signature=ja+zaxRymdd+ACVRQtch+04osmIvlczz6FLig9mY9eAPPwAuQX/QMrpiMZVP2GkEZj4+kuuQq7JcDuIXxXD4Aw==
tx.contract.id=1432456
tx.contract.subjectid=http://payment.net/user/45342432
tx.contract.amt.receive.unit=http://specs.openid.net/tx/1.0/iso4217/JPY
tx.contract.amt.receive=10000
tx.contract.amt.pay_unit=http://merchant.com/milage
tx.contract.amt.pay=10
tx.contract.created=2008-10-16T09:00:10Z
tx.contract.expiry=2009-10-16T09:00:00Z
tx.contract.signerid=http://payment.net/authzsvc
tx.contract.cert=-----BEGIN CERTIFICATE-----%0D%0AMIIBhjCCATACCQCcpktIZP6hxzANBgkqhkiG9w0BAQUFADBKMRMwEQYDVQQDEwpn%0D%0AYWllbi5uZXQgMRcwFQYDVQQLEw5zeXMuZ2FpZW4ubmV0IDENMAsGA1UEChMEc3lz%0D%0AIDELMAkGA1UEBhMCSlAwHhcNMDgxMDEwMDQ0MzIwWhcNMDgxMTA5MDQ0MzIwWjBK%0D%0AMRMwEQYDVQQDEwpnYWllbi5uZXQgMRcwFQYDVQQLEw5zeXMuZ2FpZW4ubmV0IDEN%0D%0AMAsGA1UEChMEc3lzIDELMAkGA1UEBhMCSlAwXDANBgkqhkiG9w0BAQEFAANLADBI%0D%0AAkEAsZtBs9BWwNDs7w67Y85SCajNr5RyvXM2uzg6hgbQvHANpUrbxmtePEuYdWvq%0D%0A4hlzNUerqhTjc2xm6SKxCpQwnQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAA5Xgz7UW%0D%0A9XYWEpRG4CDgqLqYy9od0DrJseEEDNOULc/wEG+93wYCMwXDUra4SRTw8CW60ZfQ%0D%0AklmHJiX6pebhBw==
tx.contract.signed=proposal.signature,id,subjectid,amt_receive.unit,amt.receive,amt_pay.unit,amt.pay,created,expiry,signerid,cert
tx.contract.signature=g/BKhLjC4JbPVs+X3hfH3eqC8tlKu5DxIoBj+Qmjp7/rPLu9lprt4p9LYf+ihSd4OYBU1rlpHX2pYucU58YUYw==
NOTE: This is a bit out-of-date
See http://sourceforge.jp/projects/openidtx/
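The two appendix messages show the shape of a proposal and its countersigned contract but not how the signatures are produced or checked. The following Go program is an added worked example of that round trip; it is not code from the deck or from the openidtx project. It assumes a canonical signed string of "name:value" lines in the order of the `signed` list (mirroring OpenID 2.0's key:value form; the TX draft's own rule is not on the page), takes `sigalg=rsa` to mean RSA PKCS#1 v1.5 over SHA-256, generates throwaway self-signed certificates for the two parties, uses the appendix field names with the `amt.receive.unit` spelling throughout, and fills in constructed values. As in the appendix, the contract's `signed` list names `proposal.signature`, so the OP's signature covers the exact proposal the RP signed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Message is an OpenID-style Key=Value message like the appendix examples
// (values are shown decoded; on the wire the PEM newlines appear as %0D%0A).
type Message map[string]string

// SignedString is the byte string that gets signed: each name in "<prefix>.signed",
// in order, as "name:value\n" (ASSUMPTION: mirrors OpenID 2.0's key:value form; the
// draft's own rule is not on the page). A name missing under prefix is looked up
// under "tx.", which is how a contract covers "proposal.signature".
func SignedString(m Message, prefix string) (string, error) {
	var sb strings.Builder
	for _, f := range strings.Split(m[prefix+".signed"], ",") {
		v, ok := m[prefix+"."+f]
		if !ok {
			v, ok = m["tx."+f]
		}
		if !ok {
			return "", fmt.Errorf("signed field %q absent from %s", f, prefix)
		}
		fmt.Fprintf(&sb, "%s:%s\n", f, v)
	}
	return sb.String(), nil
}

// Sign fills <prefix>.cert, <prefix>.sigalg and <prefix>.signature. "rsa" is taken
// to mean RSA PKCS#1 v1.5 over SHA-256 (assumption; the deck only says "rsa").
func Sign(m Message, prefix string, key *rsa.PrivateKey, certDER []byte) error {
	m[prefix+".cert"] = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}))
	m[prefix+".sigalg"] = "rsa"
	s, err := SignedString(m, prefix)
	if err != nil {
		return err
	}
	h := sha256.Sum256([]byte(s))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	m[prefix+".signature"] = base64.StdEncoding.EncodeToString(sig)
	return err
}

// Verify rebuilds the signed string and checks the signature with the public key of
// the certificate carried in the message. Whether that certificate may speak for
// the claimed signerid (CA chain, discovered OP key) is a separate policy check.
func Verify(m Message, prefix string) error {
	block, _ := pem.Decode([]byte(m[prefix+".cert"]))
	if block == nil || m[prefix+".sigalg"] != "rsa" {
		return fmt.Errorf("%s: no PEM certificate or unsupported sigalg", prefix)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	s, err := SignedString(m, prefix)
	if !ok || err != nil {
		return fmt.Errorf("%s: RSA key present=%v, signed string: %v", prefix, ok, err)
	}
	sig, _ := base64.StdEncoding.DecodeString(m[prefix+".signature"]) // bad base64 just fails below
	h := sha256.Sum256([]byte(s))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// party makes a throwaway key and self-signed certificate for the example; a real
// RP or OP would present a certificate its counterpart can chain to a trusted CA.
func party(cn string) (*rsa.PrivateKey, []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // key or certificate generation failing is unrecoverable here
	}
	return key, der
}

// Exchange is the POST-binding round trip: the RP signs a proposal, the OP returns it
// countersigned as a contract whose signature also covers the proposal's signature.
// Field names follow the appendix; the values are constructed for this example.
func Exchange() (Message, error) {
	rpKey, rpCert := party("merchant.com")
	opKey, opCert := party("payment.net")
	m := Message{
		"tx.proposal.id":               "123",
		"tx.proposal.term":             base64.StdEncoding.EncodeToString([]byte("Order 123: 10000 JPY")),
		"tx.proposal.subjectid":        "http://specs.openid.net/auth/2.0/identifier_select",
		"tx.proposal.amt.receive.unit": "http://specs.openid.net/tx/1.0/iso4217/JPY",
		"tx.proposal.amt.receive":      "10000",
		"tx.proposal.signed":           "id,term,subjectid,amt.receive.unit,amt.receive,cert,sigalg",
	}
	if err := Sign(m, "tx.proposal", rpKey, rpCert); err != nil {
		return nil, err
	}
	// OP side: name the real subject, restate the amount it accepts, and countersign;
	// "proposal.signature" in the signed list ties the contract to this exact proposal.
	m["tx.contract.id"], m["tx.contract.subjectid"] = "1432456", "http://payment.net/user/45342432"
	m["tx.contract.signerid"] = "http://payment.net/authzsvc"
	m["tx.contract.amt.receive.unit"], m["tx.contract.amt.receive"] = m["tx.proposal.amt.receive.unit"], "10000"
	m["tx.contract.signed"] = "proposal.signature,id,subjectid,amt.receive.unit,amt.receive,signerid,cert,sigalg"
	return m, Sign(m, "tx.contract", opKey, opCert)
}

func main() {
	m, err := Exchange()
	fmt.Println(err, Verify(m, "tx.proposal"), Verify(m, "tx.contract")) // all <nil> on success
}
```

Two checks that a receiving RP or OP must add on top of `Verify`: that the certificate in `cert` is one the stated `signerid` is entitled to use (a CA chain or the key found at discovery, which this example does not model), and that every field it will act on, the amounts and `return_to` in particular, is named in the `signed` list. A field left out of that list, or an amount restated in the contract that differs from the proposal, is not protected by either signature and has to be compared explicitly.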