Introduction to OpenID TX proposed extension


Description: Rationale for having "Contract Negotiation" protocols, and the basic sequence.


Page 1: Introduction to OpenID TX proposed extension

An Introduction to OpenID TX ver. 1.4

Nat Sakimura (=nat)

Nov. 11, 2008

Page 2: Introduction to OpenID TX proposed extension

Copyright ( C ) 2008 Nomura Research Institute, Ltd. All rights reserved.

2

Preface

This document is composed to give a brief overview of the Trust Exchange Extension for OpenID.

Because it is easy to illustrate, internet payment is used as the use case; this is just an example, and the protocol can be used for other purposes as well. It is essentially a general-purpose, public-key-signed contract exchange protocol and contract format.

As you can see, the most basic pattern, "Synchronous + POST binding", fits completely with OpenID 2.0 AuthN: it is just a bunch of extra messages added onto it via the namespace extension mechanism.

Asynchronous + POST binding is slightly different in that a callback is defined so that it can cope with delayed signing, which is a pretty common case in many contracts.

An Artifact binding is defined here as well. You can regard an artifact as a reference or transaction number for the proposal and contract. By using the artifact, we can push the actual contract communication onto the direct (back-channel) connection, so that it is mobile friendly.

The signature methods used here are public-key based, to comply with the digital signature laws and assurance frameworks in many countries.

The tag names are not final. They are most likely to be changed.

Page 3: Introduction to OpenID TX proposed extension


Contents

Why TX

Highlights

OpenID TX Contract Negotiation (POST binding)

Synchronous Case

Asynchronous Case

TX Data Transfer (optional)

OpenID TX Contract Negotiation (Artifact binding)

Deployment Status

Appendix

Contract Proposal Example

Contract Example

Page 4: Introduction to OpenID TX proposed extension


Why TX?

“OpenID will continue to be implemented widely, but it will be relegated to low-risk applications unless security weaknesses are addressed and stronger authentication options and secure attribute exchange functionalities are added.”

“Avoid OpenID for use in financial transactions and other transactions involving sensitive information unless augmented with stronger authentication methods and other controls (such as transaction anomaly detection).” ~ Gregg Kreizman, Ray Wagner, Oct. 10, 2008, Gartner Research ID: G00161878

OpenID needs “Better Security” for “more sensitive/higher value” transactions.

Contract Driven Data Exchange = Trust Exchange (TX)

Page 5: Introduction to OpenID TX proposed extension


Highlights

Somewhat similar in spirit to WS-Trust.

Instead of SOAP messages, it uses Key=Value pairs and a RESTful API, so it fits well as an OpenID Extension.

Trust Tokens/Contracts are to be stored as legally binding “contracts” that can be produced to an authority when necessary.

This constrains the form of signature; e.g., RSA 1024-bit, DSA, ECDSA, etc.

Token types and signature types are deliberately limited to keep the implementation simple.

Two bindings (POST and Artifact) are defined, to meet both broadband and mobile requirements.

A simple default secure data transfer method is defined, but any method can be employed as long as it is specified in the contract.

Page 6: Introduction to OpenID TX proposed extension


OpenID Login + Payment (synchronous)

Sequence diagram. Participants: User (Browser); RP (Shopping); XRDS; OP (Level 1); OP (Level 2 + Payment).

Flow (POST binding, synchronous):
1. User clicks the “Login to Checkout” button at the RP.
2. RP finds the services for Level 1 auth and Level 2 + Payment auth (XRDS discovery).
3. RP redirects the browser to the Level 1 auth OP.
4. User AuthN with username and password etc. (mock-up: taro123 / *****).
5. OP (Level 1) returns a Positive Assertion to the RP.
6. RP shows the Order Form.
7. User clicks the “Buy” button.
8. RP redirects the browser to the L2 + Payment OP with a [TX] POST Contract Proposal.
9. User AuthN with 2nd factor etc. (mock-up: PIN entry, 暗証番号).
10. Approval / Signing of the proposal at the OP.
11. OP (L2 + Payment) returns a Positive Assertion + [TX] Contract to the RP.
12. RP shows the “Thanks!” screen.

Legend: OpenID Authentication; User AuthN; OpenID (TX) Approval/Signing. Binding: POST Binding (Proposal / Signing).

Page 7: Introduction to OpenID TX proposed extension


OpenID Login + Payment (synchronous)

Sequence diagram. Participants: User (Browser); RP (Shopping); XRDS; OP (Level 1); OP (Level 2 + Payment).

Flow (POST binding, signing deferred):
1. User clicks the “Login to Checkout” button at the RP.
2. RP finds the services for Level 1 auth and Level 2 + Payment auth (XRDS discovery).
3. RP redirects the browser to the Level 1 auth OP.
4. User AuthN with username and password etc. (mock-up: taro123 / *****).
5. OP (Level 1) returns a Positive Assertion to the RP.
6. RP shows the Order Form.
7. User clicks the “Buy” button.
8. RP redirects the browser to the L2 + Payment OP with a [TX] POST Contract Proposal.
9. User AuthN with 2nd factor etc. (mock-up: PIN entry, 暗証番号).
10. Approval / Signing at the OP.
11. OP (L2 + Payment) returns a Positive Assertion + tx.c.tatus=Pending to the RP.
12. RP shows the “Thanks!” screen.

Legend: OpenID Authentication; User AuthN; OpenID (TX) Approval/Signing. Binding: POST Binding (Proposal / Signing).

Page 8: Introduction to OpenID TX proposed extension


Notification

Sequence diagram. Participants: User (Browser); RP (Shopping); XRDS; OP (Level 1); OP (Level 2 + Payment).

Messages:
- [TX] Notification (status), in both directions: OP to RP notification and RP to OP notification.
- Status values: Contract Complete, Data Changed, Contract terminated, ID removed.
- [TX] send Contract based Request, answered by [TX] Receive Data.

Legend: OpenID Authentication; User AuthN; OpenID (TX) Approval/Signing; [TX] Notification.

Page 9: Introduction to OpenID TX proposed extension


Data Transfer (Optional)

Sequence diagram. Participants: User (Browser); RP (Shopping); XRDS; OP (Level 1); OP (Level 2 + Payment).

Messages:
- RP to OP: [TX] GET with Contract ID + Signature.
- OP to RP: [TX] Receive Data.

Legend: OpenID Authentication; User AuthN; OpenID (TX) Approval/Signing.

N.B. Although TX defines a default Data Transfer protocol, it can be substituted by any other method as long as that method is specified in the Contract.

Page 10: Introduction to OpenID TX proposed extension


OpenID Login + Payment (synchronous)

Sequence diagram. Participants: User (Browser); RP (Shopping); XRDS; OP (Level 1); OP (Level 2 + Payment).

Flow (Artifact binding, synchronous):
1. User clicks the “Login to Checkout” button at the RP.
2. RP finds the services for Level 1 auth and Level 2 + Payment auth (XRDS discovery).
3. RP redirects the browser to the Level 1 auth OP.
4. User AuthN with username and password etc. (mock-up: taro123 / *****).
5. OP (Level 1) returns a Positive Assertion to the RP.
6. RP shows the Order Form.
7. User clicks the “Buy” button.
8. RP sends a [TX] POST Contract Proposal directly to the L2 + Payment OP; the OP answers with a [TX] Transaction ID.
9. RP redirects the browser to the L2 + Payment OP with the Transaction ID.
10. User AuthN with 2nd factor etc. (mock-up: PIN entry, 暗証番号).
11. Approval / Signing at the OP.
12. OP (L2 + Payment) returns a Positive Assertion + Contract ID to the RP.
13. RP directly [TX] sends the Contract ID to the OP and [TX] receives the Contract.
14. RP shows the “Thanks!” screen.

Legend: OpenID Authentication; User AuthN; OpenID (TX) Approval/Signing. Binding: Artifact Binding (Proposal / Signing).

Page 11: Introduction to OpenID TX proposed extension


OpenID Login + Payment (asynchronous)

Sequence diagram. Participants: User (Browser); RP (Shopping); XRDS; OP (Level 1); OP (Level 2 + Payment).

Flow (Artifact binding, asynchronous):
1. User clicks the “Login to Checkout” button at the RP.
2. RP finds the services for Level 1 auth and Level 2 + Payment auth (XRDS discovery).
3. RP redirects the browser to the Level 1 auth OP.
4. User AuthN with username and password etc. (mock-up: taro123 / *****).
5. OP (Level 1) returns a Positive Assertion to the RP.
6. RP shows the Order Form.
7. User clicks the “Buy” button.
8. RP sends a [TX] POST Contract Proposal directly to the L2 + Payment OP; the OP answers with a [TX] Transaction ID.
9. RP redirects the browser to the L2 + Payment OP with the Transaction ID.
10. User AuthN with 2nd factor etc. (mock-up: PIN entry, 暗証番号).
11. Approval / Signing at the OP (may be delayed).
12. OP (L2 + Payment) returns a Positive Assertion + tx.c.tatus=Pending to the RP.
13. RP shows the “Thanks!” screen.
14. When signing completes, the OP sends a [TX] Completion Notification to the RP.
15. RP directly [TX] sends the Contract ID to the OP and [TX] receives the Contract.

Legend: OpenID Authentication; User AuthN; OpenID (TX) Approval/Signing; [TX] Completion Notification. Binding: Artifact Binding (Proposal / Signing).
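The Artifact binding flows on the two preceding pages (synchronous and asynchronous), as an added in-memory model that is not code from the OpenID TX project: the OP issues a random Transaction ID for the proposal the RP posts directly, then a Contract ID for the signed contract, and the RP redeems the Contract ID over the direct connection. The class names, the artifact TTL, the single-use rule and the example hostnames are this example's own assumptions, not statements of the draft.

```python
"""Added example, not OpenID TX project code: an in-memory model of the
Artifact binding. Assumed: artifacts are random, single-use, bound to the
RP that posted the proposal, and expire after ARTIFACT_TTL seconds."""
import secrets
import time

ARTIFACT_TTL = 300  # seconds a Transaction ID stays redeemable (assumed value)


class OP:
    """Level 2 + Payment OP side."""

    def __init__(self):
        self._proposals = {}  # Transaction ID -> (rp_id, proposal, issued_at, notify)
        self._contracts = {}  # Contract ID -> (rp_id, contract, notify)

    def post_proposal(self, rp_id, proposal, notify, now=None):
        """Direct RP -> OP: [TX] POST Contract Proposal, answered with a Transaction ID."""
        tid = secrets.token_urlsafe(16)
        issued_at = time.time() if now is None else now
        self._proposals[tid] = (rp_id, dict(proposal), issued_at, notify)
        return tid

    def redeem_transaction(self, tid, rp_id, user_id, sign_now=True, now=None):
        """Browser arrives with the Transaction ID after 2nd-factor AuthN and
        approval. The artifact is consumed on first use, valid or not, so a
        replayed redirect cannot produce a second contract."""
        entry = self._proposals.pop(tid, None)
        if entry is None:
            return {"status": "Error", "reason": "unknown or already used Transaction ID"}
        owner, proposal, issued_at, notify = entry
        if owner != rp_id:
            return {"status": "Error", "reason": "Transaction ID was issued to another RP"}
        if (time.time() if now is None else now) - issued_at > ARTIFACT_TTL:
            return {"status": "Error", "reason": "Transaction ID expired"}
        cid = secrets.token_urlsafe(16)
        contract = {
            "tx.contract.id": cid,
            "tx.contract.subjectid": user_id,
            "tx.contract.amt.receive": proposal["tx.proposal.amt.receive"],
            "tx.contract.amt.receive.unit": proposal["tx.proposal.amt.receive.unit"],
            "tx.contract.status": "Complete" if sign_now else "Pending",
        }
        self._contracts[cid] = (rp_id, contract, notify)
        # The positive assertion carries only the Contract ID, never the contract.
        return {"status": contract["tx.contract.status"], "contract_id": cid}

    def fetch_contract(self, cid, rp_id):
        """Direct RP -> OP: send Contract ID, receive the contract; only for the
        RP the contract was made with, and only once it is signed."""
        entry = self._contracts.get(cid)
        if entry is None or entry[0] != rp_id:
            raise PermissionError("no such contract for this RP")
        if entry[1]["tx.contract.status"] != "Complete":
            raise LookupError("contract not yet signed")
        return dict(entry[1])

    def complete_later(self, cid):
        """Delayed signing finishes: mark Complete and send the completion notification."""
        rp_id, contract, notify = self._contracts[cid]
        contract["tx.contract.status"] = "Complete"
        notify(cid, "Contract Complete")


class RP:
    """Shopping RP side."""

    def __init__(self, rp_id, op):
        self.rp_id, self.op = rp_id, op
        self.contracts = {}      # Contract ID -> contract received over the direct channel
        self.notifications = []  # (Contract ID, status) received from the OP

    def start_checkout(self, proposal):
        """'Buy' clicked: post the proposal, get the Transaction ID to redirect with."""
        return self.op.post_proposal(self.rp_id, proposal, self.on_notify)

    def on_assertion(self, assertion):
        """Positive assertion received via the browser; Pending means wait for notification."""
        if assertion["status"] == "Complete":
            cid = assertion["contract_id"]
            self.contracts[cid] = self.op.fetch_contract(cid, self.rp_id)
        return assertion["status"]

    def on_notify(self, cid, status):
        """[TX] Completion Notification from the OP (asynchronous case)."""
        self.notifications.append((cid, status))
        if status == "Contract Complete":
            self.contracts[cid] = self.op.fetch_contract(cid, self.rp_id)


# Constructed proposal fragment; the amount and unit are those of the deck's appendix.
PROPOSAL = {"tx.proposal.id": "123", "tx.proposal.amt.receive": "10000",
            "tx.proposal.amt.receive.unit": "http://specs.openid.net/tx/1.0/iso4217/JPY"}
USER = "http://payment.example/user/1"


def run_synchronous():
    op = OP()
    rp = RP("http://merchant.example/sales", op)
    tid = rp.start_checkout(PROPOSAL)
    assertion = op.redeem_transaction(tid, rp.rp_id, USER)
    rp.on_assertion(assertion)
    replay = op.redeem_transaction(tid, rp.rp_id, USER)  # same artifact presented again
    return rp, assertion, replay


def run_asynchronous():
    op = OP()
    rp = RP("http://merchant.example/sales", op)
    tid = rp.start_checkout(PROPOSAL)
    assertion = op.redeem_transaction(tid, rp.rp_id, USER, sign_now=False)
    status = rp.on_assertion(assertion)          # "Pending": nothing to fetch yet
    op.complete_later(assertion["contract_id"])  # callback fetches the contract
    return rp, status
```

The point of the model is what the artifact does not carry: neither the Transaction ID nor the Contract ID contains contract data, so whatever passes through the browser is only a reference, and the OP decides on the direct channel who may redeem it, how often, and when.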

Page 12: Introduction to OpenID TX proposed extension


Appendix: example proposal

tx.proposal.id=123
tx.proposal.term=Base64 text representation of the human readable text of the contract terms.
tx.proposal.return_to=http://merchant.com/tx/retunr_to.php
tx.proposal.dataid=http://payment.net/authcapture
tx.proposal.notify=http://merchant.com/tx/pingme.php
tx.proposal.proposerid=http://merchant.com/sales
tx.proposal.subjectid=http://specs.openid.net/auth/2.0/identifier_select
tx.proposal.signerid=http://merchant.com/sales
tx.proposal.amt.receive.unit=http://specs.openid.net/tx/1.0/iso4217/JPY
tx.proposal.amt.receive=10000
tx.proposal.amt.pay_unit=http://merchant.com/milage
tx.proposal.amt.pay=10
tx.propsoal.created=2008-10-16T09:00:00Z
tx.proposal.expiry=2009-10-16T09:00:00Z
tx.proposal.cert=-----BEGIN CERTIFICATE-----%0D%0AMIIB+DCCAaICCQCHrF5YNUISgTANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMC%0D%0ASlAxDjAMBgNVBAgTBVRva3lvMQ4wDAYDVQQHEwVUb2t5bzESMBAGA1UEChMJaGRr%0D%0AbnIuY29tMQwwCgYDVQQLEwNzeXMxEjAQBgNVBAMTCWhka25yLmNvbTEdMBsGCSqG%0D%0ASIb3DQEJARYObWFpbEBoZGtuci5jb20wHhcNMDgwNTMwMDI0ODU0WhcNMDgwNjI5%0D%0AMDI0ODU0WjCBgjELMAkGA1UEBhMCSlAxDjAMBgNVBAgTBVRva3lvMQ4wDAYDVQQH%0D%0AEwVUb2t5bzESMBAGA1UEChMJaGRrbnIuY29tMQwwCgYDVQQLEwNzeXMxEjAQBgNV%0D%0ABAMTCWhka25yLmNvbTEdMBsGCSqGSIb3DQEJARYObWFpbEBoZGtuci5jb20wXDAN%0D%0ABgkqhkiG9w0BAQEFAANLADBIAkEAuyV30isbJTRsM4E2BlPLNqYrUYs3DD35cm4r%0D%0ALG1o6WwWpBuIHvA0UPALGBZyAJcNpNBY0bi1roehdL6LMX0xTQIDAQABMA0GCSqG%0D%0ASIb3DQEBBQUAA0EAbhBenOXHXc6vkS5ITd8LcS9ERT0gkrYeGl5csue9rcEkaQYw%0D%0A45f91W9O7aqP9yZVUaEyAuOcpndGd+XeK4TFRw==%0D%0A-----END CERTIFICATE-----
tx.proposal.sigalg=rsa
tx.proposal.signed=id,term,return_to,dataid,notify,proposalid,subjectid,signerid,amt_receive.unit,amt_receive,amt_pay.unit,amt_pay,created,expiry,cert,sigalg
tx.proposal.signature=ja+zaxRymdd+ACVRQtch+04osmIvlczz6FLig9mY9eAPPwAuQX/QMrpiMZVP2GkEZj4+kuuQq7JcDuIXxXD4Aw==

NOTE: This is a bit out-of-date

See http://sourceforge.jp/projects/openidtx/
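The proposal above is a flat key=value message whose tx.proposal.signed list names the fields the signature covers. The following is an added example, not code from the OpenID TX project or this deck: it parses such a message, rebuilds the data the signature is over from the signed list, and runs the checks a receiving OP or RP would apply before handing the message to signature verification. The base-string convention (OpenID 2.0 style "field:value" lines in list order), the allow-list of one algorithm, and the example hostnames are assumptions; the deck does not state the draft's own rules. Note that the deck's appendix lists proposalid, amt_receive and amt_pay in its signed list while the message keys are proposerid, amt.receive and amt.pay; a fail-closed base-string builder like this one refuses such a message instead of silently signing less than was listed.

```python
"""Added example, not OpenID TX project code: parse a tx.proposal message,
rebuild the signature base string from its 'signed' list, and run the
pre-verification checks a receiver would apply."""
from datetime import datetime, timezone
from urllib.parse import unquote

# Assumptions: base string is OpenID 2.0 style, one "field:value\n" line per
# entry of the 'signed' list in list order; only "rsa" (the algorithm in the
# deck's example) is accepted.
ALLOWED_SIGALG = {"rsa"}
MUST_BE_SIGNED = ("id", "term", "return_to", "subjectid", "created", "expiry",
                  "cert", "sigalg")

# Constructed sample modelled on the deck's appendix: hostnames are examples,
# certificate and signature are placeholders, and the 'signed' list names
# exactly the keys present in the message.
SAMPLE_PROPOSAL = "\n".join([
    "tx.proposal.id=123",
    "tx.proposal.term=VGVybXM6IHBheSAxMDAwMCBKUFk=",
    "tx.proposal.return_to=http://merchant.example/tx/return_to.php",
    "tx.proposal.dataid=http://payment.example/authcapture",
    "tx.proposal.notify=http://merchant.example/tx/pingme.php",
    "tx.proposal.proposerid=http://merchant.example/sales",
    "tx.proposal.subjectid=http://specs.openid.net/auth/2.0/identifier_select",
    "tx.proposal.signerid=http://merchant.example/sales",
    "tx.proposal.amt.receive.unit=http://specs.openid.net/tx/1.0/iso4217/JPY",
    "tx.proposal.amt.receive=10000",
    "tx.proposal.amt.pay_unit=http://merchant.example/milage",
    "tx.proposal.amt.pay=10",
    "tx.proposal.created=2008-10-16T09:00:00Z",
    "tx.proposal.expiry=2009-10-16T09:00:00Z",
    "tx.proposal.cert=-----BEGIN%20CERTIFICATE-----%0D%0APLACEHOLDER%0D%0A"
    "-----END%20CERTIFICATE-----",
    "tx.proposal.sigalg=rsa",
    "tx.proposal.signed=id,term,return_to,dataid,notify,proposerid,subjectid,"
    "signerid,amt.receive.unit,amt.receive,amt.pay_unit,amt.pay,created,"
    "expiry,cert,sigalg",
    "tx.proposal.signature=PLACEHOLDER",
])


def parse_kv(text):
    """Parse newline-separated key=value lines; values are %-decoded. Duplicate
    keys are rejected so a second amt.receive cannot shadow the signed one."""
    msg = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        if key in msg:
            raise ValueError(f"duplicate key: {key}")
        msg[key] = unquote(value)
    return msg


def signed_fields(msg, prefix):
    """Field names listed in <prefix>.signed, in list order."""
    return [f for f in msg.get(prefix + ".signed", "").split(",") if f]


def base_string(msg, prefix):
    """Data the signature covers; fails closed if the list names a field the
    message does not carry."""
    parts = []
    for field in signed_fields(msg, prefix):
        key = f"{prefix}.{field}"
        if key not in msg:
            raise KeyError(f"signed list names {field!r} but {key} is absent")
        parts.append(f"{field}:{msg[key]}\n")
    return "".join(parts)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_proposal(msg, now, prefix="tx.proposal"):
    """Return a list of findings; empty means the message may go on to
    signature verification against its certificate. 'now' is a datetime or
    an ISO timestamp string."""
    now = parse_ts(now) if isinstance(now, str) else now
    findings = []
    signed = set(signed_fields(msg, prefix))
    for field in MUST_BE_SIGNED:
        if field not in signed:
            findings.append(f"unsigned field: {field}")
    for key in msg:  # every amount field present must be covered too
        if key.startswith(prefix + "."):
            field = key[len(prefix) + 1:]
            if field.startswith("amt") and field not in signed:
                findings.append(f"unsigned field: {field}")
    if msg.get(f"{prefix}.sigalg") not in ALLOWED_SIGALG:
        findings.append("sigalg not allowed")
    try:
        created = parse_ts(msg[f"{prefix}.created"])
        expiry = parse_ts(msg[f"{prefix}.expiry"])
    except (KeyError, ValueError):
        return findings + ["created/expiry missing or malformed"]
    if created > now:
        findings.append("created in the future")
    if expiry <= now:
        findings.append("proposal expired")
    return findings
```

Run check_proposal first and only then verify tx.proposal.signature over base_string with the key from tx.proposal.cert; a signature that verifies over a list that omits the amounts or the return_to is a valid signature over the wrong thing.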

Page 13: Introduction to OpenID TX proposed extension


Appendix: example contract

tx.proposal.id=123… [entire proposal here]
tx.proposal.signature=ja+zaxRymdd+ACVRQtch+04osmIvlczz6FLig9mY9eAPPwAuQX/QMrpiMZVP2GkEZj4+kuuQq7JcDuIXxXD4Aw==
tx.contract.id=1432456
tx.contract.subjectid=http://payment.net/user/45342432
tx.contract.amt.receive.unit=http://specs.openid.net/tx/1.0/iso4217/JPY
tx.contract.amt.receive=10000
tx.contract.amt.pay_unit=http://merchant.com/milage
tx.contract.amt.pay=10
tx.contract.created=2008-10-16T09:00:10Z
tx.contract.expiry=2009-10-16T09:00:00Z
tx.contract.signerid=http://payment.net/authzsvc
tx.contract.cert=-----BEGIN CERTIFICATE-----%0D%0AMIIBhjCCATACCQCcpktIZP6hxzANBgkqhkiG9w0BAQUFADBKMRMwEQYDVQQDEwpn%0D%0AYWllbi5uZXQgMRcwFQYDVQQLEw5zeXMuZ2FpZW4ubmV0IDENMAsGA1UEChMEc3lz%0D%0AIDELMAkGA1UEBhMCSlAwHhcNMDgxMDEwMDQ0MzIwWhcNMDgxMTA5MDQ0MzIwWjBK%0D%0AMRMwEQYDVQQDEwpnYWllbi5uZXQgMRcwFQYDVQQLEw5zeXMuZ2FpZW4ubmV0IDEN%0D%0AMAsGA1UEChMEc3lzIDELMAkGA1UEBhMCSlAwXDANBgkqhkiG9w0BAQEFAANLADBI%0D%0AAkEAsZtBs9BWwNDs7w67Y85SCajNr5RyvXM2uzg6hgbQvHANpUrbxmtePEuYdWvq%0D%0A4hlzNUerqhTjc2xm6SKxCpQwnQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAA5Xgz7UW%0D%0A9XYWEpRG4CDgqLqYy9od0DrJseEEDNOULc/wEG+93wYCMwXDUra4SRTw8CW60ZfQ%0D%0AklmHJiX6pebhBw==
tx.contract.signed=proposal.signature,id,subjectid,amt_receive.unit,amt.receive,amt_pay.unit,amt.pay,created,expiry,signerid,cert
tx.contract.signature=g/BKhLjC4JbPVs+X3hfH3eqC8tlKu5DxIoBj+Qmjp7/rPLu9lprt4p9LYf+ihSd4OYBU1rlpHX2pYucU58YUYw==

NOTE: This is a bit out-of-date

See http://sourceforge.jp/projects/openidtx/