OpenID-Artifact Binding

Session: Tuesday Session 4 Space O

Conference: IIW 10, May 17-19, 2009 (complete set of notes)

Topic: OpenID Artifact Binding

Conveners: Nat, Breno, John B.


 * AB is designed to be scalable and stateless, and it works with mobile phones.
 * With AB, OpenID can support NIST SP 800-63 (rev1) assurance levels L2 - L4, because the assertion is sent over the direct communication channel between the OP and the RP (the user agent carries only the artifact).
 * Asymmetric-key signing and encryption address the threats defined for L3 - L4.
 * The RP can choose between two request modes:

1. Push: the encoded request message is sent to the OP (POST).

2. Pull: the RP prepares the RPF (JSON) message and tells the OP only the URL of that message.
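As an added example (not code from the session or from the OpenID AB draft), the Go program below runs the exchange sketched above end to end in both request modes: the RP either POSTs the base64url-encoded JSON request (push) or publishes it as a request file and hands the OP only its URL (pull); the OP issues an opaque artifact that the user agent carries back; the RP then exchanges that artifact for the assertion over the direct channel, where it is accepted exactly once. The field names, URLs, nonce value and the in-memory `web` map that stands in for an HTTP fetch are assumptions for this example; signing and encryption are separate layers and are left out here.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

var b64 = base64.RawURLEncoding

// Request is the RP's JSON request message and Assertion is the OP's JSON reply.
// Field names are assumptions for this example, not taken from the AB draft.
type Request struct{ Realm, ReturnTo, Nonce string }
type Assertion struct{ Issuer, Audience, Subject, Nonce string }

var web = map[string][]byte{} // stands in for an HTTP GET of a request file (RPF) the RP has published

// OP is the OpenID Provider; an issued assertion waits under an opaque artifact
// handle until the RP collects it over the direct channel.
type OP struct {
	rpfCache map[string]Request   // pull mode: fetched request files, reused on later logins
	issued   map[string]Assertion // artifact -> assertion not yet collected
}

func NewOP() *OP { return &OP{map[string]Request{}, map[string]Assertion{}} }

// loadRequest accepts either request mode: push (the base64url-encoded JSON request
// is POSTed to the OP) or pull (only the RPF URL is sent; the OP fetches and caches it).
func (op *OP) loadRequest(mode, payload string) (req Request, err error) {
	switch mode {
	case "push":
		raw, e := b64.DecodeString(payload)
		if e != nil { return req, e }
		err = json.Unmarshal(raw, &req)
	case "pull":
		if cached, ok := op.rpfCache[payload]; ok { return cached, nil }
		raw, ok := web[payload]
		if !ok { return req, errors.New("request file not found at " + payload) }
		if err = json.Unmarshal(raw, &req); err == nil { op.rpfCache[payload] = req }
	default:
		err = errors.New("unknown request mode " + mode)
	}
	return req, err
}

// Authorize is the front-channel step. It returns the artifact that the user agent
// carries back to the RP's return_to URL; the assertion itself never passes through the UA.
func (op *OP) Authorize(mode, payload, user string) (string, error) {
	req, err := op.loadRequest(mode, payload)
	if err != nil { return "", err }
	handle := make([]byte, 16) // 128 random bits: unguessable, and meaningless by itself
	if _, err := rand.Read(handle); err != nil { return "", err }
	artifact := b64.EncodeToString(handle)
	op.issued[artifact] = Assertion{"https://op.example", req.Realm, user, req.Nonce}
	return artifact, nil
}

// Resolve is the direct OP<->RP channel. The artifact is single-use: a replayed or
// guessed artifact returns nothing.
func (op *OP) Resolve(artifact string) (Assertion, error) {
	a, ok := op.issued[artifact]
	if !ok { return Assertion{}, errors.New("unknown or already-used artifact") }
	delete(op.issued, artifact)
	return a, nil
}

// RPCheck binds the resolved assertion to the realm and nonce the RP put in its own
// request, so an assertion issued for another RP or for an old request is rejected.
func RPCheck(a Assertion, realm, nonce string) error {
	if a.Audience != realm { return errors.New("assertion audience is not this RP") }
	if a.Nonce != nonce { return errors.New("nonce does not match the request") }
	return nil
}

// Run drives one login in the given mode and returns the accepted assertion.
func Run(mode string) (Assertion, error) {
	op := NewOP()
	req := Request{"https://rp.example", "https://rp.example/return", "n-7f3a9c"} // constructed
	raw, _ := json.Marshal(req)
	payload := b64.EncodeToString(raw) // push: the whole request travels in the POST
	if mode == "pull" {
		web["https://rp.example/rpf.json"] = raw // RP publishes the RPF (its URL could be listed in XRDS)
		payload = "https://rp.example/rpf.json"   // pull: only the URL goes to the OP
	}
	artifact, err := op.Authorize(mode, payload, "alice")
	if err != nil { return Assertion{}, err }
	a, err := op.Resolve(artifact) // RP -> OP over the direct channel
	if err != nil { return Assertion{}, err }
	if err := RPCheck(a, req.Realm, req.Nonce); err != nil { return Assertion{}, err }
	if _, err := op.Resolve(artifact); err == nil { return Assertion{}, errors.New("artifact accepted twice") }
	return a, nil
}

func main() {
	a, err := Run("pull")
	fmt.Printf("%+v err=%v\n", a, err)
}
```

Because the user agent only ever sees the random handle, nothing it could capture or replay yields the assertion a second time, and nothing it could alter changes what the OP hands out over the direct channel. The RP still has to refuse assertions it did not ask for, which is what the realm and nonce check does. The OP-side cache is what lets a published request file be fetched once and reused; invalidation when the RP updates the file is not shown.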


 * The assertion is also JSON, instead of the key-value form encoding used in OpenID 2.0.
 * The OP implementation in PHP is now around 400 lines of code; the RP is 200, including even the HTML part.
 * For digital signing, "Magic Signature" is used (to reach LoA 2 - 3).
 * Encryption:

1. Symmetric-key encryption for encrypting the "Artifact".

2. Asymmetric-key encryption for encrypting the "Assertion".
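As an added example of the signing and encryption layers (not the session's or the AB draft's code), the Go program below signs a JSON assertion with the OP's RSA key in a simplified Magic-Signature-style envelope, encrypts the artifact handle under a symmetric key the OP and RP share, and encrypts the signed assertion so that only the RP's private key can open it. The envelope layout, the hybrid construction (an AES-GCM data key wrapped with RSA-OAEP), the key sizes and the sample assertion are assumptions chosen for this example; the Magic Signatures format and the AB draft may differ in detail.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

var b64 = base64.RawURLEncoding

// Envelope is a simplified Magic-Signature-style container (an assumption, not the exact
// format): the assertion JSON travels base64url-encoded and is signed in that encoded form.
type Envelope struct {
	Data string `json:"data"`
	Sig  string `json:"sig"`
}

// Sign wraps an assertion in an Envelope signed (RSA-SHA256) with the OP's private key.
func Sign(opKey *rsa.PrivateKey, assertionJSON []byte) ([]byte, error) {
	data := b64.EncodeToString(assertionJSON)
	h := sha256.Sum256([]byte(data))
	sig, err := rsa.SignPKCS1v15(rand.Reader, opKey, crypto.SHA256, h[:])
	if err != nil { return nil, err }
	return json.Marshal(Envelope{data, b64.EncodeToString(sig)})
}

// Verify checks the envelope against the OP's public key and only then returns the
// assertion JSON, so nothing is decoded or trusted before the signature holds.
func Verify(opPub *rsa.PublicKey, envelope []byte) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal(envelope, &env); err != nil { return nil, err }
	sig, err := b64.DecodeString(env.Sig)
	if err != nil { return nil, err }
	h := sha256.Sum256([]byte(env.Data))
	if err := rsa.VerifyPKCS1v15(opPub, crypto.SHA256, h[:], sig); err != nil { return nil, err }
	return b64.DecodeString(env.Data)
}

// seal and unseal are AES-GCM with a random nonce prepended; any change makes unseal fail.
func seal(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, pt, nil), nil
}

func unseal(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, _ := cipher.NewGCM(block)
	if len(ct) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Symmetric layer for the artifact: the handle is sealed under a key the OP and RP already
// share (assumed set up out of band), so the user agent carrying it can neither read nor alter it.
func SealArtifact(assocKey, handle []byte) (string, error) {
	ct, err := seal(assocKey, handle)
	return b64.EncodeToString(ct), err
}

func OpenArtifact(assocKey []byte, artifact string) ([]byte, error) {
	ct, err := b64.DecodeString(artifact)
	if err != nil { return nil, err }
	return unseal(assocKey, ct)
}

// Asymmetric layer for the assertion: only the RP's private key opens it, so the OP needs no
// shared secret for confidentiality. RSA-OAEP with a 2048-bit key and SHA-256 holds at most
// 190 bytes, less than a signed envelope, so the envelope is sealed under a fresh data key
// and only that key is wrapped to the RP's public key.
type Sealed struct{ WrappedKey, Ciphertext []byte }

func SealAssertion(rpPub *rsa.PublicKey, envelope []byte) (Sealed, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil { return Sealed{}, err }
	ct, err := seal(dataKey, envelope)
	if err != nil { return Sealed{}, err }
	wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rpPub, dataKey, nil)
	return Sealed{wk, ct}, err
}

func OpenAssertion(rpKey *rsa.PrivateKey, s Sealed) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, rpKey, s.WrappedKey, nil)
	if err != nil { return nil, err }
	return unseal(dataKey, s.Ciphertext)
}

func main() {
	opKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	rpKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, _ := Sign(opKey, []byte(`{"iss":"https://op.example","sub":"alice"}`)) // constructed assertion
	sealed, _ := SealAssertion(&rpKey.PublicKey, env)
	opened, _ := OpenAssertion(rpKey, sealed)
	assertion, err := Verify(&opKey.PublicKey, opened)
	fmt.Printf("%s err=%v\n", assertion, err)
}
```

On the RP side the order is decrypt first, verify second, parse last: `OpenAssertion` yields the envelope, `Verify` rejects it if the signature does not match the OP's public key, and only the bytes that pass are treated as the assertion. The artifact layer keeps the handle opaque to the user agent; because AES-GCM authenticates as well as encrypts, a modified artifact is rejected outright rather than resolving to something unexpected.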


 * The URL for the RPF can be published in XRDS.
 * The RPF can be cached by the OP until it is updated.
 * The "Holder of Key" parameter in the assertion stores the user's certificate used for PKI-based authentication (in order to meet LoA 4).
 * The "Pull" mode is required for mobile phones that cannot run JavaScript (and so cannot auto-submit the POST form that push mode needs).