RE: [higgins-dev] AW: How should selectors advertise themselves?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

RE: [higgins-dev] AW: How should selectors advertise themselves?

From: Anthony Nadalin <drsecure@xxxxxxxxxx>
Date: Fri, 4 Jan 2008 13:14:59 -0600
Delivered-to: higgins-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/listinfo/higgins-dev>
List-help: <mailto:higgins-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/higgins-dev>, <mailto:higgins-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/higgins-dev>, <mailto:higgins-dev-request@eclipse.org?subject=unsubscribe>

I would hate to have to have folks keep up with all the brands and versions, and I'm not sure the brand and version would do anything for interop

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122

"Paul Trevithick" ---01/04/2008 12:10:20 PM---We should include both capabilities-based values and brand&version-based

From:	"Paul Trevithick" <paul@xxxxxxxxxxxxxxxxx>
To:	"'Higgins \(Trust Framework\) Project developer discussions'" <higgins-dev@xxxxxxxxxxx>
Cc:	Michael.Jones@xxxxxxxxxxxxx
Date:	01/04/2008 12:10 PM
Subject:	RE: [higgins-dev] AW: How should selectors advertise themselves?

We should include both capabilities-based values and brand&version-based values. The former appeals to the optimist in me. The latter to the pragmatist. > -----Original Message----- > From: higgins-dev-bounces@xxxxxxxxxxx [mailto:higgins-dev-> bounces@xxxxxxxxxxx] On Behalf Of Nennker, Axel > Sent: Friday, January 04, 2008 12:44 PM > To: higgins-dev@xxxxxxxxxxx > Cc: Michael.Jones@xxxxxxxxxxxxx > Subject: AW: [higgins-dev] AW: How should selectors advertise themselves? > > Thanks for suggesting capability indicating headers though I still think > that these are difficult to agree on. My experience is that these kind of > protocols end in negotiating capabilties of both sides and that "vendors" > tend to invent their own values... > > > But, anyways. I hope that there will be more comments regarding the > capability headers. > > -Axel > > ps.: The STS owned by RP stuff is not very well understood. At least not > by me ;-) > There was recently a post in the CardSpace team blog regarding this, but > its lenght alone is an indication of the complexity of the matter. I > remember that Mike Jones told me about the fact that RP and STS could have > a shared symmetric key which is specified in the RP's policy. This would > be a capability that the openinfocard selector would (probably) not be > able to handle. We have some code regarding this but was never tested. The > capability headers might get very complex. > > > -----Ursprüngliche Nachricht----- > > Von: higgins-dev-bounces@xxxxxxxxxxx > > [mailto:higgins-dev-bounces@xxxxxxxxxxx] Im Auftrag von > > Michael McIntosh > > Gesendet: Freitag, 4. Januar 2008 16:50 > > An: Higgins (Trust Framework) Project developer discussions > > Cc: higgins-dev@xxxxxxxxxxx; higgins-dev-bounces@xxxxxxxxxxx > > Betreff: Re: [higgins-dev] AW: How should selectors advertise > > themselves? > > > > Nennker, Axel wrote on 01/04/2008 06:01:35 AM: > > > > <snip/> > > > > > > I see problems with the capabilities because it is unclear who > > > > defines the interop standards and who decides whether a > > selctor is > > > > allowed to claim interoperability. > > > > I think these problems are orthogonal to whether we advertise > > "capability" > > vs. "product". If a browser advertises a capability, but does > > not support it, it (browser) will not work. A product based > > advertisement requires Relying Party's to somehow > > discover/track which browsers support which features, and if > > they guess wrong the browser won't work. How is that better? > > > > > > The openinfocard selector for example does not support symmetric > > > > binding and does not support issuerPolicy. > > > > Let me take these separately: > > a) "symmetric binding" is in the contract between the > > Selector and the IdP and is expressed in the Metadata of the > > IdP. Nothing the RP does impacts this. If your selector > > doesn't want to support this it can reject import of cards > > that require it. > > b) issuerPolicy implies a scenario where the RP "owns" the > > STS. This one is tricky, on the one hand, conceptually it > > semes no different from asking for a token from an Issuer for > > which you have no cards. On the other hand it does require a > > new message exchange pattern in the selector. Support for > > this is a capability of the selector, right? > > > > > > Therefore I would not sent the rpInterop part of the http > > header but > > > > the name and selectorVersion parts only. > > > > But other selectors might claim interoperability while > > they are not. > > > > <ContentPreviouslySentOffList> > > > > I guess before deciding on a solution, we should decide on > > some important requirements. Some of mine would be: > > 1) Relying Party sites should be able to detect > > capabilities of Client/Selector in order to formulate > > appropriate markup.> > > 2) A new Client/Selector should be able to be supported > > without changes to existing Relying Party sites. > > 3) A new capability added to a Client/Selector should > > be able to be ignored by Relying Party sites that do not yet > > support it. > > > > Therefore, I believe that its better for a Relying Party site > > to know the capabilities of a Client/Selector than to know > > the "brand"/product/version. > > In the CardSpace 1.0 world, there are three main capabilities > > related to content provided to browsers/selectors: > > a) OBJECT tag for Type-application/x-informationCard, > > b) INFORMATIONCARD/ADD behavior, > > c) Scriptable invocation of the Helper object. > > Additionally, there may be a dependency on support for: > > d) Relying Party/STS > > e) Identity Provider/STS > > > > So I would prefer something like HTTP headers with: > > x-Accept-Identity-Markup: Object-x-informationCard; > > InformationCard-Behavior; Scriptable-Helper > > x-Accept-Identity-Service: IdP; RP > > > > </ContentPreviouslySentOffList>; > > > > > > > > > > > > have fun > > > > Axel > > > > > > > > ps.: Why are you sending this only to higgins-dev but not to the > > > > google group? > > > > By sending messages to this list we agree to Eclipse terms > > wrt content of our messages. It is unclear what terms are > > implied by messages sent received on a google list. > > > > <snip/> > > > > _______________________________________________ > > higgins-dev mailing list > > higgins-dev@xxxxxxxxxxx > >https://dev.eclipse.org/mailman/listinfo/higgins-dev> > > _______________________________________________ > higgins-dev mailing list > higgins-dev@xxxxxxxxxxx >https://dev.eclipse.org/mailman/listinfo/higgins-dev_______________________________________________ higgins-dev mailing list higgins-dev@xxxxxxxxxxxhttps://dev.eclipse.org/mailman/listinfo/higgins-dev

References:
- [higgins-dev] AW: How should selectors advertise themselves?
  - From: Nennker, Axel
- Re: [higgins-dev] AW: How should selectors advertise themselves?
  - From: Michael McIntosh
- AW: [higgins-dev] AW: How should selectors advertise themselves?
  - From: Nennker, Axel
- RE: [higgins-dev] AW: How should selectors advertise themselves?
  - From: Paul Trevithick

Prev by Date: Re: [higgins-dev] changesforhttps://bugs.eclipse.org/bugs/show_bug.cgi?id=197665
Next by Date: Re: [higgins-dev]changesforhttps://bugs.eclipse.org/bugs/show_bug.cgi?id=197665
Previous by thread: AW: [higgins-dev] AW: How should selectors advertisethemselves?
Next by thread: [higgins-dev] 1.0 dates
Index(es):
- Date
- Thread

Breadcrumbs