I have not been reporting this, but apart from TechNight and BizDay, we are having several discussion groups going on and meetings are getting more like “weekly” than “monthly”. OK. That is not an excuse not writing them here. I will try to be more timely.

Today, I want to report the following:

OpenID BizDay #4

Date: Sept. 25, 2009 (Fri) 14:30 - 16:30
Venue: Vila Fontaine Shiodome Meeting room 2,3
1-9-2 Shinbashi, Minato-ku, Tokyo 105-0021
JAPAN
http://www.sumitomo-rd.co.jp/vf/shiodome/conference/map.html

Program:
“Application of OpenID at NTTCom”
Kazuhiro Kitamura, General Manager, Net Business Div.
NTT Communications Corp.

“gooID that grows with customers”
Yasushi Tsuruki, Manager, Service Dept., Media Div.
NTT Resonant Inc.

So I was designing OpenID Authn Artifact Binding based on OAuth.
OAuth pushes request token (RT) to the Service Provider (saml:responder, openid:op).

Then, I looked back at the saml artifact binding.

It is the opposite. It sends the artifact first and the SP/responder pulls the data from Consumer/requester. Why?

It has got to do with the scale.

When the SP/Responder is big, chances are that the servers are distributed and there will be a big sync up problem among them. Thus, when the RT/message is sent there and the user arrives through browser redirect, the RT/message itself may not be accessible from the server that the user landed.

In case of SAML flow, the requester creates the artifact, and in the artifact, there is a node index included. Then, user arrives to the responder with artifact, and the responder pulls the data using this artifact. When requester receives the artifact, it knows where the RT/message is stored, so it can reliably fetch it.

So, SAML actually is kinder to a large scale providers.

On the other hand, OAuth has its own edge. In case of OAuth, the Requester always makes the action. It does not matter if it is behind the firewall or something. Typically, if it is an application living on a PC or Phone or something like that, the chances are that SP/Responder/OP cannot reach the client because it has got a private address. Since OAuth had such use case from the beginning, I suppose, the current choice was made.

So, coming back to OpenID Artifact Binding: Which design should we chose?

To Pull, or to Push: That is the question.

This afternoon, I attended UMA WG session at Kantara Initiative. UMA stands for User Managed Access, formally known as ProtectServe.

The purpose of this Work Group is to develop a set of draft specifications that enable an individual to control the authorization of data sharing and service access made between online services on the individual’s behalf, and to facilitate the development of interoperable implementations of these specifications by others.

Thus, it roughly is equal to CX in it’s concept.

A little bit of comparison was done in today’s session.
Most notably:

In CX, contract proposal is sent from the data consumer to the data provider (user) while in UMA, the proposal is being sent from the data provider (user) to the data consumer.

This is subtle but important distinction, at least, philosophically.

In fact, when I started discussing CX among my friends, we first consider the user providing the policy just like UMA. It was because it is closer to the VRM like setting. Then, after a while, we made a conscious decision to do the other way round.

Why?

In most cases, the data consumer is actually web service. It is a machine. On the other hand, on the data provider side, there is the user, the human being, who makes the decision.

If we offer a contract proposal from the user side, the machine has to negotiate it automagically. It is hard.
It looked like it is an daunting task to do it over a wide range of possible use cases.

On the other hand, the other way round is easy. You show the user the condition and terms, and it is this human being parsing that proposal and making decision. This seemed like a reasonably easy thing to achieve technically.

To approximate user providing the acceptable policy, we can create a common repository of contract proposals and the user can publish the URL in his XRD, so that the data consumer can pick an acceptable policy.

I believe this approach saves us from the hard question of designing negotiation protocol and still achieve something roughly the same. Also, note that we do not have to agree on the syntax of the machine readable condition. It is up to the application to decide it(*1).

We are right now doing CX WG at OpenID Foundation. However, CX is not only for OpenID. I consider it as an OpenID Binding of CX. It can equally be done for OAuth or some other protocol.

UMA’s approach is definitely interesting, but I still do not know how it can be achieved. It is a “must track” kind of thing for me right now.

(*1) There was yet another reason to do it this way: I was not comfortable floating around a contract proposal signed by me waiting for some unknown party to counter-sign floating around. From the “consumer protection” (note different use of the term “consumer") perspective, IMHO, the user should be the last one to sign.