OpenID Providers Invited to Join in an NSTIC Pilot Proposal

NSTIC has announced funding for pilot projects. Preliminary proposals are due by March 7 and full proposals by April 23. There will be a proposer’s conference on February 15, which will be webcast live.

We are planning to submit a proposal and are inviting OpenID identity
providers to join us. The proposed pilot will demonstrate a
completely password-free method of user authentication where the
relying party is an ordinary OpenID relying party. The identity
provider will issue a public key certificate to the user, and later
use it to authenticate the user upon redirection from the relying
party. The relying party will not see the certificate.
Since the certificate will be verified by the same party that
issued it, there will be no need for certificate revocation lists.
Certificate issuance will be automatic, using an extension of the
HTML5 keygen mechanism that Pomcor will implement on an extension of
the open source Firefox browser.

There will be two privacy features:

  1. The identity provider will supply different identifiers to
    different relying parties, as in the ICAM OpenID 2.0 Profile.
  2. Before authenticating the user, the identity provider will inform
    the user of the value of the DNT (Do Not Track) header sent by the
    browser, and will not track the user if the value of the header is 1.

The identity provider will:

  1. Implement a facility for issuing certificates to users, taking
    advantage of the keygen element of HTML5. The identity
    provider will obtain a public key from keygen, create a certificate
    that binds the public key to the user’s local identity, and download
    the certificate in an ad-hoc HTTP header. Pomcor will supply a
    Firefox extension that will import the certificate automatically.
  2. Use the certificate to authenticate the user upon redirection
    from the relying party. The browser will submit the certificate as a
    TLS client certificate. The mod_ssl module of Apache supports the use
    of a client certificate and makes data from the certificate available
    to high-level server-side programming environments such as PHP via
    environment variables.
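The following is an added example, not Pomcor's code or part of the proposal. It models the identity provider's server-side logic for the step above: after the relying party redirects the user, the provider reads the client-certificate data that Apache mod_ssl exposes as environment variables (`SSL_CLIENT_VERIFY`, `SSL_CLIENT_I_DN`, `SSL_CLIENT_S_DN_CN`), accepts the user only if the certificate validated and was issued by the provider's own CA, derives a different identifier for each relying party, and checks the DNT header before recording anything. The issuer DN, the pairwise secret, the HMAC-based identifier derivation and the `handle_checkid` name are assumptions for illustration; the post does not specify them.

```python
"""Server-side logic of a certificate-verifying OpenID identity provider.

Added example, not Pomcor's code. It models the step in which the IdP,
after the relying party redirects the user, authenticates the user from the
TLS client-certificate data that Apache mod_ssl exposes as environment
variables, then derives a per-relying-party identifier and honours DNT.
The HMAC mapping from local identity to pairwise identifier is an assumed
design choice.
"""
import hashlib
import hmac
from typing import Optional

# Distinguished name of the IdP's own issuing CA (assumed value).
IDP_ISSUER_DN = "CN=Example IdP CA,O=Example IdP"

# Secret used to derive per-relying-party identifiers (constructed value).
PAIRWISE_SECRET = b"example-pairwise-secret-do-not-reuse"

# Constructed in-memory record of visits; a real deployment would use a database.
TRACKING_LOG: list[dict] = []


def authenticate_from_mod_ssl(env: dict) -> Optional[str]:
    """Return the user's local identity if mod_ssl verified a client
    certificate issued by this IdP, otherwise None.

    mod_ssl sets SSL_CLIENT_VERIFY to "SUCCESS" only when the certificate
    chain validated against the CA configured with SSLCACertificateFile;
    "NONE" means no certificate was presented, "FAILED:..." means the
    validation failed.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    # Only certificates this IdP issued are meaningful here. Because the
    # issuer and the verifier are the same party, no CRL lookup is needed.
    if env.get("SSL_CLIENT_I_DN") != IDP_ISSUER_DN:
        return None
    # The certificate binds the public key to the user's local identity,
    # carried here in the subject CN (assumed layout).
    local_id = env.get("SSL_CLIENT_S_DN_CN")
    return local_id or None


def pairwise_identifier(local_id: str, rp_realm: str) -> str:
    """Derive a stable identifier that differs for each relying party."""
    msg = f"{local_id}\0{rp_realm}".encode()
    return hmac.new(PAIRWISE_SECRET, msg, hashlib.sha256).hexdigest()


def handle_checkid(env: dict, rp_realm: str) -> dict:
    """Process a redirection from the relying party identified by rp_realm.

    env is the CGI-style environment (os.environ under mod_php or CGI);
    the DNT request header arrives as HTTP_DNT.
    """
    local_id = authenticate_from_mod_ssl(env)
    if local_id is None:
        return {"status": "not_authenticated"}
    dnt = env.get("HTTP_DNT")
    # The IdP shows the user the DNT value it saw and does not record
    # the visit when the browser sent DNT: 1.
    if dnt != "1":
        TRACKING_LOG.append({"user": local_id, "rp": rp_realm})
    return {
        "status": "authenticated",
        "claimed_id": pairwise_identifier(local_id, rp_realm),
        "dnt_shown_to_user": dnt,
    }


if __name__ == "__main__":
    # Constructed sample of what mod_ssl + PHP/CGI would expose.
    sample_env = {
        "SSL_CLIENT_VERIFY": "SUCCESS",
        "SSL_CLIENT_I_DN": IDP_ISSUER_DN,
        "SSL_CLIENT_S_DN_CN": "alice",
        "HTTP_DNT": "1",
    }
    print(handle_checkid(sample_env, "https://rp.example/"))
```

The three rejection paths in `authenticate_from_mod_ssl` are the ones a deployment must get right: a request with no certificate, a certificate that failed chain validation, and a validly signed certificate from some other CA that happens to be trusted by the server must all fall through to `not_authenticated` rather than to a local identity.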

For additional information you may write to us using the contact page of this site.
