<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head><title>Draft: OpenID Information Cards 1.0 - Draft 01</title>
<meta http-equiv="Expires" content="Fri, 10 Aug 2007 22:14:57 +0000">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="description" content="OpenID Information Cards 1.0 - Draft 01">
<meta name="generator" content="xml2rfc v1.31 (http://xml.resource.org/)">
<style type='text/css'><!--
        body {
                font-family: verdana, charcoal, helvetica, arial, sans-serif;
                font-size: small; color: #000; background-color: #FFF;
                margin: 2em;
        }
h1, h2, h3, h4, h5, h6 {
                font-family: helvetica, monaco, "MS Sans Serif", arial, sans-serif;
                font-weight: bold; font-style: normal;
        }
        h1 { color: #900; background-color: transparent; text-align: right; }
        h3 { color: #333; background-color: transparent; }
        td.RFCbug {
                font-size: x-small; text-decoration: none;
                width: 30px; height: 30px; padding-top: 2px;
                text-align: justify; vertical-align: middle;
                background-color: #000;
        }
        td.RFCbug span.RFC {
                font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
                font-weight: bold; color: #666;
        }
        td.RFCbug span.hotText {
                font-family: charcoal, monaco, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
                font-weight: normal; text-align: center; color: #FFF;
        }
        table.TOCbug { width: 30px; height: 15px; }
        td.TOCbug {
                text-align: center; width: 30px; height: 15px;
                color: #FFF; background-color: #900;
        }
        td.TOCbug a {
                font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, sans-serif;
                font-weight: bold; font-size: x-small; text-decoration: none;
                color: #FFF; background-color: transparent;
        }
        td.header {
                font-family: arial, helvetica, sans-serif; font-size: x-small;
                vertical-align: top; width: 33%;
                color: #FFF; background-color: #666;
        }
        td.author { font-weight: bold; font-size: x-small; margin-left: 4em; }
        td.author-text { font-size: x-small; }
        /* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
        a.info {
                /* This is the key. */
                position: relative;
                z-index: 24;
                text-decoration: none;
        }
        a.info:hover {
                z-index: 25;
                color: #FFF; background-color: #900;
        }
        a.info span { display: none; }
        a.info:hover span.info {
                /* The span will display just on :hover state. */
                display: block;
                position: absolute;
                font-size: smaller;
                top: 2em; left: -5em; width: 15em;
                padding: 2px; border: 1px solid #333;
                color: #900; background-color: #EEE;
                text-align: left;
        }
        a { font-weight: bold; }
        a:link { color: #900; background-color: transparent; }
        a:visited { color: #633; background-color: transparent; }
        a:active { color: #633; background-color: transparent; }
        p { margin-left: 2em; margin-right: 2em; }
        p.copyright { font-size: x-small; }
        p.toc { font-size: small; font-weight: bold; margin-left: 3em; }
        table.toc { margin: 0 0 0 3em; padding: 0; border: 0; vertical-align: text-top; }
        td.toc { font-size: small; font-weight: bold; vertical-align: text-top; }
        ol.text { margin-left: 2em; margin-right: 2em; }
        ul.text { margin-left: 2em; margin-right: 2em; }
        li { margin-left: 3em; }
        /* RFC-2629 <spanx>s and <artwork>s. */
        em { font-style: italic; }
        strong { font-weight: bold; }
        dfn { font-weight: bold; font-style: normal; }
        cite { font-weight: normal; font-style: normal; }
        tt { color: #036; }
tt, pre, pre dfn, pre em, pre cite, pre span {
                font-family: "Courier New", Courier, monospace; font-size: small;
        }
        pre {
                text-align: left; padding: 4px;
                color: #000; background-color: #CCC;
        }
        pre dfn { color: #900; }
        pre em { color: #66F; background-color: #FFC; font-weight: normal; }
        pre .key { color: #33C; font-weight: bold; }
        pre .id { color: #900; }
        pre .str { color: #000; background-color: #CFF; }
        pre .val { color: #066; }
        pre .rep { color: #909; }
        pre .oth { color: #000; background-color: #FCF; }
        pre .err { background-color: #FCC; }
        /* RFC-2629 <texttable>s. */
        table.full, table.headers, table.none {
                font-size: small; text-align: center; border-width: 2px;
                vertical-align: top; border-collapse: collapse;
        }
        table.full { border-style: solid; border-color: black; }
        table.headers, table.none { border-style: none; }
        th {
                font-weight: bold; border-color: black;
                border-width: 2px 2px 3px 2px;
        }
        table.full th { border-style: solid; }
        table.headers th { border-style: none none solid none; }
        table.none th { border-style: none; }
        table.full td {
                border-style: solid; border-color: #333;
                border-width: 1px 2px;
        }
        table.headers td, table.none td { border-style: none; }
        hr { height: 1px; }
        hr.insert {
                width: 80%; border-style: none; border-width: 0;
                color: #CCC; background-color: #CCC;
        }
--></style>
</head>
<body>
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<table summary="layout" width="66%" border="0" cellpadding="0" cellspacing="0"><tr><td><table summary="layout" width="100%" border="0" cellpadding="2" cellspacing="1">
<tr><td class="header">Draft</td><td class="header">D. Hardt</td></tr>
<tr><td class="header"> </td><td class="header">J. Bufu</td></tr>
<tr><td class="header"> </td><td class="header">Sxip Identity</td></tr>
<tr><td class="header"> </td><td class="header">August 10, 2007</td></tr>
</table></td></tr></table>
<h1><br />OpenID Information Cards 1.0 - Draft 01</h1>
<h3>Abstract</h3>
<p>
This document defines a method of performing OpenID
Authentication using Information Cards for transferring
OpenID claims from an Information Card-enabled OpenID Provider
to an Information Card-enabled OpenID Relying Party.
</p><a name="toc"></a><br /><hr />
<h3>Table of Contents</h3>
<p class="toc">
<a href="#anchor1">1.</a>
Terminology<br />
<a href="#anchor2">1.1.</a>
Definitions and Conventions<br />
<a href="#anchor3">2.</a>
Protocol Flow<br />
<a href="#requirements">3.</a>
Requirements<br />
<a href="#rp-requirements">3.1.</a>
Relying Party<br />
<a href="#op-requirements">3.2.</a>
Information Card-Enabled OpenID Provider<br />
<a href="#infocard-selector">3.3.</a>
Information Card Selector<br />
<a href="#anchor4">4.</a>
Information Model<br />
<a href="#openid-infocard">4.1.</a>
OpenID Information Cards<br />
<a href="#infocard-invocation">4.2.</a>
Identity Selector Invocation<br />
<a href="#openid-object">4.2.1.</a>
The Information Card OBJECT Element<br />
<a href="#xhtml-syntax">4.2.2.</a>
XHTML Information Card Syntax<br />
<a href="#openid-token">4.3.</a>
OpenID Tokens<br />
<a href="#openid-token-types">4.3.1.</a>
OpenID Token Types<br />
<a href="#openid-token-reference">4.3.2.</a>
OpenID Token References<br />
<a href="#openid-token-example">4.3.3.</a>
OpenID Token Example<br />
<a href="#openid-token-schema">4.3.4.</a>
OpenIDToken Schema<br />
<a href="#openid-claim">4.4.</a>
OpenID Identifier Claim Type<br />
<a href="#attribute-claims">4.5.</a>
Attribute Claims<br />
<a href="#examples">5.</a>
Protocol Flow Example Messages<br />
<a href="#object-example">5.1.</a>
Relying Party Requests Authentication With an OpenID Information Card<br />
<a href="#rst-example">5.2.</a>
Request Security Token Example<br />
<a href="#rstr-example">5.3.</a>
Request Security Token Response Example<br />
<a href="#xmltoken-example">5.4.</a>
XMLToken Example<br />
<a href="#anchor5">6.</a>
Security Considerations<br />
<a href="#anchor6">7.</a>
Acknowledgements<br />
<a href="#rfc.references1">8.</a>
Normative References<br />
<a href="#rfc.authors">§</a>
Authors' Addresses<br />
</p>
<br clear="all" />
<a name="anchor1"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.1"></a><h3>1.
Terminology</h3>
<p>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described
in <a class='info' href='#RFC2119'>[RFC2119]<span> (</span><span class='info'>Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.</span><span>)</span></a>.
</p>
<a name="anchor2"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.1.1"></a><h3>1.1.
Definitions and Conventions</h3>
<p>
</p>
<blockquote class="text"><dl>
<dt>User:</dt>
<dd>
Also referred to as "End User". A person with a digital
identity who participates in OpenID-based identity
information exchanges using their client software.
</dd>
<dt>Information Card Identity Selector</dt>
<dd>
Also called "Identity Selector". The client software used
by the user to perform identity selection based on
Information Cards. See <a class='info' href='#infocard.reference-1.0'>[infocard.reference‑1.0]<span> (</span><span class='info'>Nanda, A., “Identity Selector Interoperability Profile V1.0,” April 2007.</span><span>)</span></a>.
</dd>
<dt>OpenID Provider:</dt>
<dd>
Also called "OP". An OpenID Authentication server on
which a Relying Party relies for an assertion
that the end user controls an Identifier. See
<a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication‑2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, “OpenID Authentication 2.0 - Draft 11,” January 2007.</span><span>)</span></a>.
</dd>
<dt>Relying Party:</dt>
<dd>
Also called "RP". A Web application that wants proof that
the end user controls an Identifier, and requests identity
data associated with the end user.
See <a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication‑2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, “OpenID Authentication 2.0 - Draft 11,” January 2007.</span><span>)</span></a>.
</dd>
<dt>Security Token</dt>
<dd>
Also called "token". A statement, typically signed,
carrying claims about a user. A token is used in the
payload of the messages sent to a Relying Party to
transfer claims about a user.
See <a class='info' href='#infocard.reference-1.0'>[infocard.reference‑1.0]<span> (</span><span class='info'>Nanda, A., “Identity Selector Interoperability Profile V1.0,” April 2007.</span><span>)</span></a>.
</dd>
<dt>Security Token Service</dt>
<dd>
Also called "STS". A server endpoint that can issue
tokens. See <a class='info' href='#infocard.reference-1.0'>[infocard.reference‑1.0]<span> (</span><span class='info'>Nanda, A., “Identity Selector Interoperability Profile V1.0,” April 2007.</span><span>)</span></a>.
</dd>
<dt>Request Security Token</dt>
<dd>
Also called "RST". A message through which an Identity
Selector requests a token from an STS endpoint.
See <a class='info' href='#infocard.reference-1.0'>[infocard.reference‑1.0]<span> (</span><span class='info'>Nanda, A., “Identity Selector Interoperability Profile V1.0,” April 2007.</span><span>)</span></a>.
</dd>
<dt>Request Security Token Response</dt>
<dd>
Also called "RSTR". A response message sent from an STS
endpoint to an Identity Selector, containing a token.
See <a class='info' href='#infocard.reference-1.0'>[infocard.reference‑1.0]<span> (</span><span class='info'>Nanda, A., “Identity Selector Interoperability Profile V1.0,” April 2007.</span><span>)</span></a>.
</dd>
</dl></blockquote><p>
</p>
<p>
Throughout this document references to
<a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication‑2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, “OpenID Authentication 2.0 - Draft 11,” January 2007.</span><span>)</span></a> also apply to
<a class='info' href='#OpenID.authentication-1.1'>[OpenID.authentication‑1.1]<span> (</span><span class='info'>Recordon, D. and B. Fitzpatrick, “OpenID Authentication 1.1,” May 2006.</span><span>)</span></a> unless explicitly
noted otherwise.
</p>
<a name="anchor3"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.2"></a><h3>2.
Protocol Flow</h3>
<p>
</p>
<ol class="text">
<li>
User acquires an OpenID Information Card from their
Information Card-enabled OP.
</li>
<li>
User browses to an OpenID RP.
</li>
<li>
User invokes an element on the page to send an OpenID token
to the Relying Party.
</li>
<li>
Identity Selector detects the "application/x-informationCard"
<OBJECT> element on the RP's login page, requesting an
OpenID token.
</li>
<li>
User selects an OpenID Information Card to use.
</li>
<li>
Identity Selector sends a Request Security Token (RST) to the
Security Token Service (STS) endpoint of the OP that issued the
card.
</li>
<li>
OP issues an OpenID Authentication Response, encodes that
response in an OpenID token, and encapsulates the token
in a Request Security Token Response (RSTR).
</li>
<li>
OP returns the RSTR to the Identity Selector.
</li>
<li>
Identity Selector POSTs the response back to the RP.
</li>
<li>
RP extracts the OpenID Authentication response from the OpenID
token and returns to the normal OpenID verification flow as
specified by <a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication‑2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, “OpenID Authentication 2.0 - Draft 11,” January 2007.</span><span>)</span></a>.
In particular, the signature must be verified
with a direct call to the OpenID Provider.
</li>
</ol><p>
</p>
<a name="requirements"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3"></a><h3>3.
Requirements</h3>
<p>
This section describes what is needed on top of an OpenID
implementation for OpenID Information Cards support.
</p>
<a name="rp-requirements"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3.1"></a><h3>3.1.
Relying Party</h3>
<p>
In order to support OpenID Information Cards, Relying Parties MUST:
</p>
<blockquote class="text">
<p>
Request an OpenID token, by invoking an
Information Card Identity Selector as described in
<a class='info' href='#infocard.web-interop'>[infocard.web‑interop]<span> (</span><span class='info'>Jones, M., “A Guide to Using the Identity Selector Interoperability Profile V1.0 within Web Applications and Browsers,” April 2007.</span><span>)</span></a>. This can be
accomplished either with an "application/x-informationCard"
<OBJECT> element or using XHTML syntax.
See <a class='info' href='#infocard-invocation'>Section 4.2<span> (</span><span class='info'>Identity Selector Invocation</span><span>)</span></a>.
</p>
<p>
Extract the OpenID Authentication response from the RSTR /
OpenID token.
</p>
</blockquote><p>
</p>
<a name="op-requirements"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3.2"></a><h3>3.2.
Information Card-Enabled OpenID Provider</h3>
<p>
In order to support OpenID Information Cards, OpenID Providers
MUST:
</p>
<blockquote class="text">
<p>
Issue OpenID Information Cards.
</p>
<p>
Provide an STS endpoint for issuing OpenID tokens.
</p>
</blockquote><p>
</p>
<a name="infocard-selector"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3.3"></a><h3>3.3.
Information Card Selector</h3>
<p>
The tokens are opaque to Identity Selectors, so any selector
implementation will support OpenID Information Cards.
</p>
<a name="anchor4"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4"></a><h3>4.
Information Model</h3>
<a name="openid-infocard"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4.1"></a><h3>4.1.
OpenID Information Cards</h3>
<p>
An OpenID Information Card is an Information Card issued by an
Information Card-enabled OP with the following properties:
</p>
<blockquote class="text">
<p>
MUST support OpenID tokens.
</p>
<p>
MUST support the OpenID Identifier claim.
</p>
<p>
MUST contain the RequireAppliesTo element, so that the
Identity Selector passes the URL of the RP to the OP.
</p>
</blockquote><p>
</p>
<a name="infocard-invocation"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4.2"></a><h3>4.2.
Identity Selector Invocation</h3>
<p>
Relying parties have the following options for invoking an
Identity Selector on their login pages, as specified in
<a class='info' href='#infocard.web-interop'>[infocard.web‑interop]<span> (</span><span class='info'>Jones, M., “A Guide to Using the Identity Selector Interoperability Profile V1.0 within Web Applications and Browsers,” April 2007.</span><span>)</span></a>:
</p>
<blockquote class="text">
<p>
An <OBJECT> element of the type
"application/x-informationCard".
</p>
<p>
XHTML Information Card syntax.
</p>
</blockquote><p>
Optionally, Relying Parties MAY use browser scripting languages
to dynamically detect the availability of an Identity Selector
and choose whether to present an Information Card <OBJECT>
element, Information Card XHTML syntax, or a standard OpenID
login form.
</p>
<a name="openid-object"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4.2.1"></a><h3>4.2.1.
The Information Card OBJECT Element</h3>
<p>
An OpenID token can be requested using an
<OBJECT> element with the following properties:
</p>
<blockquote class="text">
<p>
The "type" attribute MUST have the value
"application/x-informationCard".
</p>
<p>
The "tokenType" parameter MUST have the value of an
<a class='info' href='#openid-token'>OpenID token<span> (</span><span class='info'>OpenID Tokens</span><span>)</span></a>.
</p>
<p>
The "requiredClaims" parameter MUST contain the
"http://schema.openid.net/2007/05/claims/identifier" URI.
</p>
</blockquote><p>
</p>
<p>Example:
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>
<OBJECT type="application/x-informationCard" name="xmlToken">
<PARAM Name="tokenType" Value="http://specs.openid.net/auth/2.0">
<PARAM Name="requiredClaims"
Value="http://schema.openid.net/2007/05/claims/identifier">
</OBJECT>
</pre></div>
<a name="xhtml-syntax"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4.2.2"></a><h3>4.2.2.
XHTML Information Card Syntax</h3>
<p>
An Information Card token can be requested using an
<ic:informationCard> element with the following
properties:
</p>
<blockquote class="text">
<p>
The "name" attribute MUST have the value "xmlToken".
</p>
<p>
The "tokenType" attribute MUST have the value of an
<a class='info' href='#openid-token'>OpenID token<span> (</span><span class='info'>OpenID Tokens</span><span>)</span></a>.
</p>
<p>
An <add> element with the "claimType" attribute
set to the
"http://schema.openid.net/2007/05/claims/identifier" URI
and the "optional" attribute set to "false" MUST be present.
</p>
</blockquote><p>
Note that not all browsers provide full support for XHTML.
</p>
<p>Example:
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>
<ic:informationCard name='xmlToken'
style='behavior:url(#default#informationCard)'
tokenType="http://specs.openid.net/auth/2.0">
<ic:add claimType=
"http://schema.openid.net/2007/05/claims/identifier"
optional="false"/>
</ic:informationCard>
</pre></div>
<a name="openid-token"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4.3"></a><h3>4.3.
OpenID Tokens</h3>
<p>
OpenID tokens are used to encapsulate and transfer
OpenID Authentication responses using Information Cards.
OpenID messages MUST be encoded in the key-value form
defined in <a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication‑2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, “OpenID Authentication 2.0 - Draft 11,” January 2007.</span><span>)</span></a>.
</p>
<p>
The key-value form encoded OpenID Authentication response
MUST be enclosed in a <OpenIDToken> element in the
"http://specs.openid.net/auth/2.0" namespace. The XML
schema for the OpenIDToken element is defined in
<a class='info' href='#openid-token-schema'>Section 4.3.4<span> (</span><span class='info'>OpenIDToken Schema</span><span>)</span></a>.
</p>
<p>
Verification of OpenID Positive Assertions (claims) MUST
be performed as specified in the "Verifying Assertions"
section of <a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication‑2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, “OpenID Authentication 2.0 - Draft 11,” January 2007.</span><span>)</span></a>.
</p>
<p>
In the OpenID Information Cards protocol flow the RP cannot
perform the optional OpenID association step; therefore,
Relying Parties MUST perform the signature verification by
sending a direct request to the OpenID Provider, as specified
in the "Verifying Directly with the OpenID Provider"
section of <a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication‑2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, “OpenID Authentication 2.0 - Draft 11,” January 2007.</span><span>)</span></a>.
</p>
<a name="openid-token-types"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4.3.1"></a><h3>4.3.1.
OpenID Token Types</h3>
<p>
Two URIs are defined to identify the following versions of
the OpenID protocol; these URIs MUST be used when referring
to OpenID token types in WS-* protocols.
</p><br /><hr class="insert" />
<table class="full" align="center" border="0" cellpadding="2" cellspacing="2">
<col align="left"><col align="left">
<tr><th align="left">Token URI</th><th align="left">OpenID Protocol Version</th></tr>
<tr>
<td align="left">http://specs.openid.net/auth/2.0</td>
<td align="left">
<a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication‑2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, “OpenID Authentication 2.0 - Draft 11,” January 2007.</span><span>)</span></a>
</td>
</tr>
<tr>
<td align="left">http://specs.openid.net/auth/1.1</td>
<td align="left">
<a class='info' href='#OpenID.authentication-1.1'>[OpenID.authentication‑1.1]<span> (</span><span class='info'>Recordon, D. and B. Fitzpatrick, “OpenID Authentication 1.1,” May 2006.</span><span>)</span></a>
</td>
</tr>
</table>
<table border="0" cellpadding="0" cellspacing="2" align="center"><tr><td align="center"><font face="monaco, MS Sans Serif" size="1"><b> OpenID token URIs </b></font><br /></td></tr></table><hr class="insert" />
<a name="openid-token-reference"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4.3.2"></a><h3>4.3.2.
OpenID Token References</h3>
<p>
Tokens transferred with Information Card transactions need to
be referenced for the purpose of performing security
operations, such as encryption and signature calculation. In
order for the Identity Selectors to be token-agnostic and be
able to transfer and reference tokens of any type, the Security
Token Services must provide the descriptors for how the tokens
should be referenced. This is accomplished by including
RequestedAttachedReference and RequestedUnattachedReference
elements in RSTR messages, as described in WS-Trust and
<a class='info' href='#infocard.reference-1.0'>[infocard.reference‑1.0]<span> (</span><span class='info'>Nanda, A., “Identity Selector Interoperability Profile V1.0,” April 2007.</span><span>)</span></a>.
</p>
<p>
When issuing OpenID Tokens, an Information Card-enabled OpenID
Provider MUST include the <RequestedAttachedReference>
and <RequestedUnattachedReference> elements in the RSTR
message. Both references MUST contain identical values in the
form of <KeyIdentifier> security token references with
the following characteristics:
</p>
<blockquote class="text">
<p>
The ValueType attribute of the <KeyIdentifier>
element MUST have the value of
"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1".
</p>
<p>
The text value of the <KeyIdentifier> element MUST
be the base64 encoded value of the SHA1 hash of the raw
octets constituting the OpenID message encoded in
key-value form.
</p>
</blockquote><p>
Example:
</p>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">
d1pgA15raYAIMAJ3CMCZ64qU02g=
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</pre></div><p>
</p>
<p>
See <a class='info' href='#rstr-example'>Section 5.3<span> (</span><span class='info'>Request Security Token Response Example</span><span>)</span></a> for a full Request Security
Token Response example.
</p>
<a name="openid-token-example"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4.3.3"></a><h3>4.3.3.
OpenID Token Example</h3>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>
<openid:OpenIDToken xmlns:openid="http://specs.openid.net/auth/2.0">
openid.ns:http://specs.openid.net/auth/2.0
openid.mode:id_res
openid.op_endpoint:https://example-op.com/openid-server/
openid.claimed_id:https://example-op.com/johndoe/
openid.identity:https://example-op.com/johndoe/
openid.return_to:https://example-rp.com/openid-infocard-endpoint/
openid.response_nonce:2007-06-28T22:16:58Z0
openid.assoc_handle:d38f38e8166443cb
openid.signed:op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
openid.sig:PZNucb3/5KnEHsOXEMFkg1FJAnGD+UbGR1LqsscVvEc=
</openid:OpenIDToken>
</pre></div>
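<p>
The following Python example is added here and is not part of this specification or of any OP or RP implementation: it walks the Relying Party steps of Sections 4.3 and 4.3.2 on a constructed token modelled on the example above, extracting the key-value form, recomputing the ThumbprintSHA1 KeyIdentifier, and building the check_authentication request for direct verification. The function names, the trimming of whitespace around the element text, the exact-match return_to comparison and the discovered_op_endpoint parameter are assumptions of the example.
</p>

```python
"""Relying Party handling of an OpenID token (added example, hypothetical names)."""
import base64
import hashlib
import hmac
import urllib.parse
import xml.etree.ElementTree as ET

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields that OpenID Authentication 2.0 requires openid.signed to cover.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")

# Constructed sample, modelled on the token example in Section 4.3.3.
SAMPLE_TOKEN = b"""<openid:OpenIDToken xmlns:openid="http://specs.openid.net/auth/2.0">
openid.ns:http://specs.openid.net/auth/2.0
openid.mode:id_res
openid.op_endpoint:https://example-op.com/openid-server/
openid.claimed_id:https://example-op.com/johndoe/
openid.identity:https://example-op.com/johndoe/
openid.return_to:https://example-rp.com/openid-infocard-endpoint/
openid.response_nonce:2007-06-28T22:16:58Z0
openid.assoc_handle:d38f38e8166443cb
openid.signed:op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
openid.sig:PZNucb3/5KnEHsOXEMFkg1FJAnGD+UbGR1LqsscVvEc=
</openid:OpenIDToken>"""


def extract_key_value_octets(token_xml: bytes) -> bytes:
    """Return the key-value form octets carried by an <OpenIDToken> element."""
    # The token arrives via the browser and is untrusted: refuse DTDs outright.
    if b"<!DOCTYPE" in token_xml or b"<!ENTITY" in token_xml:
        raise ValueError("DTD or entity declaration in token")
    root = ET.fromstring(token_xml)
    if root.tag != "{%s}OpenIDToken" % OPENID_NS or len(root):
        raise ValueError("not a bare OpenIDToken element")
    # Assumption: whitespace around the element text is XML layout, and the
    # message itself is a sequence of newline-terminated key:value lines.
    return ((root.text or "").strip() + "\n").encode("utf-8")


def parse_key_value(octets: bytes) -> dict:
    """Strictly parse key-value form: one 'key:value' per LF-terminated line."""
    lines = octets.decode("utf-8").split("\n")
    if lines[-1] != "":
        raise ValueError("message is not newline-terminated")
    fields = {}
    for line in lines[:-1]:
        key, sep, value = line.partition(":")
        if not sep or not key or key in fields:
            raise ValueError("malformed or duplicate line: %r" % line)
        fields[key] = value
    return fields


def thumbprint_sha1(octets: bytes) -> str:
    """Base64 of the SHA-1 of the key-value octets (the KeyIdentifier text)."""
    return base64.b64encode(hashlib.sha1(octets).digest()).decode("ascii")


def reference_matches(octets: bytes, key_identifier_text: str) -> bool:
    """Check a KeyIdentifier value against the token it should reference."""
    expected = thumbprint_sha1(octets).encode("ascii")
    return hmac.compare_digest(expected, key_identifier_text.strip().encode("utf-8"))


def build_check_authentication(fields: dict, expected_return_to: str,
                               discovered_op_endpoint: str):
    """Validate the assertion fields and build the direct verification request."""
    # discovered_op_endpoint comes from the RP's own discovery on the claimed
    # identifier; the endpoint named inside the token is not trusted by itself,
    # because whoever built the token chose it.
    if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
        raise ValueError("not an OpenID 2.0 positive assertion")
    # Simplification: exact match instead of component-wise URL comparison.
    if fields.get("openid.return_to") != expected_return_to:
        raise ValueError("return_to does not name this relying party")
    if fields.get("openid.op_endpoint") != discovered_op_endpoint:
        raise ValueError("op_endpoint differs from the discovered endpoint")
    signed = fields.get("openid.signed", "").split(",")
    required = list(REQUIRED_SIGNED) + [
        n for n in ("claimed_id", "identity") if "openid." + n in fields]
    missing = [n for n in required if n not in signed]
    if missing or "openid.sig" not in fields:
        raise ValueError("openid.sig or signed fields missing: %s" % ",".join(missing))
    # check_authentication: every field copied verbatim, only the mode changes.
    request = dict(fields)
    request["openid.mode"] = "check_authentication"
    return discovered_op_endpoint, urllib.parse.urlencode(request)


if __name__ == "__main__":
    octets = extract_key_value_octets(SAMPLE_TOKEN)
    print("KeyIdentifier:", thumbprint_sha1(octets))
    # The RP POSTs the body to the endpoint and accepts the assertion only if
    # the key-value reply says is_valid:true. Nonce replay checks are omitted.
    print(build_check_authentication(
        parse_key_value(octets),
        "https://example-rp.com/openid-infocard-endpoint/",
        "https://example-op.com/openid-server/"))
```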
<a name="openid-token-schema"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4.3.4"></a><h3>4.3.4.
OpenIDToken Schema</h3>
<p>
The XML schema definition for the <OpenIDToken> element
is as follows:
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>
<?xml version="1.0" encoding="UTF-8"?>
<!-- XML Schema for OpenIDToken -->
<xs:schema
targetNamespace="http://specs.openid.net/auth/2.0"
xmlns:openid="http://specs.openid.net/auth/2.0"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified" blockDefault="#all">
<xs:element name="OpenIDToken" type="openid:OpenIDTokenType"/>
<xs:complexType name="OpenIDTokenType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:anyAttribute namespace="##any" processContents="lax" />
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:schema>
</pre></div>
<a name="openid-claim"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4.4"></a><h3>4.4.
OpenID Identifier Claim Type</h3>
<p>
OpenID Information Cards are used to acquire and supply OpenID
Authentication claims to a Relying Party. This type of claim
is identified in Information Card transactions by the following URI:
</p>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>
http://schema.openid.net/2007/05/claims/identifier
</pre></div><p>
</p>
<a name="attribute-claims"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4.5"></a><h3>4.5.
Attribute Claims</h3>
<p>
Additional attribute claims MAY be requested by the Relying
Party by listing the corresponding URIs in the Information Card
OBJECT element or by using XHTML Information Card Syntax, as
specified in <a class='info' href='#infocard.web-interop'>[infocard.web‑interop]<span> (</span><span class='info'>Jones, M., “A Guide to Using the Identity Selector Interoperability Profile V1.0 within Web Applications and Browsers,” April 2007.</span><span>)</span></a>. In this
case the OpenID 2.0 namespace URI,
"http://specs.openid.net/auth/2.0" MUST be one of the requested
token types.
</p>
<p>
If such claims are supported by a managed OpenID Information
Card and an Information Card-Enabled OpenID Provider, the
protocol used to encode the response claims containing the
attribute values MUST be <a class='info' href='#OpenID.attribute-exchange'>OpenID Attribute Exchange<span> (</span><span class='info'>Hardt, D., Bufu, J., and J. Hoyt, “OpenID Attribute Exchange,” January 2007.</span><span>)</span></a> [OpenID.attribute‑exchange].
</p>
<p>
Specifically, an OpenID Attribute Exchange Fetch Response
extension MUST be added to the OpenID Authentication response
encapsulated in the OpenID 2.0 Information Card token.
</p>
<p>
See <a class='info' href='#examples'>Section 5<span> (</span><span class='info'>Protocol Flow Example Messages</span><span>)</span></a> for a set of example messages
that illustrate the protocol flow.
</p>
<a name="examples"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.5"></a><h3>5.
Protocol Flow Example Messages</h3>
<p>
Non-normative.
</p>
<a name="object-example"></a><br /><hr />
<a name="rfc.section.5.1"></a><h3>5.1.
Relying Party Requests Authentication With an OpenID Information Card</h3>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>
<OBJECT type="application/x-informationCard" name="xmlToken">
<PARAM Name="tokenType" Value="http://specs.openid.net/auth/2.0">
<PARAM Name="requiredClaims"
Value="http://schema.openid.net/2007/05/claims/identifier">
<PARAM Name="optionalClaims"
Value="http://axschema.org/namePerson/first http://axschema.org/namePerson/last http://axschema.org/contact/email">
</OBJECT>
</pre></div>
<p>
Besides the OpenID token type and the OpenID identifier
claim type, optional email address, first and last name
attribute claims are also requested.
</p>
<a name="rst-example"></a><br /><hr />
<a name="rfc.section.5.2"></a><h3>5.2.
Request Security Token Example</h3>
<p>
Request Security Token (RST) message sent by the Information Card
selector to the Information Card-enabled OpenID Provider / STS:
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>
<s:Envelope
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security
s:mustUnderstand="1"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:UsernameToken u:Id="uuid-9f7afd9b-dfc0-4a11-9066-0ea82dbd36b2-2">
<o:Username>exampleUser</o:Username>
<o:Password
o:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
examplePassword
</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<wst:RequestSecurityToken Context="ProcessRequestSecurityToken"
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
</wst:RequestType>
<wsid:InformationCardReference
xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity">
<wsid:CardId>
https://example-op.com/sts/card/CBB63122-E541-7F40-961B-BB0A8079110B
</wsid:CardId>
<wsid:CardVersion>1</wsid:CardVersion>
</wsid:InformationCardReference>
<wst:Claims>
<wsid:ClaimType
Uri="http://schema.openid.net/2007/05/claims/identifier"
xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity"/>
<wsid:ClaimType
Uri="http://axschema.org/namePerson/first"
xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity"
Optional="true"/>
<wsid:ClaimType
Uri="http://axschema.org/namePerson/last"
xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity"
Optional="true"/>
<wsid:ClaimType
Uri="http://axschema.org/contact/email"
xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity"
Optional="true"/>
</wst:Claims>
<wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey
</wst:KeyType>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<EndpointReference
xmlns="http://schemas.microsoft.com/ws/2005/05/addressing/none">
https://example-rp.com/openid-infocard-endpoint/
</EndpointReference>
</wsp:AppliesTo>
<wst:TokenType>http://specs.openid.net/auth/2.0</wst:TokenType>
<wsid:RequestDisplayToken xml:lang="en"
xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity"/>
</wst:RequestSecurityToken>
</s:Body>
</s:Envelope>
</pre></div>
<p>
No proof key is used in this example. A username/password
credential included in the RST is used as the method of
authentication to the Information Card-enabled OpenID Provider.
</p>
<a name="rstr-example"></a><br /><hr />
<a name="rfc.section.5.3"></a><h3>5.3.
Request Security Token Response Example</h3>
<p>
Request Security Token Response (RSTR) sent by the STS back
to the Identity Selector:
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>
<soap:Envelope xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header/>
<soap:Body>
<wst:RequestSecurityTokenResponse Context="ProcessRequestSecurityToken">
<wst:TokenType>http://specs.openid.net/auth/2.0</wst:TokenType>
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
</wst:RequestType>
<wst:RequestedSecurityToken>
<openid:OpenIDToken xmlns:openid="http://specs.openid.net/auth/2.0">
openid.ns:http://specs.openid.net/auth/2.0
openid.mode:id_res
openid.op_endpoint:https://example-op.com/openid-server/
openid.claimed_id:https://example-op.com/johndoe/
openid.identity:https://example-op.com/johndoe/
openid.return_to:https://example-rp.com/openid-infocard-endpoint/
openid.response_nonce:2007-06-28T22:16:58Z0
openid.assoc_handle:d38f38e8166443cb
openid.signed:op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
openid.sig:PZNucb3/5KnEHsOXEMFkg1FJAnGD+UbGR1LqsscVvEc=
openid.ns.ext1:http://openid.net/srv/ax/1.0
openid.ext1.mode:fetch_response
openid.ext1.type.FirstName:http://axschema.org/namePerson/first
openid.ext1.value.FirstName:John
openid.ext1.type.LastName:http://axschema.org/namePerson/last
openid.ext1.value.LastName:Doe
openid.ext1.type.email:http://axschema.org/contact/email
openid.ext1.value.email:johndoe@example.com
</openid:OpenIDToken>
</wst:RequestedSecurityToken>
<wst:RequestedAttachedReference>
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">
d1pgA15raYAIMAJ3CMCZ64qU02g=
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</wst:RequestedAttachedReference>
<wst:RequestedUnattachedReference>
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">
d1pgA15raYAIMAJ3CMCZ64qU02g=
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</wst:RequestedUnattachedReference>
<ic:RequestedDisplayToken>
<ic:DisplayToken xml:lang="en">
<ic:DisplayClaim
Uri="http://axschema.org/namePerson/first">
<ic:DisplayTag>Given Name</ic:DisplayTag>
<ic:DisplayValue>John</ic:DisplayValue>
</ic:DisplayClaim>
<ic:DisplayClaim
Uri="http://axschema.org/namePerson/last">
<ic:DisplayTag>Surname</ic:DisplayTag>
<ic:DisplayValue>Doe</ic:DisplayValue>
</ic:DisplayClaim>
<ic:DisplayClaim
Uri="http://axschema.org/contact/email">
<ic:DisplayTag>Email</ic:DisplayTag>
<ic:DisplayValue>johndoe@example.com</ic:DisplayValue>
</ic:DisplayClaim>
<ic:DisplayClaim
Uri="http://schema.openid.net/2007/05/claims/identifier">
<ic:DisplayTag>OpenID</ic:DisplayTag>
<ic:DisplayValue>https://example-op.com/johndoe/
</ic:DisplayValue>
</ic:DisplayClaim>
</ic:DisplayToken>
</ic:RequestedDisplayToken>
</wst:RequestSecurityTokenResponse>
</soap:Body>
</soap:Envelope>
</pre></div>
<a name="xmltoken-example"></a><br /><hr />
<a name="rfc.section.5.4"></a><h3>5.4.
XMLToken Example</h3>
<p>
Data sent by the Information Card selector to the Relying Party
with an HTTP POST, as the value of the "xmltoken" parameter:
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>
<openid:OpenIDToken xmlns:openid="http://specs.openid.net/auth/2.0">
openid.ns:http://specs.openid.net/auth/2.0
openid.mode:id_res
openid.op_endpoint:https://example-op.com/openid-server/
openid.claimed_id:https://example-op.com/johndoe/
openid.identity:https://example-op.com/johndoe/
openid.return_to:https://example-rp.com/openid-infocard-endpoint/
openid.response_nonce:2007-06-28T22:16:58Z0
openid.assoc_handle:d38f38e8166443cb
openid.signed:op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
openid.sig:PZNucb3/5KnEHsOXEMFkg1FJAnGD+UbGR1LqsscVvEc=
openid.ns.ext1:http://openid.net/srv/ax/1.0
openid.ext1.mode:fetch_response
openid.ext1.type.FirstName:http://axschema.org/namePerson/first
openid.ext1.value.FirstName:John
openid.ext1.type.LastName:http://axschema.org/namePerson/last
openid.ext1.value.LastName:Doe
openid.ext1.type.email:http://axschema.org/contact/email
openid.ext1.value.email:johndoe@example.com
</openid:OpenIDToken>
</pre></div>
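<p>
The following is an added example, not part of the draft: a Relying Party-side sketch that parses a posted token like the one above and runs the checks that precede signature verification, including which Attribute Exchange fields fall outside openid.signed. The names parse_token, check_assertion, MUST_SIGN and SAMPLE are assumptions of this example; verifying openid.sig against the association and rejecting replayed nonces are not covered.
</p>

```python
import xml.etree.ElementTree as ET
OPENID_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
MUST_SIGN = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
# Constructed sample: the section 5.4 token, cut down to one AX attribute.
SAMPLE = """<openid:OpenIDToken xmlns:openid="http://specs.openid.net/auth/2.0">
openid.ns:http://specs.openid.net/auth/2.0
openid.mode:id_res
openid.op_endpoint:https://example-op.com/openid-server/
openid.claimed_id:https://example-op.com/johndoe/
openid.identity:https://example-op.com/johndoe/
openid.return_to:https://example-rp.com/openid-infocard-endpoint/
openid.response_nonce:2007-06-28T22:16:58Z0
openid.assoc_handle:d38f38e8166443cb
openid.signed:op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
openid.sig:PZNucb3/5KnEHsOXEMFkg1FJAnGD+UbGR1LqsscVvEc=
openid.ns.ext1:http://openid.net/srv/ax/1.0
openid.ext1.mode:fetch_response
openid.ext1.type.email:http://axschema.org/contact/email
openid.ext1.value.email:johndoe@example.com
</openid:OpenIDToken>"""

def parse_token(xml_text):
    """Return the key:value lines of an OpenIDToken element as a dict."""
    if "<!DOCTYPE" in xml_text:  # refuse DTDs and entity declarations
        raise ValueError("DTD not allowed in token")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}OpenIDToken" % OPENID_NS:
        raise ValueError("not an OpenID 2.0 Information Card token")
    fields = {}
    for line in filter(None, map(str.strip, (root.text or "").split("\n"))):
        key, sep, value = line.partition(":")  # values may contain colons
        if not sep or key in fields:
            raise ValueError("malformed or duplicate line: %r" % line)
        fields[key] = value
    return fields

def check_assertion(f, rp_endpoint):
    """Checks made before signature verification; returns (ax, unsigned_keys)."""
    if (f.get("openid.ns"), f.get("openid.mode")) != (OPENID_NS, "id_res"):
        raise ValueError("not a positive OpenID 2.0 assertion")
    if f.get("openid.return_to") != rp_endpoint:
        raise ValueError("token was issued for a different Relying Party")
    signed = set(f.get("openid.signed", "").split(","))  # names lack "openid."
    if not MUST_SIGN <= signed or any("openid." + s not in f for s in signed):
        raise ValueError("openid.signed is incomplete or names absent fields")
    alias = next((k[10:] for k in f if k.startswith("openid.ns.") and f[k] == AX_NS), "")
    pre = "openid.%s." % alias  # prefix of the AX extension's keys
    ax = {f[k]: f.get(pre + "value." + k[len(pre) + 5:]) for k in f if k.startswith(pre + "type.")}
    return ax, sorted(k for k in f if k.startswith(pre) and k[7:] not in signed)
```

<p>
On the sample, check_assertion returns the email attribute and reports all three openid.ext1.* keys as unsigned: the example token lists no Attribute Exchange field in openid.signed, so those values are not covered by openid.sig.
</p>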
<a name="anchor5"></a><br /><hr />
<a name="rfc.section.6"></a><h3>6.
Security Considerations</h3>
<p>
Using OpenID Information Cards eliminates the "Rogue Relying
Party Proxying" attack described in the Security Considerations
section of <a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication‑2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, “OpenID Authentication 2.0 - Draft 11,” January 2007.</span><span>)</span></a>.
</p>
<a name="anchor6"></a><br /><hr />
<a name="rfc.section.7"></a><h3>7.
Acknowledgements</h3>
<p>
Arun Nanda and Mike Jones.
</p>
<a name="rfc.references1"></a><br /><hr />
<h3>8. Normative References</h3>
<table width="99%" border="0">
<tr><td class="author-text" valign="top"><a name="OpenID.attribute-exchange">[OpenID.attribute-exchange]</a></td>
<td class="author-text"><a href="mailto:dick@sxip.com">Hardt, D.</a>, <a href="mailto:johnny@sxip.com">Bufu, J.</a>, and <a href="mailto:josh@janrain.com">J. Hoyt</a>, “OpenID Attribute Exchange,” January 2007 (<a href="http://openid.net/specs/openid-attribute-exchange-1_0-04.txt">TXT</a>, <a href="http://openid.net/specs/openid-attribute-exchange-1_0-04.html">HTML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="OpenID.authentication-1.1">[OpenID.authentication-1.1]</a></td>
<td class="author-text"><a href="mailto:drecordon@verisign.com">Recordon, D.</a> and <a href="mailto:brad@danga.com">B. Fitzpatrick</a>, “OpenID Authentication 1.1,” May 2006 (<a href="http://www.openid.net/specs/openid-authentication-1_1.txt">TXT</a>, <a href="http://www.openid.net/specs/openid-authentication-1_1.html">HTML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="OpenID.authentication-2.0">[OpenID.authentication-2.0]</a></td>
<td class="author-text"><a href="mailto:drecordon@verisign.com">Recordon, D.</a>, <a href="mailto:josh@janrain.com">Hoyt, J.</a>, <a href="mailto:brad@danga.com">Fitzpatrick, B.</a>, and <a href="mailto:dick@sxip.com">D. Hardt</a>, “OpenID Authentication 2.0 - Draft 11,” January 2007 (<a href="http://www.openid.net/specs/openid-authentication-2_0-11.txt">TXT</a>, <a href="http://www.openid.net/specs/openid-authentication-2_0-11.html">HTML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC2119">[RFC2119]</a></td>
<td class="author-text"><a href="mailto:sob@harvard.edu">Bradner, S.</a>, “<a href="ftp://ftp.isi.edu/in-notes/rfc2119.txt">Key words for use in RFCs to Indicate Requirement Levels</a>,” BCP 14, RFC 2119, March 1997 (<a href="ftp://ftp.isi.edu/in-notes/rfc2119.txt">TXT</a>, <a href="http://xml.resource.org/public/rfc/html/rfc2119.html">HTML</a>, <a href="http://xml.resource.org/public/rfc/xml/rfc2119.xml">XML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="infocard.reference-1.0">[infocard.reference-1.0]</a></td>
<td class="author-text">Nanda, A., “<a href="http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity-Selector-Interop-Profile-v1.pdf">Identity Selector Interoperability Profile V1.0</a>,” April 2007.</td></tr>
<tr><td class="author-text" valign="top"><a name="infocard.web-interop">[infocard.web-interop]</a></td>
<td class="author-text">Jones, M., “<a href="http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity-Selector-Interop-Profile-v1-Web-Guide.pdf">A Guide to Using the Identity Selector Interoperability
Profile V1.0 within Web Applications and Browsers</a>,” April 2007.</td></tr>
</table>
<a name="rfc.authors"></a><br /><hr />
<h3>Authors' Addresses</h3>
<table width="99%" border="0" cellpadding="0" cellspacing="0">
<tr><td class="author-text"> </td>
<td class="author-text">Dick Hardt</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Sxip Identity</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">798 Beatty Street</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Vancouver, BC V6B 2M1</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">CA</td></tr>
<tr><td class="author" align="right">Email: </td>
<td class="author-text"><a href="mailto:dick@sxip.com">dick@sxip.com</a></td></tr>
<tr><td class="author" align="right">URI: </td>
<td class="author-text"><a href="http://sxip.com/">http://sxip.com/</a></td></tr>
<tr cellpadding="3"><td> </td><td> </td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Johnny Bufu</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Sxip Identity</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">798 Beatty Street</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Vancouver, BC V6B 2M1</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">CA</td></tr>
<tr><td class="author" align="right">Email: </td>
<td class="author-text"><a href="mailto:johnny@sxip.com">johnny@sxip.com</a></td></tr>
<tr><td class="author" align="right">URI: </td>
<td class="author-text"><a href="http://sxip.com/">http://sxip.com/</a></td></tr>
</table>
</body></html>