Now that Contract Exchange WG ML has been set up at openid.net, we should be able to start discussing it.
=hdknr is busily preparing the initial document for the current thought now (which is going to be submitted around Wednesday), but I will start introducing the concept here little by little. (I thought of using wiki.openid.net, but I did not know whether I could control the edits so that we do not get exposed to IPR pollution, so I am doing it here.)
The main concept of the Contract Exchange is to exchange a public-key-signed contract among “parties”. The basic model calls for two parties, with two additional signatories. Under the current situation, signatories are typically servers.
There will be a contract proposal (offer) on the table to start with. It is signed by the Offerer. The signature achieves two things:
1) Non-repudiation: The offerer really made the offer.
2) Integrity: The accepting party cannot change the offer.
Once the accepting party reads the offer and agrees to it, the contract is established; to signify this, the accepting party counter-signs the document.
That’s all it does.
It could subsequently be used as a token to obtain further data or services, i.e., just like an OAuth Access Token.
The protocol that we have been talking about at various venues (such as IIW) is actually very simple. It is almost a simplified version of OAuth with a tweak.
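To make the offer / counter-sign model concrete, here is an added example (not code from the CX working group or its draft) that walks through the two-party case: the offerer signs a proposal, the accepting party verifies it and counter-signs, and a server later checks both signatures before treating the contract as a token. The `Offer` field set, the use of Ed25519, JSON as the canonical byte form, and the fixed key seeds are all assumptions made for this illustration; the real contract format is the subject of a later post.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Offer is the contract proposal the offerer puts on the table.
// The field set is an assumption for this example, not the CX contract format.
type Offer struct {
	Offerer  string `json:"offerer"`
	Acceptor string `json:"acceptor"`
	Terms    string `json:"terms"`
}

// SignedOffer is the offer plus the offerer's signature over its canonical bytes.
type SignedOffer struct {
	Offer      Offer  `json:"offer"`
	OffererSig []byte `json:"offerer_sig"`
}

// Contract is the established agreement: the signed offer, counter-signed by the acceptor.
type Contract struct {
	SignedOffer SignedOffer `json:"signed_offer"`
	AcceptorSig []byte      `json:"acceptor_sig"`
}

// canonical returns the bytes that get signed. json.Marshal of a struct emits
// fields in declaration order, so both parties derive identical bytes.
func canonical(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err) // the struct types above cannot fail to marshal
	}
	return b
}

// SignOffer is the offerer's step: the signature gives integrity (the acceptor
// cannot alter the offer) and non-repudiation (the offerer cannot disown it).
func SignOffer(offererPriv ed25519.PrivateKey, o Offer) SignedOffer {
	return SignedOffer{Offer: o, OffererSig: ed25519.Sign(offererPriv, canonical(o))}
}

// VerifyOffer is what the acceptor must do before agreeing: confirm the offer
// it is reading is exactly what the offerer signed.
func VerifyOffer(offererPub ed25519.PublicKey, so SignedOffer) bool {
	return ed25519.Verify(offererPub, canonical(so.Offer), so.OffererSig)
}

// CounterSign establishes the contract. The acceptor signs the offer together
// with the offerer's signature, so the countersignature is bound to that
// specific signed proposal rather than to the offer text alone.
func CounterSign(acceptorPriv ed25519.PrivateKey, so SignedOffer) Contract {
	return Contract{SignedOffer: so, AcceptorSig: ed25519.Sign(acceptorPriv, canonical(so))}
}

// VerifyContract is what a server does when the contract is later presented as
// a token: both signatures must verify over the same bytes.
func VerifyContract(offererPub, acceptorPub ed25519.PublicKey, c Contract) bool {
	if !VerifyOffer(offererPub, c.SignedOffer) {
		return false
	}
	return ed25519.Verify(acceptorPub, canonical(c.SignedOffer), c.AcceptorSig)
}

// Demo runs the exchange with constructed keys and returns
// (contract verifies, tampered offer rejected, foreign countersignature rejected).
func Demo() (bool, bool, bool) {
	// Constructed, fixed seeds so the run is reproducible; real deployments generate keys randomly.
	offererPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	acceptorPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	otherPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{3}, ed25519.SeedSize))
	offererPub := offererPriv.Public().(ed25519.PublicKey)
	acceptorPub := acceptorPriv.Public().(ed25519.PublicKey)

	offer := Offer{Offerer: "op.example", Acceptor: "rp.example", Terms: "share email for 30 days"}
	so := SignOffer(offererPriv, offer)

	// Happy path: the acceptor verifies the offer, then counter-signs.
	contractOK := false
	if VerifyOffer(offererPub, so) {
		contractOK = VerifyContract(offererPub, acceptorPub, CounterSign(acceptorPriv, so))
	}

	// Integrity: editing the terms after the offerer signed breaks the signature.
	tampered := so
	tampered.Offer.Terms = "share email forever"
	tamperedRejected := !VerifyOffer(offererPub, tampered)

	// A countersignature from a key other than the acceptor's does not establish a contract.
	otherRejected := !VerifyContract(offererPub, acceptorPub, CounterSign(otherPriv, so))

	return contractOK, tamperedRejected, otherRejected
}

func main() {
	ok, tamperedRejected, otherRejected := Demo()
	fmt.Printf("contract verifies: %v, tampered offer rejected: %v, foreign countersign rejected: %v\n",
		ok, tamperedRejected, otherRejected)
}
```

The design choice worth noting is that the acceptor signs the whole signed offer, not just the offer text: a server that later receives the contract can then tell exactly which signed proposal was agreed to, and neither party can substitute a different offer under the same countersignature.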
So, now you understand: there are two important parts in CX.
1) Contract Format
2) Protocol to exchange signed contract.
Of the two, 2) is actually the easier, as I mentioned above.
In the following posts, I will talk about each.