OK. Then, let us start it. What would be the process? Starting WG takes at least 6 weeks and holding the discussion back for the period does not make much sense.
=nat On Fri, Aug 14, 2009 at 2:05 AM, David Recordon <[email protected]> wrote: > I think that it is more of a description of the current state, though if > changed it blurs the difference between OpenID and OAuth even more. It's > worth trying out though. > --David > > On Aug 13, 2009, at 9:05 AM, Nat Sakimura wrote: > > Is this "indirectness" a philosophy or just a description of the current > state? It is not only me who wants to do artifact binding, and it is much > simpler than doing both OpenID and OAuth. > > =nat > > On Fri, Aug 14, 2009 at 12:39 AM, Andrew Arnott <[email protected]>wrote: > >> OpenID extensions must be carried by indirect messages (through the >> browser). If you're looking for ways for server-to-server communication to >> get attributes, I suggest you look at OAuth. Specifically perhaps the >> OpenID+OAuth extension, which could enable the RP to send the request >> directly to the OP for these large payloads you're talking about. >> -- >> Andrew Arnott >> "I [may] not agree with what you have to say, but I'll defend to the death >> your right to say it." - S. G. Tallentyre >> >> >> On Thu, Aug 13, 2009 at 8:03 AM, Nat Sakimura <[email protected]> wrote: >> >>> Hmmm. So, there is no way we can do direct communication in an >>> extension? What I want to do is to send the large payload directly >>> between the servers and move only the reference through OpenID Authn request >>> and response so that >>> >>> 1) mobile clients will not choke. >>> 2) is going to be more secure. >>> >>> In AX, there is a notion of update_url, but is that also used only for >>> indirect communication through browser? >>> >>> I feel that it is extremely limiting if we cannot do the server to server >>> communication. >>> >>> If that is not a possibility, then I should probably do the server to >>> server portion elsewhere, and just do the reference/artifact moving through >>> OpenID AuthN, but that sounds like OpenID strangling itself. >>> >>> =nat >>> >>> On Thu, Aug 13, 2009 at 11:01 PM, James Henstridge >>> <[email protected]>wrote: >>> >>>> On Thu, Aug 13, 2009 at 8:05 AM, Nat Sakimura<[email protected]> >>>> wrote: >>>> > I blogged bout the subject here: >>>> > http://www.sakimura.org/en/modules/wordpress/index.php?p=91 >>>> > >>>> > What would be the consensus here? >>>> >>>> My reading of the spec (and what I believe is the author's intent) is >>>> that OpenID extensions do indeed piggyback on an authentication >>>> request. The note about including the extension's type URI in XRDS is >>>> a way that an OpenID provider can advertise support for the extension. >>>> >>>> Note that in OpenID 2.0, sending openid.identifier in an >>>> authentication request is optional. So you could potentially use an >>>> extension without actually authenticating as a particular user. From >>>> section 9.1: >>>> >>>> """ >>>> "openid.claimed_id" and "openid.identity" SHALL be either both present >>>> or both absent. If neither value is present, the assertion is not >>>> about an identifier, and will contain other information in its >>>> payload, using extensions (Extensions). >>>> """ >>>> >>>> James. >>>> >>> >>> >>> >>> -- >>> Nat Sakimura (=nat) >>> http://www.sakimura.org/en/ >>> >>> _______________________________________________ >>> specs mailing list >>> [email protected] >>> http://lists.openid.net/mailman/listinfo/openid-specs >>> >>> >> > > > -- > Nat Sakimura (=nat) > http://www.sakimura.org/en/ > _______________________________________________ > specs mailing list > [email protected] > http://lists.openid.net/mailman/listinfo/openid-specs > > > -- Nat Sakimura (=nat) http://www.sakimura.org/en/
_______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
