RE: Tiny RDF Schema at openid.net?
I'm not an RDF/OWL expert, though that looks reasonable to me. How do we deal with Auth 1.x which uses openid.server and openid.delegate versus Auth 2.0 which uses openid2.provider and openid2.local_id?

--David

-----Original Message-----
From: Benjamin Nowack [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 29, 2007 10:13 AM
To: Recordon, David; Scott Kveton; specs@openid.net
Cc: [EMAIL PROTECTED]
Subject: RE: Tiny RDF Schema at openid.net?

On 29.01.2007 07:53:15, Recordon, David wrote:
> I'd be happy to do it; I think we were talking about using xmlns.openid.net/foo as a format.

Awesome :)

> I think the next step would be sending a copy of the RDF file for people here to look over. :)

I've attached a draft which contains already some nice2haves (e.g. the OWL and isDefinedBy bits which may be helpful but are not strictly necessary), I'm not 100% sure about the prose, and I guess DanC will have a comment or two as well.

(The resource/about/ID attributes work similar to HTML's href/id, they use the doc's URL as base, i.e. if the file was published at http://xmlns.openid.net/auth, the full term URIs would be http://xmlns.openid.net/auth#server etc.)

[[[
<?xml version="1.0"?>
<rdf:RDF
  xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
  xmlns:owl="http://www.w3.org/2002/07/owl#">

  <owl:Ontology rdf:about="">
    <rdfs:label>OpenID Authentication Schema</rdfs:label>
    <owl:versionInfo>2007-01-29</owl:versionInfo>
    <rdfs:comment>
      A basic schema for core OpenID authentication terms.
    </rdfs:comment>
  </owl:Ontology>

  <rdf:Property rdf:ID="server">
    <rdf:type rdf:resource="http://www.w3.org/2002/07/owl#ObjectProperty"/>
    <rdfs:label>server</rdfs:label>
    <rdfs:comment>
      The OpenID Identity Provider to be used for authentication.
    </rdfs:comment>
    <rdfs:isDefinedBy rdf:resource="http://openid.net/specs/openid-authentication-1_1.html" />
  </rdf:Property>

  <rdf:Property rdf:ID="delegate">
    <rdf:type rdf:resource="http://www.w3.org/2002/07/owl#ObjectProperty"/>
    <rdfs:label>delegate</rdfs:label>
    <rdfs:comment>
      The delegated OpenID Identifier to be used for authentication.
    </rdfs:comment>
    <rdfs:isDefinedBy rdf:resource="http://openid.net/specs/openid-authentication-1_1.html" />
  </rdf:Property>

</rdf:RDF>
]]]

Best,
Ben

> Thanks,
>
> --David
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Kveton
> Sent: Monday, January 29, 2007 7:42 AM
> To: Benjamin Nowack; specs@openid.net
> Cc: [EMAIL PROTECTED]
> Subject: Re: Tiny RDF Schema at openid.net?
>
> With just a quick look at this, it seems like a good idea. I'd like to see it happen somehow. Anybody see any problems with doing this?
>
> - Scott
>
> On 1/29/07 2:13 AM, Benjamin Nowack [EMAIL PROTECTED] wrote:
>
> > Hi,
> >
> > I was wondering if you guys could be persuaded to host a little RDF Schema file on the openid.net site. As far as I can tell, there is great support for OpenID among SemWeb folks as it can be combined with things like FOAF for all sorts of cool applications.
> >
> > People recently started to write RDF extractors for the OpenID hooks embedded in HTML (openid.server/delegate). As these hooks are in line with the Dublin Core guidelines [1], there are even multiple ways to do this. The only thing we're missing for more widespread use is an agreed-on namespace URI for the core openID terms (server and delegate). And ideally this would be an openid.net one.
> >
> > So here is my request: any chance we could put a little RDF Schema file on the openid server? We would of course provide the file (it'd be just 5-10 lines of XML), and the actual URL/path doesn't really matter.
> >
> > An alternative could be to host it in some other stable URI space, Dan Connolly (CC'd) might be able to provide one at w3.org, not sure. It would be cool to get your blessing either way, though.
> >
> > Cheers in advance for perhaps considering it,
> > Ben
> >
> > --
> > Benjamin Nowack
> > Kruppstr. 100
> > 45145 Essen, Germany
> > http://www.bnode.org/
> >
> > [1] http://www.dublincore.org/documents/dcq-html/

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

RE: OpenID Auth 2.0 security considerations
Is there a wiki page that exists to point to? Josh and Johnny, see any issues with this? Also any wording to propose, Johannes?

Thanks,
--David

-----Original Message-----
From: Johannes Ernst [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 23, 2007 12:57 PM
To: Recordon, David
Cc: specs@openid.net
Subject: Re: OpenID Auth 2.0 security considerations

Given where we are in time, I would suggest to make the smallest amount of changes possible to the document, i.e. leave everything as is, just add this one link.

On Jan 23, 2007, at 11:59, Recordon, David wrote:

> I don't see a problem with that. Would you propose the majority of the security considerations section in the current draft be moved to the wiki? What would be the balance between spec and wiki page?
>
> --David
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Johannes Ernst
> Sent: Monday, January 22, 2007 12:15 PM
> To: specs@openid.net
> Subject: OpenID Auth 2.0 security considerations
>
> What about a non-normative link from the spec to a place on the wiki where we can collect security considerations for it, and update those in real-time as discussions such as the phishing one progress.

Re: DRAFT 11 - FINAL?
The openid2.* links bug me a little.. but due to no openid.ns being defined in the 1.x protocol, maybe there is no other way to specify by HTML discovery that your OP is 2.0 capable.

Would it be bad to have an openid.version link instead?

Also, the spec mentions AJAX interactions, but I don't see how you can actually use AJAX with OpenID, since none of the responses are in XML format .. it relies entirely on GET or POST redirection, not to mention that you have to make cross-domain requests which XmlHttpRequest will not do without extra security privileges. (Or am I missing something?)

-Rowan

RE: DRAFT 11 - FINAL?
Yeah, I'm not a big fan of openid2.* though it was the simplest method of fixing up HTML discovery to work with multiple protocol versions. I know Josh thought about this more than I did though.

From what I've seen people do, it is AJAX between your server and application, then OpenID's checkid_immediate between the server and OP, with an AJAX response from your server to application.

--David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rowan Kerr
Sent: Tuesday, January 30, 2007 2:02 PM
To: specs@openid.net
Subject: Re: DRAFT 11 - FINAL?

The openid2.* links bug me a little.. but due to no openid.ns being defined in the 1.x protocol, maybe there is no other way to specify by HTML discovery that your OP is 2.0 capable.

Would it be bad to have an openid.version link instead?

Also, the spec mentions AJAX interactions, but I don't see how you can actually use AJAX with OpenID, since none of the responses are in XML format .. it relies entirely on GET or POST redirection, not to mention that you have to make cross-domain requests which XmlHttpRequest will not do without extra security privileges. (Or am I missing something?)

-Rowan

Re: DRAFT 11 - FINAL?
On 1/30/07, Recordon, David [EMAIL PROTECTED] wrote:
> Yeah, I'm not a big fan of openid2.* though it was the simplest method of fixing up HTML discovery to work with multiple protocol versions. I know Josh thought about this more than I did though.

1. Before authentication is initiated, the RP needs to determine what the protocol is. This could be done via discovery on the OP, but there has been general rejection of adding yet another discovery step.

2. A user may have one service that provides OpenID 1 and another that provides OpenID 2. If this is the case, then the version information needs to be bound to the link tag that contains the information.

Given (1), the information needs to be embedded in the HTML markup. Given (2), the information needs to be tied to the specific link tag.

For example:

  <link rel="openid.server" href="http://op.example.com/openid1">
  <link rel="openid2.provider" href="http://op.example.com/openid2">

vs.

  <link rel="openid.server" href="http://op.example.com/openid1">
  <link rel="openid.provider" href="http://op.example.com/openid2">
  <link rel="openid.protocol_version" href="http://specs.openid.net/auth/2.0">

While it is true that since the link relationship names changed, the openid2 is technically redundant, I think it is much clearer to everybody what is going on if the link relationship contains the version number. If the protocol version were to keep changing, I'd argue for a different solution.

Josh
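
The version-per-link-tag binding discussed in this thread, sketched as relying-party HTML discovery. This is an added example, not code from any poster or from the OpenID project. The version labels "1.x"/"2.0", the function names, the sample page, and the choices to read only links inside `<head>` and let the first link win are assumptions of the example.

```python
from html.parser import HTMLParser

# rel token -> (protocol version, field); the four rel names come from this thread.
REL_MAP = {
    "openid.server": ("1.x", "endpoint"),
    "openid.delegate": ("1.x", "local_id"),
    "openid2.provider": ("2.0", "endpoint"),
    "openid2.local_id": ("2.0", "local_id"),
}

# Constructed sample page: one identity URL advertising a 1.x and a 2.0 service.
SAMPLE = """<html><head>
<link rel="openid.server" href="http://op.example.com/openid1">
<link rel="openid.delegate" href="http://user.example.com/v1">
<link rel="openid2.provider" href="http://op.example.com/openid2">
</head><body><p>profile</p></body></html>"""

class OpenIDLinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.services = {}  # version -> {"endpoint": url, "local_id": url}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        if tag != "link" or not self.in_head:
            return  # ignore links outside <head>, e.g. in user-supplied body markup
        a = dict(attrs)
        for token in (a.get("rel") or "").lower().split():
            if token in REL_MAP and a.get("href"):
                version, field = REL_MAP[token]
                self.services.setdefault(version, {}).setdefault(field, a["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(html):
    parser = OpenIDLinkParser()
    parser.feed(html)
    return {v: s for v, s in parser.services.items() if "endpoint" in s}

def choose(html, supported=("2.0", "1.x")):
    services = discover(html)
    for v in supported:
        if v in services:
            return v, services[v]["endpoint"], services[v].get("local_id")
    return None
```

Because the version is carried by the rel name itself, the 1.x delegate is never paired with the 2.0 endpoint, and a 1.x-only relying party can call `choose(html, supported=("1.x",))` without any extra discovery step.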