PROTECTED] On
Behalf Of john kemp
Sent: Thursday, February 01, 2007 7:13 PM
To: Granqvist, Hans
Cc: OpenID specs list
Subject: Re: Proposal: An anti-phishing compromise
Granqvist, Hans wrote:
Proposed Change
===
Add a single, required, boolean field to the authentication response
Hi Josh,
In addition to the protocol parameter that you have proposed, I'd hope
that we can add something like what you wrote below as part of the
security considerations section of the OpenID 2.0 Auth specification, as
this text seems to capture quite succinctly the issues that RPs and OPs
Johnny Bufu wrote:
On 2-Feb-07, at 7:05 AM, George Fletcher wrote:
but I'm still not sure how this helps with the phishing problem. As
you pointed out John, the issue is a rogue RP redirecting to a rogue
OP. So the rogue OP just steals the credentials and returns whatever
it wants.
In
Josh Hoyt wrote:
On 2/2/07, john kemp [EMAIL PROTECTED] wrote:
Don't get me wrong - I think it's a good idea for the OP to make a
statement about the authentication method used (although I would prefer
it to say something like
authn_method=urn:openid:2.0:aqe:method:password, rather than
Dick Hardt wrote:
On 16-Nov-06, at 11:41 PM, Matt Pelletier wrote:
On Nov 17, 2006, at 1:24 AM, Dick Hardt wrote:
Hi John
So that a message can be more than 2K of data.
Is it possible to update the language so 1) we don't deprecate HTTP
redirects and 2) the form redirect method is
Dick Hardt wrote:
Supporting payloads larger than 2K is a requirement.
I guess I don't understand what this 2K limit is (and this is not
mentioned in the spec) - are you talking about limits on the URL size
when doing an HTTP GET?
yes
If so, why not use POST instead?
Now I am really
Hi,
Sorry I'm just reading this, but I just wanted to put in a point very
much in favour of NOT deprecating support for HTTP redirects in OpenID 2.0.
I'll note that requiring the user to press a 'submit' button to push
seems like a dodgy UI strategy. So then you require JavaScript to
produce a
in various lights and
have multiple names (roles!).)
FWIW,
Eve
John Kemp wrote:
Hi Drummond,
Drummond Reed wrote:
So why, indeed, is there so much interest in OpenID? I believe it's because
of the trust model. To the best of my knowledge, it is radically different
than the trust
] [mailto:[EMAIL PROTECTED] On Behalf
Of Recordon, David
Sent: Monday, November 06, 2006 11:46 AM
To: Dick Hardt; John Kemp; Patrick Harding
Cc: specs@openid.net
Subject: IdP vs OP (WAS: RE: Editors Conference Call)
I see both sides of this discussion. I think John is correct that the role
Dick Hardt wrote:
On 7-Nov-06, at 7:59 AM, John Kemp wrote:
I don't believe that trust is a differentiator between SAML
specifications and OpenID Authentication specifications.
It is AFAICT, in both cases, simply out of scope.
I should have been more clear, IdP is a Federation term
Eve L. Maler wrote:
On balance I prefer identity provider because
it's intuitive in an English sense, it's used in several technology
contexts (not just SAML and OpenID), and it avoids a terminological
branding that would otherwise seem to suggest a conceptual
divergence that doesn't --
Hi Dick,
It would be nice to see a clear definition of an OP in order to
determine the exact differences between such an entity and an IdP, but,
in the absence of such, some questions:
Dick Hardt wrote:
Thanks David! ;-)
Patrick, as you point out, Identity Provider is a well understood
Dick Hardt wrote:
It would be nice to see a clear definition of an OP in order to
determine the exact differences between such an entity and an IdP, but,
in the absence of such, some questions:
Dick Hardt wrote:
Thanks David! ;-)
Patrick, as you point out, Identity Provider is a well
13 matches