I am in full agreement. Indeed, the proposed charter for the WG has always
indicated that the deliverable would be a guidance document, not a separate
spec.
It should be up to the 2.1 authentication WG to later decide if the guidance
document should be published as a separate spec, or if instead i
Hey Breno,
I think this is a good point and judging from this thread already,
there seems to be a group of people really interested in working on
discovery for OpenID. If we can frame the working group in the right
way (David Fuelling framed it well as "I guess I'm more of the opinion
tha
Great feedback. I took the liberty to add this to the "Discussion Points"
on the wiki page.
http://wiki.openid.net/OpenID-Discovery
On Tue, Jun 9, 2009 at 8:43 PM, Allen Tom wrote:
> My primary concern with changing OpenID Discovery is the upgrade path to
> the new discovery mechanism. It took
My bad -- I errantly thought you were advocating the opposite.
On Tue, Jun 9, 2009 at 9:15 PM, Breno de Medeiros wrote:
> And I agree with you. My view is that in the absence of an OpenID discovery
> WG there will be _more_ uncertainty about future directions for the spec,
> not less.
>
>
And I agree with you. My view is that in the absence of an OpenID discovery
WG there will be _more_ uncertainty about future directions for the spec,
not less.
On Tue, Jun 9, 2009 at 2:13 PM, David Fuelling wrote:
> On Tue, Jun 9, 2009 at 7:09 PM, Breno de Medeiros wrote:
>
>> If we start the pr
On Tue, Jun 9, 2009 at 7:09 PM, Breno de Medeiros wrote:
> If we start the process to form a WG for discovery now, most likely the
> process would only be completed in 6 months, even if there was considerable
> agreement and stable technologies to draw from.
>
> Right now, there is quite a bit of
On Tue, Jun 9, 2009 at 7:00 PM, Santosh Rajan wrote:
>
> We need to remember that XRD only addresses discovery for URL identifiers.
This is not really true. The XRD document schema only demands that an
identifier be a URI, both for the XRD document's "subject" (i.e., the
canonical-id) and the X
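The point Breno makes above, that an XRD Subject is any URI rather than only an http(s) URL, is easy to check against a real descriptor. The following is an added example written for this thread, not code from the OpenID lists or the XRI TC: it parses a small XRD, accepts an `acct:` subject, rejects a bare identifier with no scheme, and then pulls the OpenID endpoint from the `Link` elements. The sample documents are constructed, and the `rel` value used for the OpenID endpoint is an assumption the thread does not make.

```python
"""Minimal XRD (Extensible Resource Descriptor) reader for OpenID-style
discovery.

Added example for this thread, not code from the OpenID lists or the XRI TC.
The sample documents are constructed, and the rel value used for the OpenID
endpoint is an assumption.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"

# Assumed link relation for an OpenID endpoint; the thread names none.
OPENID_REL = "http://specs.openid.net/auth/2.0/server"

# Constructed sample: subject is an acct: URI, endpoint is https.
SAMPLE_ACCT = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>acct:alice@example.com</Subject>
  <Alias>https://example.com/alice</Alias>
  <Link rel="http://specs.openid.net/auth/2.0/server"
        href="https://openid.example.com/endpoint"/>
  <Link rel="describedby" href="https://example.com/alice.xrd"/>
</XRD>
"""

# Constructed sample: same descriptor, but the endpoint is plain http.
SAMPLE_HTTP = SAMPLE_ACCT.replace("https://openid.example.com",
                                  "http://openid.example.com")

# Constructed sample: bare identifier that is not a URI (no scheme at all).
SAMPLE_BAD_SUBJECT = SAMPLE_ACCT.replace("acct:alice@example.com",
                                         "alice@example.com")


def is_uri(value):
    """True if value carries a URI scheme (http, https, acct, mailto, xri...)."""
    parsed = urlparse(value)
    return bool(parsed.scheme) and (bool(parsed.netloc) or bool(parsed.path))


def parse_xrd(xml_text):
    """Return subject, aliases and (rel, href) links; reject a non-URI Subject.

    xml.etree does not fetch external entities, but for untrusted input in
    production use defusedxml or another hardened parser.
    """
    root = ET.fromstring(xml_text)
    if root.tag != XRD_NS + "XRD":
        raise ValueError("not an XRD document: %s" % root.tag)
    subj = root.find(XRD_NS + "Subject")
    subject = subj.text.strip() if subj is not None and subj.text else ""
    if not is_uri(subject):
        raise ValueError("XRD Subject must be a URI, got %r" % subject)
    aliases = [a.text.strip() for a in root.findall(XRD_NS + "Alias") if a.text]
    links = [(link.get("rel"), link.get("href"))
             for link in root.findall(XRD_NS + "Link")]
    return {"subject": subject, "aliases": aliases, "links": links}


def openid_endpoint(descriptor, require_https=True):
    """Pick the OpenID endpoint link.

    By default refuse a non-https endpoint: a descriptor fetched securely
    must not steer the authentication request to a plaintext URL.
    """
    for rel, href in descriptor["links"]:
        if rel == OPENID_REL and href:
            if require_https and urlparse(href).scheme != "https":
                raise ValueError("OpenID endpoint is not https: %s" % href)
            return href
    return None


def discover(xml_text, require_https=True):
    """Parse and select in one step; return (endpoint, error) instead of raising."""
    try:
        return openid_endpoint(parse_xrd(xml_text), require_https), None
    except (ET.ParseError, ValueError) as exc:
        return None, str(exc)


if __name__ == "__main__":
    for name, doc in (("acct", SAMPLE_ACCT), ("http", SAMPLE_HTTP),
                      ("bad-subject", SAMPLE_BAD_SUBJECT)):
        print(name, "->", discover(doc))
```

The `require_https` check is the part worth keeping whatever the final discovery format turns out to be: the identifier may be any URI, but the endpoint the descriptor hands you is where the actual authentication traffic goes.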
David,
Great questions -- see my thoughts/opinions inline...
david
On Tue, Jun 9, 2009 at 6:36 PM, David Recordon wrote:
> Hey David, I've been following some of the discovery work the past few
> months, but don't have a clear picture if the various components are
> actually solid enough to beg
From: David Fuelling
Date: June 9, 2009 10:07:20 AM PDT
To: Allen Tom
Cc: secur...@openid.net, gene...@openid.net
Subject: Re: [security] OpenID Security Best Practi
If we start the process to form a WG for discovery now, most likely the
process would only be completed in 6 months, even if there was considerable
agreement and stable technologies to draw from.
Right now, there is quite a bit of momentum and excitement about Webfinger.
The XRI TC is hoping to pu
> Thoughts?
>
> Thanks,
> --David
>
> Begin forwarded message:
>
>> From: David Fuelling
>> Date: June 9, 2009 10:07:20 AM PDT
>> To: Allen Tom
>> Cc: secur...@openid.net, gene...@openid.net
>> Subject: Re: [security] OpenID Security Best Prac
my belief that we're
still just not ready to redefine how OpenID's discovery process should
work.
Thoughts?
Thanks,
--David
Begin forwarded message:
From: David Fuelling
Date: June 9, 2009 10:07:20 AM PDT
To: Allen Tom
Cc: secur...@openid.net, gene...@openid.net
Subject: Re: [
Likewise, the protocol can be defined as weak where someone may
apply additive security on top of it. Kinda like doing SMTP over TLS
and/or S/MIME.
Is that what Ben Laurie meant in the footnote?
http://openid.net/pipermail/security/2008-August/000404.html
A given implementation of OpenID *might
-Original Message-
From: Peter Watkins [mailto:pet...@tux.org]
Sent: Friday, February 06, 2009 8:29 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: OpenID Security
>> What do you mean, "the" implementation? There is no "the" implementation
On Fri, Feb 06, 2009 at 03:43:30PM -0500, McGovern, James F (HTSC, IT) wrote:
> 2. Which is worse, having to sort through false positives or to not
> perform static analysis at all and have OpenID fail once some bad guy
> busts the implementation so badly that everyone runs away from OpenID?
What
> Security Compass (http://www.securitycompass.com) Artec
> (http://www.artecgroup.net) and Cigital (http://www.cigital.com)
>
> Date: Thu, 5 Feb 2009 15:48:06 -0500
> From: Darren Bounds
> Subject: Re: OpenID Security
> To: "McGovern, James F (HTSC, IT)"
> Cc: specs@openid.ne
Date: Thu, 5 Feb 2009 15:48:06 -0500
From: Darren Bounds
Subject: Re: OpenID Security
To: "McGovern, James F (HTSC, IT)"
Cc: specs@openid.net
Message-ID:
<26563eca0902051248o446aa21br23aeb19f743ae...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
I do not believe OWASP presently does any a
>> don't have to worry
>> about licensing as OWASP (http://www.owasp.org) will scan at no cost...
>>
>> ------
>>
>> Message: 1
>> Date: Fri, 6 Feb 2009 01:34:33 +0900
>> From: Nat Sakimura
>> Subject: Re: OpenID Security
>> To: "McGovern, James F (HTSC, IT)
Yes. I think the protocol testing site idea is already on the table.
=nat
On Fri, Feb 6, 2009 at 7:34 AM, SitG Admin wrote:
>> If OIDF wants to certify something, it should certify compliance to the
>> OpenID standard.
>
> +1; different parties employing OpenID might have/practice/need different
If OIDF wants to certify something, it should certify compliance to the
OpenID standard.
+1; different parties employing OpenID might have/practice/need
different security standards, too (let the first people to want
OWASP, submit the libraries they're thinking of using to OWASP).
-Shade
On Fri, Feb 06, 2009 at 01:34:33AM +0900, Nat Sakimura wrote:
> It might be worthwhile for somebody like OIDF to buy a
> license and run a certification program out of it.
If OIDF wants to certify something, it should certify compliance to the
OpenID standard. It would be good for OIDF to make an
.org) will scan at no cost...
>
> --
>
> Message: 1
> Date: Fri, 6 Feb 2009 01:34:33 +0900
> From: Nat Sakimura
> Subject: Re: OpenID Security
> To: "McGovern, James F (HTSC, IT)"
> Cc: specs@openid.net
> Message-ID:
>
> Content-Type: text
Subject: Re: OpenID Security
To: "McGovern, James F (HTSC, IT)"
Cc: specs@openid.net
Message-ID:
Content-Type: text/plain; charset=ISO-8859-1
Yeah. Fortify is nice. I do not know what would be the licensing terms
now, but before, it used to have a "traveling" kind of license
Yeah. Fortify is nice. I do not know what would be the licensing terms
now, but before, it used to have a "traveling" kind of license that
allowed consultants to do the evaluation for the projects of their
customers. It might be worthwhile for somebody like OIDF to buy a
license and run a certifica
OpenID certainly has security features but are all the libraries out
there written to secure coding practices? Wouldn't it be great if all
the library creators could have their code reviewed for security
defects? Check out http://owasp.fortify.com/