Allowing sites to renew information
Having watched a Simon Willison presentation on OpenID, I had the following idea, which I present for your consideration:

If you log in to a site using OpenID, and it requests access to your information (e.g. postcode) using the Simple Registration Extension, and you grant it, then it should be possible for the site to re-get that information at the time of any future login without needing to ask you.

This solves the "I've moved; now I need to update my address preferences with 40 different e-commerce sites by hand" problem.

If this is possible at the moment, my apologies for wasting your time. Please CC me on any replies; I am not subscribed to the list.

Gerv

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
Re: Request for comments: Sorting fields in signature generation
On 9/26/06, Barry Ferg [EMAIL PROTECTED] wrote:
> The signature generation algorithm specifies that the fields to be signed be ordered in byte order form. It seems to be implied that the ordering is based on using the field names as sorting keys

I think the real topic of this discussion is whether or not multiple parameters with the same name should be allowed by the specification. I *strongly* prefer tightening the specification by *disallowing* duplicate parameter names. PHP is one environment in which the implementation will be problematic, but other common environments (e.g. Rails) do not easily support this idiom. There is *no deployed code* that depends on duplicated parameter names, and I'd like to keep it that way. Keep it simple if possible.

I agree that the language in the specification should be clarified so that the sort order is fully explicit. I would resolve this issue by stating that the pairs must be sorted by key.

> On another note: Pass-through (or echo) parameters and potentially some OpenID extension parameters may include fields with multiple values in order to communicate arrays of data, etc.

Attribute exchange and other extensions can *easily* be designed not to require multiple parameters with the same name. Pass-through parameters are *not part of any OpenID specification.* Even if they were, I don't think it would be too great of a restriction to disallow duplicate parameter names.

Josh
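The rule argued for in the message above (sort the pairs by key, refuse duplicate parameter names) as an added example; it is not part of the original thread or of any OpenID specification text. The `key:value` line encoding, the use of HMAC-SHA256, and all function names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl


class DuplicateParameter(ValueError):
    """A parameter name occurred more than once in the message."""


def parse_unique(query: str) -> dict:
    """Parse a query string, refusing repeated parameter names."""
    fields = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in fields:
            # Frameworks disagree on which duplicate wins, so signer and
            # verifier could sign different values. Reject instead.
            raise DuplicateParameter(name)
        fields[name] = value
    return fields


def signing_input(fields: dict) -> bytes:
    """Serialise as key:value lines, sorted by the UTF-8 bytes of the key."""
    lines = []
    for name in sorted(fields, key=lambda k: k.encode("utf-8")):
        value = fields[name]
        if ":" in name or "\n" in name or "\n" in value:
            raise ValueError("field cannot be encoded unambiguously: %r" % name)
        lines.append(name.encode("utf-8") + b":" + value.encode("utf-8") + b"\n")
    return b"".join(lines)


def sign(query: str, secret: bytes) -> str:
    data = signing_input(parse_unique(query))
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def verify(query: str, secret: bytes, expected: str) -> bool:
    try:
        actual = sign(query, secret)
    except ValueError:  # includes DuplicateParameter
        return False
    return hmac.compare_digest(actual, expected)


# Constructed sample data, not taken from any real exchange.
SECRET = b"constructed-shared-secret"
ID = "openid.identity=http%3A%2F%2Fexample.org%2Falice"
ORDER_A = "openid.mode=id_res&" + ID + "&openid.return_to=http%3A%2F%2Frp.example%2Fcb"
ORDER_B = "openid.return_to=http%3A%2F%2Frp.example%2Fcb&openid.mode=id_res&" + ID
DUPLICATED = ORDER_A + "&openid.identity=http%3A%2F%2Fexample.org%2Fother"
```

Because the pairs are sorted by key before signing, `ORDER_A` and `ORDER_B` yield the same signature, while `DUPLICATED` is refused before any signature is computed.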
Re: Allowing sites to renew information
Good point David, I was referring to school of thought #1. #2 should certainly be possible with AX as well.

On 26-Sep-06, at 3:58 PM, Recordon, David wrote:
> I think that is slightly different from what Gerv was referring to. With Simple Registration, there is nothing stopping a relying party from requesting the email address with every authentication request. Most implementations however don't seem to do this, rather only request data if they don't have it.
>
> In a sense, I think there are two schools of thought:
> 1) IdP pushes new data to each RP
> 2) Each RP pulls new data in each authentication request
>
> In a sense, I think the IdP pushing data is more robust. If you update your email address in your IdP, I'd imagine it would have tracked what RPs you've given it to, and then offer to send the updated address to them.
>
> In the end though, I don't think this is something specifications will necessarily dictate. Rather I'd hope to see the specs support both methods and then implementations choose what is best given their requirements.
>
> --David
RE: Request for comments: Sorting fields in signature generation
Well, then +1 to disallowing such multiplicity!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Josh Hoyt
Sent: Tuesday, September 26, 2006 4:15 PM
To: Granqvist, Hans
Cc: Barry Ferg; specs@openid.net
Subject: Re: Request for comments: Sorting fields in signature generation

On 9/26/06, Granqvist, Hans [EMAIL PROTECTED] wrote:
> Does this problem exist if SIGNALL goes away?

If there are multiple parameters with the same name, the problem is there, with or without SIGNALL, unfortunately.

Josh
Re: Request for comments: Sorting fields in signature generation
On 9/26/06, Marius Scurtescu [EMAIL PROTECTED] wrote:
> > Pass-through parameters are *not part of any OpenID specification.*
>
> They are not, but in order to be able to pass them through you have to be able to deal with them. Also, you may have to sign them as well.

No one has written a proposal for pass-through arguments and it's not in any specification, so it's hard to answer your objection. If someone were to propose adding pass-through parameters to the specification, I would argue that:

a) Including the pass-through arguments in the OpenID signature is not necessary (or constructive!)
b) It is quite reasonable to restrict them to only one value per parameter name.

Josh