... the full
proposal on the OpenID wiki:
<http://www.lifewiki.net/openid/SeparateIdentifierFromIdPToken>
I like this. The so-called "normal" case is an
optimization. Optimizations done for the convenience of computers
should be hidden from users.
Cordially, Joaquin
I think the 2.0 spec extension mechanism could handle signed
credentials. For example, "credentials=" where is of
a (string) format that contains a type + signature, say
credentials=OATHVIP:WW91IGhhZCB0byBjaGVjaywgZGlkbid0IHlvdT8gOyk=
The format could also further specify mechanism types,
signe
Dick Hardt wrote:
>
> I think "Token" is not a good name, so many other meanings. Perhaps
> "handle"?
>
I agree that "token" is not the best name. "handle" is still not that
specific, but at least it isn't used in too many other places.
(We do already have an "assoc_handle", however.)
Dick Hardt wrote:
> I like making all identifiers work the same way. The wording around
> directed identity is somewhat confusing. Would be clearer if there
> was a complete description of what happened. ie. complete the
> transaction. In Directed Identity, the RP needs to do discovery on
>
What does Liberty call it?
(Gabe ducks..)
Some humor for a Friday...
-Gabe
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of Martin Atkins
> Sent: Friday, October 06, 2006 9:42 AM
> To: specs@openid.net
> Subject: Re: [PROPOSAL] Separate Pub
Chris Drake wrote:
> Hi All,
>
> 1. Amazon asks the IdP "Please assert this user is not a Robot"
> How can it trust this occurred?
>
> 2. Amazon asks the IdP "Please re-authenticate this user, via
>two-factor, two-way strong authentication"
> How can it trust *this* occurred?
>
> The I
Dick Hardt wrote:
> On 5-Oct-06, at 4:41 PM, Josh Hoyt wrote:
>
>> On 10/5/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
>>> I think you missed my message arguing why it was important and that
>>> being part of the return_to URL made it hard for the functionality to
>>> be contained in the library
>>
Behavior needs to be specified before it can be recommended.
So the spec MUST specify how to deal with the multiple
parameters before it can set the use thereof as NOT
RECOMMENDED.
Hans
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Recordon,
On 10/6/06, Martin Atkins <[EMAIL PROTECTED]> wrote:
> * The IdP returns a document naming its authentication endpoint (in the
> "URI" field) and a special anonymous token as openid:Token. openid:Token
> may be the same as the public identifier from the previous step, but
> this is not required.
A
+1. Josh is right. Ultimately there are three identifiers involved in all
interactions between the User, the RP, and the IdP:
1) User-Presented-Identifier (UPI): the identifier entered by the User at
the RP.
2) RP-Persisted-Identifier (RPI): the identifier that will be persisted by
the RP in orde
Hi Martin,
This is getting very close to what I believe is the main important
thing we need in the spec to facilitate privacy, true SingleSignOn,
and to help avoid confusing users by getting them to key IdP URLs.
The only "tweak" I would like to see is right at the start, and is
implemented using
On Fri, 2006-10-06 at 13:26 +1000, Chris Drake wrote:
> Is my understanding accurate: OpenID is unable to support single sign
> on. If not - let's assume it's 9am. I just signed on. I can visit
> RP#1 then RP#2 then RP#3 and go back and forth all day without
> hindrance, until I next sign off - y
On Thu, 2006-10-05 at 18:08 -0700, Marius Scurtescu wrote:
> The only problem it seems to solve is that of vanity identifiers.
> Switching IdPs where you had an IdP issued identity for the original
> IdP does not seem to be possible, you have no control over that
> original identity so you c
I'd like to amend my proposal for changing the delegation mechanism:
Revised Proposal
As it stands, "openid.identity" is the identifier by which the IdP
knows the user. There is no parameter by which the RP knows the user.
I propose to add a field called "openid.rp_user_id" in "
CHRIS DRAKE'S PROPOSED FLOW
1) User *enters* UPI, but a Discovery Agent intercepts this: UPI does
*not* get posted to RP
2) Discovery Agent sends UPI to IdP
3) IdP authenticates against UPI
4) IdP selects appropriate RP-specific IPI
5) IdP initiates authentication with RP using IPI
Kind Reg
> ...
> Revised Proposal
>
>
> As it stands, "openid.identity" is the identifier by which
> the IdP knows the user. There is no parameter by which the RP
> knows the user.
>
> I propose to add a field called "openid.rp_user_id" in
> "checkid_*" and "id_res" that defaults to "o
In a conversation with Chris Drake, I realized that I don’t
know definitively if IdP-initiated login is supported in OpenID Authentication
2.0.
In other words, can a user just login to their IdP/i-broker,
then follow “OpenID-enabled bookmarks” they have stored there to
be directly logg
On Fri, 2006-10-06 at 12:30 -0700, Drummond Reed wrote:
In other words, can a user just login to their IdP/i-broker, then follow “OpenID-enabled bookmarks” they have stored there to be directly logged in to sites where the user has logged in before?
[...]
(I suspect this may be par
From http://www.lifewiki.net/openid/SeparateIdentifierFromIdPToken
(change #3):
> Impact on XRI-based auth:
>
> An XRI is, for this purpose, a URI that can be resolved into a URL at
> which we can do Yadis discovery. Once Yadis discovery begins, flow
> continues as in the original proposal, where
Kevin, thanks for confirming that this
functionality would be supported by the “bare response” proposal.
In that case, +1 for the bare response
proposal being in 2.0, as I think it would be a really valuable feature for IdPs
to offer (I know XRI i-brokers want it).
=Drummond
+1 to Kevin's point here -- no second discovery step is needed with an XRI.
=Drummond
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Kevin Turner
Sent: Friday, October 06, 2006 1:58 PM
To: specs@openid.net
Subject: Re: [PROPOSAL] Separate Public Identif
On 10/6/06, Granqvist, Hans <[EMAIL PROTECTED]> wrote:
> Can you propose this in terms of diffs to the current draft so
> it is glaringly obvious what the proposal means?
Sure.
> Also, I think this "diffs to current draft" can be most useful
> for all proposals as it cuts through the various sema
Josh,
This is very cool. Adding openid.rp_user_id would give us an unambiguous way
to represent what I called the RPI in my earlier message:
IPI = IdP-Persistent-Identifier = openid.identity
RPI = RP-Persistent-Identifier = openid.rp_user_id
It doesn't address the third identifier, which I calle
On Tue, 2006-10-03 at 19:42 -0700, Dick Hardt wrote:
> On 2-Oct-06, at 12:34 PM, Kevin Turner wrote:
> > On Sat, 2006-09-30 at 20:09 -0400, Dick Hardt wrote:
> >> Motivating Use Case
> >>
> >> The IdP would like to allow the user to click a link on the IdP to
> >> login
> Do you mean literal Unix-style diffs or a human-readable set
> of changes to section numbers?
I'd personally prefer the former, but I would settle for the
latter.
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
Well that is something that if the spec dictates where to place/format a
request nonce, an IdP could recognize and remove it. I do agree though
that it is getting close to having too many implications.
--David
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behal
Let me play the dumb customer here and say:
* A whole lot of real-world users would love OpenID-enabled bookmarks.
* A whole lot of websites would love to offer them.
* A whole lot of IdPs would love to provide them.
Translation: it would be really good for adoption.
So if there's a way to desi
Thanks, Hans, I'm getting better educated on 2.0 every day.
=Drummond
-Original Message-
From: Granqvist, Hans [mailto:[EMAIL PROTECTED]
Sent: Friday, October 06, 2006 9:21 AM
To: Drummond Reed; Chris Drake
Cc: specs@openid.net
Subject: RE: Re[2]: Strong Authentication (was [PROPOSAL] aut
On Fri, 2006-10-06 at 16:34 -0700, Drummond Reed wrote:
> Let me play the dumb customer here and say:
>
> * A whole lot of real-world users would love OpenID-enabled bookmarks.
> * A whole lot of websites would love to offer them.
> * A whole lot of IdPs would love to provide them.
Okay Customer
Kevin Turner wrote:
> From http://www.lifewiki.net/openid/SeparateIdentifierFromIdPToken
> (change #3):
>> Impact on XRI-based auth:
>>
>> An XRI is, for this purpose, a URI that can be resolved into a URL at
>> which we can do Yadis discovery. Once Yadis discovery begins, flow
>> continues as in t
>> On Fri, 2006-10-06 at 16:34 -0700, Drummond Reed wrote:
>> Let me play the dumb customer here and say:
>>
>> * A whole lot of real-world users would love OpenID-enabled bookmarks.
>> * A whole lot of websites would love to offer them.
>> * A whole lot of IdPs would love to provide them.
>
>Kevi
At David's suggestion, to make it easier to follow, I've posted what I
believe is a consolidated delegate proposal at:
http://www.lifewiki.net/openid/ConsolidatedDelegationProposal
This incorporates Josh's original, Martin's, Josh's amendment, and my
amendment to Josh's.
Josh and Martin
KT> On Fri, 2006-10-06 at 16:34 -0700, Drummond Reed wrote:
>> Let me play the dumb customer here and say:
>>
>> * A whole lot of real-world users would love OpenID-enabled bookmarks.
>> * A whole lot of websites would love to offer them.
>> * A whole lot of IdPs would love to provide them.
KT> O