date:20061009

PROPOSAL: OpenID Authentication Flow and how delegate fits in

2006-10-09 Thread Dick Hardt

I'll start off with a couple new definitions so that we are not hung  
up on what terms mean:

supplied_identifier := what the user types into the RP's form
verified_identifier := the identifier that the IdP says the user is

When looking at the OpenID protocol, the openid.identity sent from  
the RP to the IdP can be thought of as just a hint as to what  
verified_identifier the user wants to be at the RP. Given that, I  
would describe the flow as such:

1) User provides a supplied_identifier to the RP. The user may type  
this into a form which will post the supplied_identifier to the RP's  
login_url or a software agent may post this to the login_url. The  
supplied_identifier may be an:
OpenID URL
iname
IdP URL

2) The RP then does the appropriate discovery on supplied_identifier  
to find the IdP's entry point and functionality supported. The  
delegate tag is ignored if present.

3) If the RP wants to get a verified_identifier for the user, the RP  
sends an indirect message to the IdP containing  
openid.identity=supplied_identifier, otherwise openid.identity="none"  
to indicate it does not want a verified_identifier.

4) if a verified_identifier was requested, the IdP determines which  
verified_identifier the user would like to be with the RP, and then  
sends an indirect message with  openid.identity=verified_identifier  
to the RP. Although the user may have typed in one OpenID URL or  
iname, a different one could be in the response back to the RP.

5) If the RP has not already determined that the IdP is authorative  
for verified_identifier, then the RP does discovery on the  
verified_identifier to confirm the IdP is authoritative.

+ The IdP knows what the user typed into the form at the RP since  
that is what is sent to the IdP.
+ The IdP can display a friendly name to the user as to what they are  
releasing.
+ The IdP can assist the user in determining which  
verified_identifier they want to be at a site. Eg. the user may have  
forgotten which verified_identifier they were in the past, and the  
IdP can ask the user to confirm they want to use a different  
verified_identifer then the one they have previously used.
+ works with OpenID 1.1 as even though a 1.1 RP will send the  
delegate, a 2.0 IdP will send back the verified_identifier.

NOTE: The delegate tag is just a token that the user sticks into  
their HTML so that the IdP knows the user controls that URL. If the  
IdP controls the URL, then the delegate tag is not needed.

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Consolidated Delegate Proposal

2006-10-09 Thread Dick Hardt

I think a i-name IdP would have a display name for each i-name and  
show that consistent display name to the user. Why have the RP involved?

I think this delegate stuff is getting over complicated.

-- Dick

On 9-Oct-06, at 3:06 PM, Drummond Reed wrote:

> Dick,
>
> As Josh explains in
> http://openid.net/pipermail/specs/2006-October/000296.html, the  
> primary
> motivation for openid.display is when the user enters an i-name  
> into the RP.
> As Josh puts it:
>
> "Basically, =foo and =bar could both be tied to the same i-number.  
> Doing
> resolution on =foo and =bar will yield the same "canonical id,"  
> which means
> that they represent one logical entity. Drummond wants the display  
> name to
> tell the IdP *which* synonym the user entered at the RP so that the  
> IdP can
> present that same synonym in the UI, since the "canonical id" is both
> the IdP user identifier and the RP user identifier, but is not
> user-friendly (=!1234.1234.1234.1234)"
>
> It boils down to this:
>
> * If what the user enters at the RP is a URL, then there is at  
> least one and
> at most two identifiers involved -- the Claimed Identifier and an  
> optional
> Delegate Identifier.
> * If what the user enters at the RP is an XRI, then there are at  
> least two
> and at most three identifiers involved -- the Display Name (i- 
> name), the
> Claimed Identifier (i-number -- "CanonicalID"), and an optional  
> Delegate
> Identifier (which is usually the same CanonicalID but does not have  
> to be).
>
> Thus openid.display gives IdPs who support XRIs the ability to echo  
> back to
> the user the i-name synonym they typed in at the RP, rather than by  
> their
> CanonicalID i-number, which they are about as likely to know as  
> their IP
> address.
>
> If we decide that's totally unnecessary -- that it's always okay  
> for an IdP
> to just address an XRI user by an internal account name and not the  
> i-name
> synonym they used at the RP -- then we can drop openid.display.
>
> =Drummond
>
> -Original Message-
> From: Dick Hardt [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 09, 2006 2:19 PM
> To: Drummond Reed
> Cc: 'Josh Hoyt'; 'Recordon, David'; specs@openid.net
> Subject: Re: Consolidated Delegate Proposal
>
> I have finally got up on this thread and don't see the value of the
> openid.display parameter.
>
> The RP does not know who the user is when the user is using OpenID to
> login, since that is why the RP is using OpenID, to find out who the
> user is.
>
> Having the user type in another parameter just lets the user see the
> same thing at the IdP. What's the point?
>
> The user clearly knows they are at two different sites, and I think
> it is more important to have a consistent experience at the IdP
> across RPs then to have a consistent experience between the RP and
> the IdP.
>
> The IdP must know who the user is in order to create a positive
> response back to the RP, so the IdP will already have some display
> values to show the user.
>
> ... so what am I missing?
>
> -- Dick
>
>
> On 9-Oct-06, at 10:56 AM, Drummond Reed wrote:
>
>> Josh, your message arrived while I was writing my reply to David's.
>>
>> I agree completely that openid.display is primarily useful for i-name
>> synonyms.
>>
>> You go on to say, "For URIs, the display name *must* be the same as
>> the RP
>> user identifier, because there is no other value is verifiable by
>> the IdP."
>>
>> I was proposing that openid.display be treated simply a string, so
>> neither
>> an RP nor an IdP would ever never resolve it, verify it, use it as
>> key, etc.
>>
>> openid.display would default to openid.rpuserid if the RP didn't
>> send an
>> openid.display value. And if openid.rpuserid was a CanonicalID,
>> then an RP
>> SHOULD at least send the i-name as openid.display.
>>
>> However if the RP wanted to prompt a user for a short Display Name,
>> even if
>> the User's Claimed Identifier was a URL, the RP *could* send this
>> Display
>> Name to the IdP, and the IdP *could* display it so the user
>> experience was
>> consistent across the two sites.
>>
>> For example:
>>
>> At RP site the prompts are:
>>
>> OpenID Identifier:
>> Your Preferred Display Name:
>>
>> The user enters:
>>
>> OpenID Identifier: example.idp.com/some/long/URL
>> Your Preferred Display Name: DSR
>>
>> The RP sends to IdP:
>>
>> openid.identity = http://example.idp.com/some/long/URL
>> openid.rpuserid = http://example.idp.com/some/long/URL
>> openid.display = DSR
>>
>> The IdP displays:
>>
>> Hello DSR. Do you want to login to YourFriendlyRP?
>> Password: []
>> [Accept Once] {Accept Always] [Cancel]
>>
>>
>> =Drummond
>>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
>> Josh Hoyt
>> Sent: Monday, October 09, 2006 10:28 AM
>> To: Recordon, David
>> Cc: Drummond Reed; specs@openid.net
>> Subject: Re: Consolidated Delegate Proposal
>>
>> On 10/9/06, Recordon, David <[EMAIL PROTECTED]> wrote:
>>> In terms of

RE: Consolidated Delegate Proposal

2006-10-09 Thread Drummond Reed

Dick, 

As Josh explains in
http://openid.net/pipermail/specs/2006-October/000296.html, the primary
motivation for openid.display is when the user enters an i-name into the RP.
As Josh puts it:

"Basically, =foo and =bar could both be tied to the same i-number. Doing
resolution on =foo and =bar will yield the same "canonical id," which means
that they represent one logical entity. Drummond wants the display name to
tell the IdP *which* synonym the user entered at the RP so that the IdP can
present that same synonym in the UI, since the "canonical id" is both
the IdP user identifier and the RP user identifier, but is not
user-friendly (=!1234.1234.1234.1234)"

It boils down to this: 

* If what the user enters at the RP is a URL, then there is at least one and
at most two identifiers involved -- the Claimed Identifier and an optional
Delegate Identifier.
* If what the user enters at the RP is an XRI, then there are at least two
and at most three identifiers involved -- the Display Name (i-name), the
Claimed Identifier (i-number -- "CanonicalID"), and an optional Delegate
Identifier (which is usually the same CanonicalID but does not have to be).

Thus openid.display gives IdPs who support XRIs the ability to echo back to
the user the i-name synonym they typed in at the RP, rather than by their
CanonicalID i-number, which they are about as likely to know as their IP
address.

If we decide that's totally unnecessary -- that it's always okay for an IdP
to just address an XRI user by an internal account name and not the i-name
synonym they used at the RP -- then we can drop openid.display.

=Drummond 

-Original Message-
From: Dick Hardt [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 09, 2006 2:19 PM
To: Drummond Reed
Cc: 'Josh Hoyt'; 'Recordon, David'; specs@openid.net
Subject: Re: Consolidated Delegate Proposal

I have finally got up on this thread and don't see the value of the  
openid.display parameter.

The RP does not know who the user is when the user is using OpenID to  
login, since that is why the RP is using OpenID, to find out who the  
user is.

Having the user type in another parameter just lets the user see the  
same thing at the IdP. What's the point?

The user clearly knows they are at two different sites, and I think  
it is more important to have a consistent experience at the IdP  
across RPs then to have a consistent experience between the RP and  
the IdP.

The IdP must know who the user is in order to create a positive  
response back to the RP, so the IdP will already have some display  
values to show the user.

... so what am I missing?

-- Dick

On 9-Oct-06, at 10:56 AM, Drummond Reed wrote:

> Josh, your message arrived while I was writing my reply to David's.
>
> I agree completely that openid.display is primarily useful for i-name
> synonyms.
>
> You go on to say, "For URIs, the display name *must* be the same as  
> the RP
> user identifier, because there is no other value is verifiable by  
> the IdP."
>
> I was proposing that openid.display be treated simply a string, so  
> neither
> an RP nor an IdP would ever never resolve it, verify it, use it as  
> key, etc.
>
> openid.display would default to openid.rpuserid if the RP didn't  
> send an
> openid.display value. And if openid.rpuserid was a CanonicalID,  
> then an RP
> SHOULD at least send the i-name as openid.display.
>
> However if the RP wanted to prompt a user for a short Display Name,  
> even if
> the User's Claimed Identifier was a URL, the RP *could* send this  
> Display
> Name to the IdP, and the IdP *could* display it so the user  
> experience was
> consistent across the two sites.
>
> For example:
>
> At RP site the prompts are:
>
> OpenID Identifier:
> Your Preferred Display Name:
>
> The user enters:
>
> OpenID Identifier: example.idp.com/some/long/URL
> Your Preferred Display Name: DSR
>
> The RP sends to IdP:
>
> openid.identity = http://example.idp.com/some/long/URL
> openid.rpuserid = http://example.idp.com/some/long/URL
> openid.display = DSR
>
> The IdP displays:
>
> Hello DSR. Do you want to login to YourFriendlyRP?
> Password: []
> [Accept Once] {Accept Always] [Cancel]
>
>
> =Drummond
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of  
> Josh Hoyt
> Sent: Monday, October 09, 2006 10:28 AM
> To: Recordon, David
> Cc: Drummond Reed; specs@openid.net
> Subject: Re: Consolidated Delegate Proposal
>
> On 10/9/06, Recordon, David <[EMAIL PROTECTED]> wrote:
>> In terms of openid.display, shouldn't the IdP greet the user in  
>> whatever
>> manner it uses?  Thus if the user has an account on the IdP, the IdP
>> should always greet the user in the same manner with it.  Seems like
>> both a usability, phishing, and potential XSS issue if the IdP greets
>> the user with a string from the RP.
>>
>> Am I just missing something there?
>
> The display name is only useful for XRI synonyms. Basically, =foo and
> =bar could both be tied to the

Re: Delegation Proposal Amendment

2006-10-09 Thread Dick Hardt

ok -- I get it now -- I think it is a bad name as it implies that  
this is the identifier that the RP persists across sessions

really, it is the user identifier that the RP gets

-- Dick

On 9-Oct-06, at 2:38 PM, Drummond Reed wrote:

> Dick,
>
> The "persistent identifier" I referred to in this thread was whatever
> identifier the RP was going to persist (proposed to be called
> openid.rpuserid on
> http://www.lifewiki.net/openid/ConsolidatedDelegationProposal).  
> This boils
> down to:
>
> * If Claimed Identifier = URL, then openid.rpuserid = URL
> * If Claimed Identifier = XRI i-name (reassignable), then  
> openid.rpuserid =
> XRI i-number (CanonicalID - persistent).
>
> Both are discoverable from the XRDS document once the RP has done  
> discovery.
> That's cases 2/3/4/5 on
> http://www.lifewiki.net/openid/ConsolidatedDelegationProposal.
>
> Thus the only case where the RP does not have an identifier to  
> persist is
> the directed identity case (Case 1). In that case, the RP does not  
> send
> openid.rpuserid, but instead receives it back in the response from  
> IdP.
>
> =Drummond
>
> -Original Message-
> From: Dick Hardt [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 09, 2006 2:21 PM
> To: Drummond Reed
> Cc: 'Josh Hoyt'; specs@openid.net
> Subject: Re: Delegation Proposal Amendment
>
> Drummond
>
> How does the RP get a persistent identifier before it has called the
> IdP? The user could type anything into the form.
>
> -- Dick
>
> On 6-Oct-06, at 2:22 PM, Drummond Reed wrote:
>
>> Josh,
>>
>> This is very cool. Adding openid.rp_user_id would give us an
>> unambigous way
>> to represent what I called the RPI in my earlier message:
>>
>> IPI = IdP-Persistent-Identifier = openid.identity
>>
>> RPI = RP-Persistent-Identifier = openid.rp_user_id
>>
>> It doesn't address the third identifier, which I called UPI
>> (User-Presented-Identifier -- the one the user typed in at the RP),
>> but
>> let's leave that aside for now.
>>
>> So as I understand it, the rules would be:
>>
>> * ON THE RP SIDE *
>>
>> The RP ALWAYS does discovery on UPI. Then it applies these tests:
>>
>> 1) If UPI maps to a directed identity server
>> (http://openid.net/server/2.0), then:
>>  openid.rp_user_id = [empty]
>>  openid.identity = "http://openid.net/identifier_select/2.0";
>>
>> 2) If UPI is an XRI that maps to a CanonicalID AND there is no
>> openid:delegate element in the XRD, then:
>>  openid.rp_user_id = CanonicalID
>>  openid.identity = CanonicalID
>>
>> 3) If UPI is an XRI that maps to a CanonicalID AND to an IPI (via the
>> openid:delegate element in the XRD), then:
>>  openid.rp_user_id = CanonicalID
>>  openid.identity = IPI
>>
>> 4) If UPI is a URL that maps to an IPI (via the openid:delegate
>> element in
>> the XRD), then:
>>  openid.rp_user_id = UPI
>>  openid.identity = IPI
>>
>> 5) Else:
>>  openid.rp_user_id = UPI
>>  openid.identity = UPI
>>
>>
>> * ON THE IDP SIDE *
>>
>> 6) IdP ALWAYS keys on the value of openid.identity.
>>
>> 7) IdP ALWAYS returns the same value of openid.identity that the RP
>> sent (so
>> the RP can always key off this value in the response).
>>
>> 8) IdP ALWAYS returns the value of openid.rp_user_id UNLESS it was
>> empty, in
>> which case see rule 9a below.
>>
>> 9) IdP MAY or MAY NOT do discovery. The rules are:
>>
>>  a) If openid.identity = "http://openid.net/identifier_select/2.0";,
>> then IdP prompts User for UPI (or detects cookie, etc.). If UPI !=
>> IPI, then
>> IdP does discovery on UPI to get mapping to IPI. IdP authenticates
>> against
>> IPI, but at that point allows user to select the RPI (or generates
>> for the
>> user). IdP returns:
>>  openid.rp_user_id = user-selected or IdP-generated RPI
>>  openid.identity = "http://openid.net/identifier_select/2.0";
>>
>>  b) If openid.identity = UPI that IdP does not recognize, then IdP
>> does discovery on UPI to get mapping to IPI. After authentication
>> against
>> IPI, IdP returns:
>>  openid.rp_user_id = UPI
>>  openid.identity = UPI
>>
>>  c) If openid.identity = IPI, IdP does not need to do discovery, but
>> authenticates against IPI and returns:
>>  openid.rp_user_id = [value sent by RP]
>>  openid.identity = IPI
>>
>> *
>>
>> This all works wonderfully and covers all the use cases --
>> congratulations!
>>
>> Now, let me make a case for also making the third identifier -- the
>> UPI --
>> explicit in the protocol. This addresses a specific usability issue
>> that
>> arises due to the fact that XRIs support i-name/CanonicalID
>> separation,
>> which URLs don't. However I believe it can also improve usability
>> for URLs.
>>
>> The motivation is that in cases 2 and 3 above, the
>> openid.rp_user_id that
>> the RP passes to the IdP is going to be an CanonicalID, which is an
>> i-number. This is a very ugly string like:
>>
>>  =!F83.62B1.44F.2813 (that's my actual i-number)
>>
>> However the IdP

Re: Re[2]: [PROPOSAL] Separate Public Identifier from IdP Identifier

2006-10-09 Thread Dick Hardt

On 6-Oct-06, at 11:14 AM, Chris Drake wrote:

>
> An ***IdP*** can *initiate* the OpenID login with the RP using
> openid:Token.
>
> How the User arrived at the RP with this token is not the concern of
> the RP.  (could be javascript, browser plugins, participating IdP
> helper CGIs, or even the RP itself).  The point is - the guts of the
> authentication process remains unchanged and is backwards compatible,
> but all the privacy-invasive components that live at the RP are thus
> made *optional*.
>
> Simple as that.  User only needs to remember and use one ID.  User
> only needs to type it one time each day (or however long they elect to
> "stay logged on" for).  Datamatching and privacy invasion are
> eradicated.  No need to key custom IdP anonymity URLs ever.  Even
> facilitates double-blind anonymous logins (with inclusion of a simple
> RP nonce extension).  Win-win-win.

This is a great idea Chris!

Since the protocol from the RP point of view is it receives a POST  
for the browser, how that gets started does not matter to the RP.

Now all we need is a way for the IdP to know which URL to send the post.

A couple options:

1) the RP includes the "login URL" in request messages to the IdP.  
The IdP saves it for allowing the user to bookmark.

2) the RP has the "login URL" somewhere easily discoverable by the IdP

I would propose that both methods are supported.

-- Dick
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: [VOTE] Rename openid.nonce to openid.response_nonce

2006-10-09 Thread Dick Hardt

+1

Allows us to easily have a request_nonce now or in the future and  
have clarity on what is what

-- Dick

On 9-Oct-06, at 2:19 PM, Recordon, David wrote:

> Judging from a lack of responses, I'm guessing people don't really  
> care.
> Is this a correct assessment?
>
> I'm +1 to this to add clarity, though also in the "don't really care"
> boat at the same time.
>
> --David
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Recordon, David
> Sent: Thursday, October 05, 2006 5:25 PM
> To: specs@openid.net
> Subject: [VOTE] Rename openid.nonce to openid.response_nonce
>
> Stemming from the proposal to add a request nonce, the idea to rename
> the openid.nonce field to openid.response_nonce surfaced.  Is this
> something that we should do?
>
> Vote closes Tuesday the 10th at 3:30pm PST.  Votes are +1 (in  
> support of
> idea), 0 (abstain), or -1 (disagree).  Traditionally a -1 vote, with
> appropriate technical reasoning, will cause the vote as a whole to  
> fail.
> In this case, I believe it will be best to make the decision tallying
> all votes for and against unless a strong technical argument can be  
> made
> for not renaming this parameter.
>
> --David
> ___
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
>
> ___
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
>
>

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Re[2]: [PROPOSAL] bare response / bare request

2006-10-09 Thread Dick Hardt


On 6-Oct-06, at 8:41 PM, Chris Drake wrote:

> KT> On Fri, 2006-10-06 at 16:34 -0700, Drummond Reed wrote:
>>> Let me play the dumb customer here and say:
>>>
>>> * A whole lot of real-world users would love OpenID-enabled  
>>> bookmarks.
>>> * A whole lot of websites would love to offer them.
>>> * A whole lot of IdPs would love to provide them.
>
> KT> Okay Customer, if both websites and IdPs would love it, is it  
> okay if
> KT> it's something that websites + IdPs can layer on top of the  
> core?  If
> KT> some sites chose not to, and the IdP said "login bookmark not  
> available
> KT> for this site", would that be okay?
>
> Technically - the only thing we need is a mechanism for the IdP to
> find the RPs OpenID "bookmark entrance" - a hidden field in the
> original login  should be sufficient: IdP can then save this URL
> in the users profile for them.

Are you suggesting that the IdP can discover the bookmark_entrance by  
looking at an RP's site?

-- Dick
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

RE: Delegation Proposal Amendment

2006-10-09 Thread Drummond Reed

Dick,

The "persistent identifier" I referred to in this thread was whatever
identifier the RP was going to persist (proposed to be called
openid.rpuserid on
http://www.lifewiki.net/openid/ConsolidatedDelegationProposal). This boils
down to:

* If Claimed Identifier = URL, then openid.rpuserid = URL
* If Claimed Identifier = XRI i-name (reassignable), then openid.rpuserid =
XRI i-number (CanonicalID - persistent).

Both are discoverable from the XRDS document once the RP has done discovery.
That's cases 2/3/4/5 on
http://www.lifewiki.net/openid/ConsolidatedDelegationProposal. 

Thus the only case where the RP does not have an identifier to persist is
the directed identity case (Case 1). In that case, the RP does not send
openid.rpuserid, but instead receives it back in the response from IdP. 

=Drummond 

-Original Message-
From: Dick Hardt [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 09, 2006 2:21 PM
To: Drummond Reed
Cc: 'Josh Hoyt'; specs@openid.net
Subject: Re: Delegation Proposal Amendment

Drummond

How does the RP get a persistent identifier before it has called the  
IdP? The user could type anything into the form.

-- Dick

On 6-Oct-06, at 2:22 PM, Drummond Reed wrote:

> Josh,
>
> This is very cool. Adding openid.rp_user_id would give us an  
> unambigous way
> to represent what I called the RPI in my earlier message:
>
> IPI = IdP-Persistent-Identifier = openid.identity
>
> RPI = RP-Persistent-Identifier = openid.rp_user_id
>
> It doesn't address the third identifier, which I called UPI
> (User-Presented-Identifier -- the one the user typed in at the RP),  
> but
> let's leave that aside for now.
>
> So as I understand it, the rules would be:
>
> * ON THE RP SIDE *
>
> The RP ALWAYS does discovery on UPI. Then it applies these tests:
>
> 1) If UPI maps to a directed identity server
> (http://openid.net/server/2.0), then:
>   openid.rp_user_id = [empty]
>   openid.identity = "http://openid.net/identifier_select/2.0";
>
> 2) If UPI is an XRI that maps to a CanonicalID AND there is no
> openid:delegate element in the XRD, then:
>   openid.rp_user_id = CanonicalID
>   openid.identity = CanonicalID
>
> 3) If UPI is an XRI that maps to a CanonicalID AND to an IPI (via the
> openid:delegate element in the XRD), then:
>   openid.rp_user_id = CanonicalID
>   openid.identity = IPI
>
> 4) If UPI is a URL that maps to an IPI (via the openid:delegate  
> element in
> the XRD), then:
>   openid.rp_user_id = UPI
>   openid.identity = IPI
>
> 5) Else:
>   openid.rp_user_id = UPI
>   openid.identity = UPI
>
>
> * ON THE IDP SIDE *
>
> 6) IdP ALWAYS keys on the value of openid.identity.
>
> 7) IdP ALWAYS returns the same value of openid.identity that the RP  
> sent (so
> the RP can always key off this value in the response).
>
> 8) IdP ALWAYS returns the value of openid.rp_user_id UNLESS it was  
> empty, in
> which case see rule 9a below.
>
> 9) IdP MAY or MAY NOT do discovery. The rules are:
>
>   a) If openid.identity = "http://openid.net/identifier_select/2.0";,
> then IdP prompts User for UPI (or detects cookie, etc.). If UPI !=  
> IPI, then
> IdP does discovery on UPI to get mapping to IPI. IdP authenticates  
> against
> IPI, but at that point allows user to select the RPI (or generates  
> for the
> user). IdP returns:
>   openid.rp_user_id = user-selected or IdP-generated RPI
>   openid.identity = "http://openid.net/identifier_select/2.0";
>
>   b) If openid.identity = UPI that IdP does not recognize, then IdP
> does discovery on UPI to get mapping to IPI. After authentication  
> against
> IPI, IdP returns:
>   openid.rp_user_id = UPI
>   openid.identity = UPI
>
>   c) If openid.identity = IPI, IdP does not need to do discovery, but
> authenticates against IPI and returns:
>   openid.rp_user_id = [value sent by RP]
>   openid.identity = IPI
>
> *
>
> This all works wonderfully and covers all the use cases --  
> congratulations!
>
> Now, let me make a case for also making the third identifier -- the  
> UPI --
> explicit in the protocol. This addresses a specific usability issue  
> that
> arises due to the fact that XRIs support i-name/CanonicalID  
> separation,
> which URLs don't. However I believe it can also improve usability  
> for URLs.
>
> The motivation is that in cases 2 and 3 above, the  
> openid.rp_user_id that
> the RP passes to the IdP is going to be an CanonicalID, which is an
> i-number. This is a very ugly string like:
>
>   =!F83.62B1.44F.2813 (that's my actual i-number)
>
> However the IdP only has the choice of openid.rp_user_id or  
> openid.identity
> from which to greet me to ask for my authentication credentials.  
> Since these
> will both be a CanonicalID, this leads to a greeting like:
>
>   Hello =!F83.62B1.44F.2813. Please confirm that you want to login
>   to YourFavoriteRP. [Allow Once] [Allow Always] [Cancel]
>
> All it takes to solve thi

Re: [OT] our cookie expiration

2006-10-09 Thread Dick Hardt

On 9-Oct-06, at 1:12 AM, Josh Hoyt wrote:

> On 10/8/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
>> [...] I would want the site to prompt for a password if I was  
>> doing something
>> important. The only way for the IdP to know that is for the RP to
>> tell it somehow -> auth_age request.
>
> This is only useful in conjunction with signed requests. A malicious
> 3rd party could easily remove whatever parameter(s) in the request
> that made the IdP prompt for the password. If the request is not
> signed, it's a false sense of security at best.

Not true. The malicious 3rd party can modify the request, but not the  
response.

The response would contain the auth_age parameter as well, so the RP  
would know if the IdP was claiming to have performed the request.

-- Dick
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Delegation Proposal Amendment

2006-10-09 Thread Dick Hardt

Drummond

How does the RP get a persistent identifier before it has called the  
IdP? The user could type anything into the form.

-- Dick

On 6-Oct-06, at 2:22 PM, Drummond Reed wrote:

> Josh,
>
> This is very cool. Adding openid.rp_user_id would give us an  
> unambigous way
> to represent what I called the RPI in my earlier message:
>
> IPI = IdP-Persistent-Identifier = openid.identity
>
> RPI = RP-Persistent-Identifier = openid.rp_user_id
>
> It doesn't address the third identifier, which I called UPI
> (User-Presented-Identifier -- the one the user typed in at the RP),  
> but
> let's leave that aside for now.
>
> So as I understand it, the rules would be:
>
> * ON THE RP SIDE *
>
> The RP ALWAYS does discovery on UPI. Then it applies these tests:
>
> 1) If UPI maps to a directed identity server
> (http://openid.net/server/2.0), then:
>   openid.rp_user_id = [empty]
>   openid.identity = "http://openid.net/identifier_select/2.0";
>
> 2) If UPI is an XRI that maps to a CanonicalID AND there is no
> openid:delegate element in the XRD, then:
>   openid.rp_user_id = CanonicalID
>   openid.identity = CanonicalID
>
> 3) If UPI is an XRI that maps to a CanonicalID AND to an IPI (via the
> openid:delegate element in the XRD), then:
>   openid.rp_user_id = CanonicalID
>   openid.identity = IPI
>
> 4) If UPI is a URL that maps to an IPI (via the openid:delegate  
> element in
> the XRD), then:
>   openid.rp_user_id = UPI
>   openid.identity = IPI
>
> 5) Else:
>   openid.rp_user_id = UPI
>   openid.identity = UPI
>
>
> * ON THE IDP SIDE *
>
> 6) IdP ALWAYS keys on the value of openid.identity.
>
> 7) IdP ALWAYS returns the same value of openid.identity that the RP  
> sent (so
> the RP can always key off this value in the response).
>
> 8) IdP ALWAYS returns the value of openid.rp_user_id UNLESS it was  
> empty, in
> which case see rule 9a below.
>
> 9) IdP MAY or MAY NOT do discovery. The rules are:
>
>   a) If openid.identity = "http://openid.net/identifier_select/2.0";,
> then IdP prompts User for UPI (or detects cookie, etc.). If UPI !=  
> IPI, then
> IdP does discovery on UPI to get mapping to IPI. IdP authenticates  
> against
> IPI, but at that point allows user to select the RPI (or generates  
> for the
> user). IdP returns:
>   openid.rp_user_id = user-selected or IdP-generated RPI
>   openid.identity = "http://openid.net/identifier_select/2.0";
>
>   b) If openid.identity = UPI that IdP does not recognize, then IdP
> does discovery on UPI to get mapping to IPI. After authentication  
> against
> IPI, IdP returns:
>   openid.rp_user_id = UPI
>   openid.identity = UPI
>
>   c) If openid.identity = IPI, IdP does not need to do discovery, but
> authenticates against IPI and returns:
>   openid.rp_user_id = [value sent by RP]
>   openid.identity = IPI
>
> *
>
> This all works wonderfully and covers all the use cases --  
> congratulations!
>
> Now, let me make a case for also making the third identifier -- the  
> UPI --
> explicit in the protocol. This addresses a specific usability issue  
> that
> arises due to the fact that XRIs support i-name/CanonicalID  
> separation,
> which URLs don't. However I believe it can also improve usability  
> for URLs.
>
> The motivation is that in cases 2 and 3 above, the  
> openid.rp_user_id that
> the RP passes to the IdP is going to be an CanonicalID, which is an
> i-number. This is a very ugly string like:
>
>   =!F83.62B1.44F.2813 (that's my actual i-number)
>
> However the IdP only has the choice of openid.rp_user_id or  
> openid.identity
> from which to greet me to ask for my authentication credentials.  
> Since these
> will both be a CanonicalID, this leads to a greeting like:
>
>   Hello =!F83.62B1.44F.2813. Please confirm that you want to login
>   to YourFavoriteRP. [Allow Once] [Allow Always] [Cancel]
>
> All it takes to solve this problem is for the RP to pass the UPI in  
> the
> authentication request. Then the IdP can say:
>
>   Hello =drummond.reed. Please confirm that you want to login
>   to YourFavoriteRP. [Allow Once] [Allow Always] [Cancel]
>
> Better still, this functionality is not limited to XRIs. RPs can  
> apply it to
> any User just by prompting the user for a preferred Display Name  
> along with
> their OpenID identifier. Then the RP can send the Display Name as  
> the UPI
> string so the IdP can call the user by the same name. For example:
>
>   Hello Drummond. Please confirm that you want to login
>   to YourFavoriteRP. [Allow Once] [Allow Always] [Cancel]
>
> So this boils down to a simple proposed amendment to your amendment:
>
> PROPOSED AMENDMENT: Add a third optional parameter, openid.display,  
> the
> value of which is the UPI. The rules governing its use:
>
> 1) If the RP DOES NOT send openid.display, it defaults to  
> openid.rp_user_id.
> (And by your amendment, if RP does not send open

RE: [VOTE] Rename openid.nonce to openid.response_nonce

2006-10-09 Thread Recordon, David

Judging from a lack of responses, I'm guessing people don't really care.
Is this a correct assessment?

I'm +1 to this to add clarity, though also in the "don't really care"
boat at the same time.

--David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Recordon, David
Sent: Thursday, October 05, 2006 5:25 PM
To: specs@openid.net
Subject: [VOTE] Rename openid.nonce to openid.response_nonce

Stemming from the proposal to add a request nonce, the idea to rename
the openid.nonce field to openid.response_nonce surfaced.  Is this
something that we should do?

Vote closes Tuesday the 10th at 3:30pm PST.  Votes are +1 (in support of
idea), 0 (abstain), or -1 (disagree).  Traditionally a -1 vote, with
appropriate technical reasoning, will cause the vote as a whole to fail.
In this case, I believe it will be best to make the decision tallying
all votes for and against unless a strong technical argument can be made
for not renaming this parameter.

--David
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Consolidated Delegate Proposal

2006-10-09 Thread Dick Hardt

I have finally got up on this thread and don't see the value of the  
openid.display parameter.

The RP does not know who the user is when the user is using OpenID to  
login, since that is why the RP is using OpenID, to find out who the  
user is.

Having the user type in another parameter just lets the user see the  
same thing at the IdP. What's the point?

The user clearly knows they are at two different sites, and I think  
it is more important to have a consistent experience at the IdP  
across RPs then to have a consistent experience between the RP and  
the IdP.

The IdP must know who the user is in order to create a positive  
response back to the RP, so the IdP will already have some display  
values to show the user.

... so what am I missing?

-- Dick


On 9-Oct-06, at 10:56 AM, Drummond Reed wrote:

> Josh, your message arrived while I was writing my reply to David's.
>
> I agree completely that openid.display is primarily useful for i-name
> synonyms.
>
> You go on to say, "For URIs, the display name *must* be the same as  
> the RP
> user identifier, because there is no other value is verifiable by  
> the IdP."
>
> I was proposing that openid.display be treated simply a string, so  
> neither
> an RP nor an IdP would ever never resolve it, verify it, use it as  
> key, etc.
>
> openid.display would default to openid.rpuserid if the RP didn't  
> send an
> openid.display value. And if openid.rpuserid was a CanonicalID,  
> then an RP
> SHOULD at least send the i-name as openid.display.
>
> However if the RP wanted to prompt a user for a short Display Name,  
> even if
> the User's Claimed Identifier was a URL, the RP *could* send this  
> Display
> Name to the IdP, and the IdP *could* display it so the user  
> experience was
> consistent across the two sites.
>
> For example:
>
> At RP site the prompts are:
>
> OpenID Identifier:
> Your Preferred Display Name:
>
> The user enters:
>
> OpenID Identifier: example.idp.com/some/long/URL
> Your Preferred Display Name: DSR
>
> The RP sends to IdP:
>
> openid.identity = http://example.idp.com/some/long/URL
> openid.rpuserid = http://example.idp.com/some/long/URL
> openid.display = DSR
>
> The IdP displays:
>
> Hello DSR. Do you want to login to YourFriendlyRP?
> Password: []
> [Accept Once] {Accept Always] [Cancel]
>
>
> =Drummond
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of  
> Josh Hoyt
> Sent: Monday, October 09, 2006 10:28 AM
> To: Recordon, David
> Cc: Drummond Reed; specs@openid.net
> Subject: Re: Consolidated Delegate Proposal
>
> On 10/9/06, Recordon, David <[EMAIL PROTECTED]> wrote:
>> In terms of openid.display, shouldn't the IdP greet the user in  
>> whatever
>> manner it uses?  Thus if the user has an account on the IdP, the IdP
>> should always greet the user in the same manner with it.  Seems like
>> both a usability, phishing, and potential XSS issue if the IdP greets
>> the user with a string from the RP.
>>
>> Am I just missing something there?
>
> The display name is only useful for XRI synonyms. Basically, =foo and
> =bar could both be tied to the same i-number. Doing resolution on =foo
> and =bar will yield the same "canonical id," which means that they
> represent one logical entity. Drummond wants the display name to tell
> the IdP *which* synonym the user entered at the RP so that the IdP can
> present that same synonym in the UI, since the "canonical id" is both
> the IdP user identifier and the RP user identifier, but is not
> user-friendly (=!1234.1234.1234.1234)
>
> For URIs, the display name *must* be the same as the RP user
> identifier, because there is no other value is verifiable by the IdP.
>
> Does that explanation help?
>
> Josh
>
> ___
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
>
>

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

RE: Consolidated Delegate Proposal

2006-10-09 Thread Drummond Reed

Josh, your message arrived while I was writing my reply to David's.

I agree completely that openid.display is primarily useful for i-name
synonyms.

You go on to say, "For URIs, the display name *must* be the same as the RP
user identifier, because there is no other value is verifiable by the IdP."

I was proposing that openid.display be treated simply a string, so neither
an RP nor an IdP would ever never resolve it, verify it, use it as key, etc.

openid.display would default to openid.rpuserid if the RP didn't send an
openid.display value. And if openid.rpuserid was a CanonicalID, then an RP
SHOULD at least send the i-name as openid.display. 

However if the RP wanted to prompt a user for a short Display Name, even if
the User's Claimed Identifier was a URL, the RP *could* send this Display
Name to the IdP, and the IdP *could* display it so the user experience was
consistent across the two sites.

For example:

At RP site the prompts are:

OpenID Identifier: 
Your Preferred Display Name:

The user enters:

OpenID Identifier: example.idp.com/some/long/URL
Your Preferred Display Name: DSR

The RP sends to IdP:

openid.identity = http://example.idp.com/some/long/URL
openid.rpuserid = http://example.idp.com/some/long/URL
openid.display = DSR

The IdP displays:

Hello DSR. Do you want to login to YourFriendlyRP?
Password: []
[Accept Once] {Accept Always] [Cancel]

=Drummond 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Josh Hoyt
Sent: Monday, October 09, 2006 10:28 AM
To: Recordon, David
Cc: Drummond Reed; specs@openid.net
Subject: Re: Consolidated Delegate Proposal

On 10/9/06, Recordon, David <[EMAIL PROTECTED]> wrote:
> In terms of openid.display, shouldn't the IdP greet the user in whatever
> manner it uses?  Thus if the user has an account on the IdP, the IdP
> should always greet the user in the same manner with it.  Seems like
> both a usability, phishing, and potential XSS issue if the IdP greets
> the user with a string from the RP.
>
> Am I just missing something there?

The display name is only useful for XRI synonyms. Basically, =foo and
=bar could both be tied to the same i-number. Doing resolution on =foo
and =bar will yield the same "canonical id," which means that they
represent one logical entity. Drummond wants the display name to tell
the IdP *which* synonym the user entered at the RP so that the IdP can
present that same synonym in the UI, since the "canonical id" is both
the IdP user identifier and the RP user identifier, but is not
user-friendly (=!1234.1234.1234.1234)

For URIs, the display name *must* be the same as the RP user
identifier, because there is no other value is verifiable by the IdP.

Does that explanation help?

Josh

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

RE: Consolidated Delegate Proposal

2006-10-09 Thread Drummond Reed

No, you're not missing anything. That's what I thought at the outset too.
And you may well be right -- the IdP can always use openid.identity to
lookup the user's IdP account and retrieve an an internal display name from
there.

However I don't believe there's a security or phishing issue here -- the IdP
would only echo the Display Name, if any, passed from the IdP. In other
words, if the RP prompts for a Display Name, and the User enters one at the
RP, then it's perfectly natural that the IdP can turn around and address the
User by the same Display Name, since the IdP is authenticating the User's
identity in the context of the RP.

That doesn't mean the IdP can't also display it's own identifier(s) for the
User if it wants (or other tokens that help prove to the User that they are
not being phished).

It's not just for i-names that openid.display is useful -- it's also handy
for long URLs, where an RP is motivated to give the user a shorter display
name to better control screen real estate.

Anyway, those are the basic use cases. If there's not enough value in
openid.display then we can drop it. openid.rpuserid is the meat of the
proposal, because it enables a clean separation between the IdP-facing
identifier (openid.identity) and the RP-facing-identifier (openid.rpuserid).

=Drummond 

-Original Message-
From: Recordon, David [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 09, 2006 9:38 AM
To: Drummond Reed; specs@openid.net
Subject: RE: Consolidated Delegate Proposal

In terms of openid.display, shouldn't the IdP greet the user in whatever
manner it uses?  Thus if the user has an account on the IdP, the IdP
should always greet the user in the same manner with it.  Seems like
both a usability, phishing, and potential XSS issue if the IdP greets
the user with a string from the RP.

Am I just missing something there?

--David

-Original Message-
From: Drummond Reed [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 09, 2006 1:20 AM
To: Recordon, David; specs@openid.net
Subject: RE: Consolidated Delegate Proposal

>David Recordon wrote:
>
>Read through it
>(http://www.lifewiki.net/openid/ConsolidatedDelegationProposal),
>and I'm liking how it really clears up delegation.  A few questions:
>
>1) In case 1, is what the user typed in ever sent from the RP to the 
>IdP?  What if it is an OpenID Auth 2.0 IdP, but the user entered their 
>identifier on the RP?  Or in the case where the IdP supports multiple 
>identifiers for the user, shouldn't the RP send what the user entered 
>so the user doesn't have to choose it again at their IdP?

Case 1 is the directed identity case. The RP *could* send what the user
types in at the RP (the identifier for the IdP's directed identity
server), but since the RP knows (from the OpenID service type) that this
is an anonymous login, and thus that the RP needs to get
openid.rd_user_id *back* from the IdP, it seemed better for the RP not
to send anything. This way you never break the rule that the IdP never
changes any of the identifier parameters than an RP sends it.

>2) This may also be part of my first question, but why is there such a 
>delta between case 1 and cases 2 and 3?  How does the RP know to use 
>case 1 versus case 2, they seem quite similar in their explanation?

Again, Case 1 is the directed identity case, that's why it's so unusual.
The way the RP differentiates between case 1 and cases 2/3/4/5 is that
only in case 1 is the value  attribute in the OpenID service
endpoint "http://openid.net/identifier_select/2.0";.

I went back and rewrote the page to make this much clearer.

>3) What is openid.display used for?

The complete explanation was in the latter part of
http://openid.net/pipermail/specs/2006-October/000278.html. But to make
the consolidated proposal easier to review, I added a "Summary of
Motivations"
section at the start and put a section at the end explaining the
motivation for openid.display. 

>4) In the rules, don't you mean the IdP must return the value of the 
>rp_user_id for the RP to key off of, not the value of identity?

Yes, sorry, this was unclear. What I meant was that since the RP must
ALWAYS send openid.identity, the RP could *ALWAYS* count on this in the
response.
However you're right that as far as a persistent key goes 

>I think this is getting there, just either needs to be tightened up or 
>the different flows better explained.

I think it just needed to be better explained. Also, Josh, note that
when I went back to edit this tonight, I found the parameter name
"openid.rp_user_id" was driving the wiki markup nuts. So I changed it to
just "openid.rpuserid". Personally, I think this reads fine and
eliminates the awkward underscores. I hope you agree.

=Drummond 

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Consolidated Delegate Proposal

2006-10-09 Thread Josh Hoyt

On 10/9/06, Recordon, David <[EMAIL PROTECTED]> wrote:
> In terms of openid.display, shouldn't the IdP greet the user in whatever
> manner it uses?  Thus if the user has an account on the IdP, the IdP
> should always greet the user in the same manner with it.  Seems like
> both a usability, phishing, and potential XSS issue if the IdP greets
> the user with a string from the RP.
>
> Am I just missing something there?

The display name is only useful for XRI synonyms. Basically, =foo and
=bar could both be tied to the same i-number. Doing resolution on =foo
and =bar will yield the same "canonical id," which means that they
represent one logical entity. Drummond wants the display name to tell
the IdP *which* synonym the user entered at the RP so that the IdP can
present that same synonym in the UI, since the "canonical id" is both
the IdP user identifier and the RP user identifier, but is not
user-friendly (=!1234.1234.1234.1234)

For URIs, the display name *must* be the same as the RP user
identifier, because there is no other value is verifiable by the IdP.

Does that explanation help?

Josh
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

RE: Consolidated Delegate Proposal

2006-10-09 Thread Drummond Reed

Maybe I misunderstood the directed identity protocol. Section 4.2.3.1 of
Draft 9 says:

*** EXCERPT ***

4.2.3.1.  IdP Identifiers

If the entered Identifier is an IdP Identifier, the OpenID information is
contained in a service element with the following information:

* An  tag whose text content is "http://openid.net/server/2.0";
* An  tag whose text content is The IdP Endpoint URL

*** END ***

So in the discovery phase what the RP should find is an xrd:Type tag of
"http://openid.net/server/2.0";. That's what I meant.

Am I missing something?

=Drummond 

-Original Message-
From: Recordon, David [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 09, 2006 9:34 AM
To: Drummond Reed; specs@openid.net
Subject: RE: Consolidated Delegate Proposal

Ok, that makes it more clear.

I think this line was part of what was throwing me, "If Claimed
Identifier is EITHER a URL or XRI that maps to a directed identity
server (http://openid.net/server/2.0), the values are:" since in the
discovery phase it should be finding the type of identifier_select.

--David 

-Original Message-
From: Drummond Reed [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 09, 2006 1:20 AM
To: Recordon, David; specs@openid.net
Subject: RE: Consolidated Delegate Proposal

>David Recordon wrote:
>
>Read through it
>(http://www.lifewiki.net/openid/ConsolidatedDelegationProposal),
>and I'm liking how it really clears up delegation.  A few questions:
>
>1) In case 1, is what the user typed in ever sent from the RP to the 
>IdP?  What if it is an OpenID Auth 2.0 IdP, but the user entered their 
>identifier on the RP?  Or in the case where the IdP supports multiple 
>identifiers for the user, shouldn't the RP send what the user entered 
>so the user doesn't have to choose it again at their IdP?

Case 1 is the directed identity case. The RP *could* send what the user
types in at the RP (the identifier for the IdP's directed identity
server), but since the RP knows (from the OpenID service type) that this
is an anonymous login, and thus that the RP needs to get
openid.rd_user_id *back* from the IdP, it seemed better for the RP not
to send anything. This way you never break the rule that the IdP never
changes any of the identifier parameters than an RP sends it.

>2) This may also be part of my first question, but why is there such a 
>delta between case 1 and cases 2 and 3?  How does the RP know to use 
>case 1 versus case 2, they seem quite similar in their explanation?

Again, Case 1 is the directed identity case, that's why it's so unusual.
The way the RP differentiates between case 1 and cases 2/3/4/5 is that
only in case 1 is the value  attribute in the OpenID service
endpoint "http://openid.net/identifier_select/2.0";.

I went back and rewrote the page to make this much clearer.

>3) What is openid.display used for?

The complete explanation was in the latter part of
http://openid.net/pipermail/specs/2006-October/000278.html. But to make
the consolidated proposal easier to review, I added a "Summary of
Motivations"
section at the start and put a section at the end explaining the
motivation for openid.display. 

>4) In the rules, don't you mean the IdP must return the value of the 
>rp_user_id for the RP to key off of, not the value of identity?

Yes, sorry, this was unclear. What I meant was that since the RP must
ALWAYS send openid.identity, the RP could *ALWAYS* count on this in the
response.
However you're right that as far as a persistent key goes 

>I think this is getting there, just either needs to be tightened up or 
>the different flows better explained.

I think it just needed to be better explained. Also, Josh, note that
when I went back to edit this tonight, I found the parameter name
"openid.rp_user_id" was driving the wiki markup nuts. So I changed it to
just "openid.rpuserid". Personally, I think this reads fine and
eliminates the awkward underscores. I hope you agree.

=Drummond 

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

RE: Consolidated Delegate Proposal

2006-10-09 Thread Recordon, David

In terms of openid.display, shouldn't the IdP greet the user in whatever
manner it uses?  Thus if the user has an account on the IdP, the IdP
should always greet the user in the same manner with it.  Seems like
both a usability, phishing, and potential XSS issue if the IdP greets
the user with a string from the RP.

Am I just missing something there?

--David

-Original Message-
From: Drummond Reed [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 09, 2006 1:20 AM
To: Recordon, David; specs@openid.net
Subject: RE: Consolidated Delegate Proposal

>David Recordon wrote:
>
>Read through it
>(http://www.lifewiki.net/openid/ConsolidatedDelegationProposal),
>and I'm liking how it really clears up delegation.  A few questions:
>
>1) In case 1, is what the user typed in ever sent from the RP to the 
>IdP?  What if it is an OpenID Auth 2.0 IdP, but the user entered their 
>identifier on the RP?  Or in the case where the IdP supports multiple 
>identifiers for the user, shouldn't the RP send what the user entered 
>so the user doesn't have to choose it again at their IdP?

Case 1 is the directed identity case. The RP *could* send what the user
types in at the RP (the identifier for the IdP's directed identity
server), but since the RP knows (from the OpenID service type) that this
is an anonymous login, and thus that the RP needs to get
openid.rd_user_id *back* from the IdP, it seemed better for the RP not
to send anything. This way you never break the rule that the IdP never
changes any of the identifier parameters than an RP sends it.

>2) This may also be part of my first question, but why is there such a 
>delta between case 1 and cases 2 and 3?  How does the RP know to use 
>case 1 versus case 2, they seem quite similar in their explanation?

Again, Case 1 is the directed identity case, that's why it's so unusual.
The way the RP differentiates between case 1 and cases 2/3/4/5 is that
only in case 1 is the value  attribute in the OpenID service
endpoint "http://openid.net/identifier_select/2.0";.

I went back and rewrote the page to make this much clearer.

>3) What is openid.display used for?

The complete explanation was in the latter part of
http://openid.net/pipermail/specs/2006-October/000278.html. But to make
the consolidated proposal easier to review, I added a "Summary of
Motivations"
section at the start and put a section at the end explaining the
motivation for openid.display. 

>4) In the rules, don't you mean the IdP must return the value of the 
>rp_user_id for the RP to key off of, not the value of identity?

Yes, sorry, this was unclear. What I meant was that since the RP must
ALWAYS send openid.identity, the RP could *ALWAYS* count on this in the
response.
However you're right that as far as a persistent key goes 

>I think this is getting there, just either needs to be tightened up or 
>the different flows better explained.

I think it just needed to be better explained. Also, Josh, note that
when I went back to edit this tonight, I found the parameter name
"openid.rp_user_id" was driving the wiki markup nuts. So I changed it to
just "openid.rpuserid". Personally, I think this reads fine and
eliminates the awkward underscores. I hope you agree.

=Drummond 

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

RE: Consolidated Delegate Proposal

2006-10-09 Thread Recordon, David

Ok, that makes it more clear.

I think this line was part of what was throwing me, "If Claimed
Identifier is EITHER a URL or XRI that maps to a directed identity
server (http://openid.net/server/2.0), the values are:" since in the
discovery phase it should be finding the type of identifier_select.

--David 

-Original Message-
From: Drummond Reed [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 09, 2006 1:20 AM
To: Recordon, David; specs@openid.net
Subject: RE: Consolidated Delegate Proposal

>David Recordon wrote:
>
>Read through it
>(http://www.lifewiki.net/openid/ConsolidatedDelegationProposal),
>and I'm liking how it really clears up delegation.  A few questions:
>
>1) In case 1, is what the user typed in ever sent from the RP to the 
>IdP?  What if it is an OpenID Auth 2.0 IdP, but the user entered their 
>identifier on the RP?  Or in the case where the IdP supports multiple 
>identifiers for the user, shouldn't the RP send what the user entered 
>so the user doesn't have to choose it again at their IdP?

Case 1 is the directed identity case. The RP *could* send what the user
types in at the RP (the identifier for the IdP's directed identity
server), but since the RP knows (from the OpenID service type) that this
is an anonymous login, and thus that the RP needs to get
openid.rd_user_id *back* from the IdP, it seemed better for the RP not
to send anything. This way you never break the rule that the IdP never
changes any of the identifier parameters than an RP sends it.

>2) This may also be part of my first question, but why is there such a 
>delta between case 1 and cases 2 and 3?  How does the RP know to use 
>case 1 versus case 2, they seem quite similar in their explanation?

Again, Case 1 is the directed identity case, that's why it's so unusual.
The way the RP differentiates between case 1 and cases 2/3/4/5 is that
only in case 1 is the value  attribute in the OpenID service
endpoint "http://openid.net/identifier_select/2.0";.

I went back and rewrote the page to make this much clearer.

>3) What is openid.display used for?

The complete explanation was in the latter part of
http://openid.net/pipermail/specs/2006-October/000278.html. But to make
the consolidated proposal easier to review, I added a "Summary of
Motivations"
section at the start and put a section at the end explaining the
motivation for openid.display. 

>4) In the rules, don't you mean the IdP must return the value of the 
>rp_user_id for the RP to key off of, not the value of identity?

Yes, sorry, this was unclear. What I meant was that since the RP must
ALWAYS send openid.identity, the RP could *ALWAYS* count on this in the
response.
However you're right that as far as a persistent key goes 

>I think this is getting there, just either needs to be tightened up or 
>the different flows better explained.

I think it just needed to be better explained. Also, Josh, note that
when I went back to edit this tonight, I found the parameter name
"openid.rp_user_id" was driving the wiki markup nuts. So I changed it to
just "openid.rpuserid". Personally, I think this reads fine and
eliminates the awkward underscores. I hope you agree.

=Drummond 

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: [OT] our cookie expiration

2006-10-09 Thread Josh Hoyt

On 10/8/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
> [...] I would want the site to prompt for a password if I was doing something
> important. The only way for the IdP to know that is for the RP to
> tell it somehow -> auth_age request.

This is only useful in conjunction with signed requests. A malicious
3rd party could easily remove whatever parameter(s) in the request
that made the IdP prompt for the password. If the request is not
signed, it's a false sense of security at best.

Josh
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

PROPOSAL: OpenID Authentication Flow and how delegate fits in

Re: Consolidated Delegate Proposal

RE: Consolidated Delegate Proposal

Re: Delegation Proposal Amendment

Re: Re[2]: [PROPOSAL] Separate Public Identifier from IdP Identifier

Re: [VOTE] Rename openid.nonce to openid.response_nonce

Re: Re[2]: [PROPOSAL] bare response / bare request

RE: Delegation Proposal Amendment

Re: [OT] our cookie expiration

Re: Delegation Proposal Amendment

RE: [VOTE] Rename openid.nonce to openid.response_nonce

Re: Consolidated Delegate Proposal

RE: Consolidated Delegate Proposal

RE: Consolidated Delegate Proposal

Re: Consolidated Delegate Proposal

RE: Consolidated Delegate Proposal

RE: Consolidated Delegate Proposal

RE: Consolidated Delegate Proposal

Re: [OT] our cookie expiration

19 matches

Site Navigation

Mail list logo

Footer information