Re: [OpenID] Assertion Quality Extension => openid.importance

2006-12-12 Thread Justin S. Peavey
Manger, James H wrote: > > For most RPs there shouldn’t be a high price (if any price). When the > login only gives access to the user’s own resources (be they colour > preferences, reputation, personal details, money…), then any > inappropriately weak authentication of the user by their OP only >

RE: [OpenID] Assertion Quality Extension => openid.importance

2006-12-12 Thread Manger, James H
The RP is not saying “this is very very important to *me*”. It is saying “in my opinion, this is likely to be very very important to *you*”. Consequently, it is not a contradiction for the RP to also say “I leave it to you as to the specifics”. > Does participating in OpenID mean the RP givin

Re: [OpenID] Assertion Quality Extension => openid.importance

2006-12-12 Thread Justin S. Peavey
Echoing Kevin's comments from October on this (http://openid.net/pipermail/specs/2006-October/000223.html) This model will only fly in the general case when the user or some other non-RP agent is willing to assume all risk/liability for the transaction the user's identity is requesting. Barring t

Re: Comments on Auth 2.0 - Pre-Draft 11

2006-12-12 Thread Joaquin Miller
Thanks, Johnny. Good points. How about one of these: When a message is sent as a POST, OpenID parameters MUST be sent only in the POST body and the parameters processed MUST be only those from the POST body. When a message is sent as a POST, OpenID parameters MUST be sent only in and

RE: [OpenID] Opened IPR Policy Draft

2006-12-12 Thread Gabe Wachob
Well said Phill. We'd like to take an off-the-shelf policy that comes with an off-the-shelf process (the two are very intertwined) that produces specifications that can be taken to more established SDOs. Once this thing exists, this IPR discussion can be very much quicker. As you've noted in

Re: [OpenID] Assertion Quality Extension => openid.importance

2006-12-12 Thread Martin Atkins
Paul Madsen wrote: > Is there not a potential contradiction between an RP expressing both of > 'this is very very important to me' and 'I leave it to you as to the > specifics'? > Perhaps, but that is the case in both the "IdP reports" and the "RP suggests" case: either way the IdP is calling

Re: [OpenID] Assertion Quality Extension => openid.importance

2006-12-12 Thread Paul Madsen
Is there not a potential contradiction between an RP expressing both of 'this is very very important to me' and 'I leave it to you as to the specifics'? If the RP authenticated the user locally and not through OpenID, and the resources it was protecting were of any value or sensitivity, it woul

Re: Comments on Auth 2.0 - Pre-Draft 11

2006-12-12 Thread Johnny Bufu
On 12-Dec-06, at 11:31 AM, Joaquin Miller wrote: >> When a message is sent as a POST, OpenID parameters MUST only be >> sent in and processed from the POST body. > > Does that mean the same as this: > >When a message is sent as a POST, OpenID parameters MUST be sent > only in the POST body

Re: Comments on Auth 2.0 - Pre-Draft 11

2006-12-12 Thread Joaquin Miller
When a message is sent as a POST, OpenID parameters MUST only be sent in and processed from the POST body. Does that mean the same as this: When a message is sent as a POST, OpenID parameters MUST be sent only in the POST body; the parameters processed MUST be only those from the POST bo

Re: [OpenID] Assertion Quality Extension => openid.importance

2006-12-12 Thread Martin Atkins
Manger, James H wrote: > > The user-centric solution is not for the RP to specify a max auth age (or > captcha or email verification or handbio or hardotp…), but for the RP to > indicate the importance of the authentication. The user (with a little help > from their OP) decides how to react (eg

RE: [OpenID] Opened IPR Policy Draft

2006-12-12 Thread Hallam-Baker, Phillip
The problem is not the people who contribute, it's the ones who never join the group or agree to any license because they never intend to make or sell anything. Align with the standards bodies, that way we have the option of going to a standards body later. I have been through the pain here...

Re: [OpenID] Opened IPR Policy Draft

2006-12-12 Thread David Nicol
On 12/12/06, James A. Donald <[EMAIL PROTECTED]> wrote: > Changes and enhancements to the openID standard are > patentable. When the standard was originally proposed, > it was far from clear that it would be widely adopted, > so it is unlikely that anyone patented it in time, so > the original sta

Re: Comments on Auth 2.0 - Pre-Draft 11

2006-12-12 Thread Johannes Ernst
On Dec 11, 2006, at 16:41, Johnny Bufu wrote: > Hi Johannes, > > Josh and I went through the remaining issues, so I have addressed > and/or commented on some of them below. > > For easier tracking I've inserted [josh] after the ones that Josh > agreed to handle. Looking forward to Josh's inpu