RE: Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-19 Thread Recordon, David
I'm not sure what the right process is, though my hunch is that we'll
know the time is right once there are multiple working OpenID Auth 2.0
RPs and OPs on the web from different vendors that people are at least
testing with.  Until code that implements the spec exists in the wild, I
doubt we can really ultimately call it final.

That's just my take on it though...

--David 

-Original Message-
From: Dick Hardt [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 18, 2007 11:38 PM
To: heraldry-dev@incubator.apache.org
Cc: openid-general; specs@openid.net
Subject: Re: Announcing OpenID Authentication 2.0 - Implementor's Draft 11

David

A couple questions:

1) Would you like to set a deadline for final comments? Perhaps a week?

2) What is the approval process now? Is it still as posted at:

http://openid.net/specs.bml

Currently, the collective authors of OpenID Authentication (David
Recordon, Josh Hoyt, Dick Hardt, and Brad Fitzpatrick) oversee this
process and make the final determination of when a proposal has
matured.

-- Dick

On 18-Jan-07, at 7:35 PM, Recordon, David wrote:

 So with great pleasure I get to announce the culmination of about nine
 months of work between the OpenID, XRI, Sxip, and LID communities in
 the drafting of OpenID Authentication 2.0.  This evening the editors
 have published the final draft of the spec, which we now feel is in a
 solid state for public implementations.

 There are already implementations in various languages 
 (http://svn.apache.org/repos/asf/incubator/heraldry/libraries/,
 http://code.google.com/p/openid4java/,
 http://code.google.com/p/openid4perl/) supporting this spec and more 
 will emerge over the next few weeks.

 There will be another draft of the spec before it is considered final,
 though unless unforeseen implementation problems emerge these changes
 will be further wordsmithing and cleanup.

 http://openid.net/specs/openid-authentication-2_0-11.html (dated
 today)

 Cool? Cool!

 --David



___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-19 Thread Ben Laurie
On 1/19/07, Recordon, David [EMAIL PROTECTED] wrote:
 So with great pleasure I get to announce the culmination of about nine
 months of work between the OpenID, XRI, Sxip, and LID communities in the
 drafting of OpenID Authentication 2.0.  This evening the editors have
 published the final draft of the spec, which we now feel is in a solid
 state for public implementations.

 There are already implementations in various languages
 (http://svn.apache.org/repos/asf/incubator/heraldry/libraries/,
 http://code.google.com/p/openid4java/,
 http://code.google.com/p/openid4perl/) supporting this spec and more
 will emerge over the next few weeks.

 There will be another draft of the spec before it is considered final,
 though unless unforeseen implementation problems emerge these changes
 will be further wordsmithing and cleanup.

 http://openid.net/specs/openid-authentication-2_0-11.html (dated today)

 Cool? Cool!

Still totally unhappy about the phishing issues, which I blogged about here:

http://www.links.org/?p=187


 --David
 ___
 general mailing list
 [EMAIL PROTECTED]
 http://openid.net/mailman/listinfo/general



Re: [OpenID] OpenID and phishing (was Announcing OpenID Authentication2.0 - Implementor's Draft 11)

2007-01-19 Thread Scott Kveton
 Still totally unhappy about the phishing issues, which I blogged
 about here:
 
 http://www.links.org/?p=187
 
 I have a proposal which I think could greatly reduce the risk of
 phishing: identity providers should /never/ display their login form
 (or a link to the form) on a page that has been redirected to by an
 OpenID consumer.
 
 Instead, they should instruct the user to navigate to the login page
 themselves. The login page should have a short, memorable URL and
 users should be encouraged to bookmark it themselves when they sign
 up for the provider. The OpenID landing page then becomes an
 opportunity to help protect users against phishing rather than just
 being a vector for the attack.
 
 I've fleshed this out on my blog:
 
 http://simonwillison.net/2007/Jan/19/phishing/
 
 Does that sound workable?

One of the greatest strengths of OpenID is the ability for website operators
to lower the barrier to engagement ... User shows up, user enters OpenID,
user is then immediately participating in discussion/posts/comments/etc.
I'm afraid this proposal takes away from that by forcing the user to lose
the flow ... Of course it's that flow that is the problem in terms of
phishing.

What if the OP cataloged where you just came from and then presented the
screen that you mention?  The user is asked to navigate via a bookmark or
entering the URL in the location bar and then upon logging in is presented
with a link back to the site they just came from.  Then the user can quickly
engage and the site can still kick off the SREG mojo instead of having to go
_back_ to the site in question to re-initiate the login.

Would that work or am I missing something obvious?

- Scott
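Scott's refinement of Simon's proposal (park the RP's request, send the user to a bookmarked login page, then hand back a link to the RP) as an added Python sketch; this is not code from the thread or from any OpenID library, and the session object, credential store, simplified realm match and unsigned assertion are assumptions made for illustration.

```python
# Added example, not code from the thread or any OpenID library: a minimal OP
# landing-page state machine for the bookmark-first flow Simon proposes and
# Scott refines. Credential store, session and assertion signing are placeholders.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

BOOKMARK_URL = "https://op.example/login"  # hypothetical short, memorable login URL
USERS = {"alice": "correct horse"}         # constructed credential store

@dataclass
class Session:
    user: Optional[str] = None
    pending: Optional[dict] = None         # checkid_setup request parked for later

def handle_checkid_setup(session: Session, params: dict) -> dict:
    """Endpoint the RP redirects to. It parks the request and renders a page
    that carries neither a login form nor a link to one."""
    if params.get("openid.mode") != "checkid_setup":
        return {"status": 400, "body": "unsupported mode"}
    return_to = params.get("openid.return_to", "")
    realm = params.get("openid.realm", return_to)  # realm defaults to return_to
    if not return_to.startswith(realm):  # simplified realm match, no wildcards
        return {"status": 400, "body": "return_to not within realm"}
    session.pending = {k: v for k, v in params.items() if k.startswith("openid.")}
    return {"status": 200, "has_login_form": False,
            "body": (f"{realm} asked to verify your OpenID. Use your bookmark for this "
                     f"provider or type {BOOKMARK_URL} yourself; do not follow links here.")}

def bookmarked_login(session: Session, username: str, password: str) -> dict:
    """Page reached only by bookmark or typed URL. After authentication it
    resumes a parked request so the user goes straight back to the RP."""
    if USERS.get(username) != password:
        return {"status": 401, "body": "bad credentials"}
    session.user = username
    req, session.pending = session.pending, None
    if req is None:
        return {"status": 200, "body": "Signed in; no site is waiting."}
    assertion = {  # positive assertion; signature and nonce omitted in this sketch
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.claimed_id": req.get("openid.claimed_id", ""),
        "openid.identity": req.get("openid.identity", ""),
        "openid.return_to": req["openid.return_to"],
    }
    return {"status": 200, "continue_url": req["openid.return_to"] + "?" + urlencode(assertion)}
```

The landing page returned for an RP redirect never offers a credential prompt, so a forged RP that redirects to the OP gains nothing; the real login only happens at the URL the user typed or bookmarked.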



Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-19 Thread Dick Hardt

On 19-Jan-07, at 6:19 AM, Ben Laurie wrote:

 Still totally unhappy about the phishing issues, which I blogged
 about here:

 http://www.links.org/?p=187

There are numerous ways of solving this. Several standard methods can
solve it. It is a relationship between the user and the OP, and the RP
is not a party, so I don't think it belongs in the OpenID
Authentication specification.

That does not mean it is not important, just that *this* spec is not  
the right place.

-- Dick