RE: Announcing OpenID Authentication 2.0 - Implementor's Draft 11
I'm not sure what the right process is, though my hunch is that we'll know the time is right once there are multiple working OpenID Auth 2.0 RPs and OPs on the web from different vendors that people are at least testing with. Until code that implements the spec exists in the wild, I doubt we can really ultimately call it final. That's just my take on it though...

--David

-----Original Message-----
From: Dick Hardt [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 18, 2007 11:38 PM
To: heraldry-dev@incubator.apache.org
Cc: openid-general; specs@openid.net
Subject: Re: Announcing OpenID Authentication 2.0 - Implementor's Draft 11

David

A couple questions:

1) Would you like to set a deadline for final comments? Perhaps a week?

2) What is the approval process now? Is it still as posted at: http://openid.net/specs.bml

   Currently, the collective authors of OpenID Authentication (David Recordon, Josh Hoyt, Dick Hardt, and Brad Fitzpatrick) oversee this process and make the final determination of when a proposal has matured.

-- Dick

On 18-Jan-07, at 7:35 PM, Recordon, David wrote:

> So with great pleasure I get to announce the culmination of about nine months of work between the OpenID, XRI, Sxip, and LID communities in the drafting of OpenID Authentication 2.0. This evening the editors have published the final draft of the spec, which we now feel is in a solid state for public implementations.
>
> There are already implementations in various languages (http://svn.apache.org/repos/asf/incubator/heraldry/libraries/, http://code.google.com/p/openid4java/, http://code.google.com/p/openid4perl/) supporting this spec and more will emerge over the next few weeks. There will be another draft of the spec before it is considered final, though unless unforeseen implementation problems emerge these changes will be further wordsmithing and cleanup.
>
> http://openid.net/specs/openid-authentication-2_0-11.html (dated today)
>
> Cool? Cool!
>
> --David

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
On 1/19/07, Recordon, David [EMAIL PROTECTED] wrote:

> So with great pleasure I get to announce the culmination of about nine months of work between the OpenID, XRI, Sxip, and LID communities in the drafting of OpenID Authentication 2.0. This evening the editors have published the final draft of the spec, which we now feel is in a solid state for public implementations.
>
> There are already implementations in various languages (http://svn.apache.org/repos/asf/incubator/heraldry/libraries/, http://code.google.com/p/openid4java/, http://code.google.com/p/openid4perl/) supporting this spec and more will emerge over the next few weeks. There will be another draft of the spec before it is considered final, though unless unforeseen implementation problems emerge these changes will be further wordsmithing and cleanup.
>
> http://openid.net/specs/openid-authentication-2_0-11.html (dated today)
>
> Cool? Cool!

Still totally unhappy about the phishing issues, which I blogged about here: http://www.links.org/?p=187

> --David
> _______________________________________________
> general mailing list
> [EMAIL PROTECTED]
> http://openid.net/mailman/listinfo/general
Re: [OpenID] OpenID and phishing (was Announcing OpenID Authentication2.0 - Implementor's Draft 11)
>> Still totally unhappy about the phishing issues, which I blogged about here: http://www.links.org/?p=187
>
> I have a proposal which I think could greatly reduce the risk of phishing: identity providers should /never/ display their login form (or a link to the form) on a page that has been redirected to by an OpenID consumer. Instead, they should instruct the user to navigate to the login page themselves. The login page should have a short, memorable URL and users should be encouraged to bookmark it themselves when they sign up for the provider.
>
> The OpenID landing page then becomes an opportunity to help protect users against phishing rather than just being a vector for the attack.
>
> I've fleshed this out on my blog: http://simonwillison.net/2007/Jan/19/phishing/
>
> Does that sound workable?

One of the greatest strengths of OpenID is the ability for website operators to lower the barrier to engagement ... User shows up, user enters OpenID, user is then immediately participating in discussion/posts/comments/etc.

I'm afraid this proposal takes away from that by forcing the user to lose the flow ... Of course it's that flow that is the problem in terms of phishing.

What if the OP cataloged where you just came from and then presented the screen that you mention? The user is asked to navigate via a bookmark or entering the URL in the location bar and then upon logging in is presented with a link back to the site they just came from. Then the user can quickly engage and the site can still kick off the SREG mojo instead of having to go _back_ to the site in question to re-initiate the login.

Would that work or am I missing something obvious?

- Scott
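The flow discussed in this message (the OP never renders or links to a login form on the page the RP redirected to, the user instead opens a bookmarked login URL, and after logging in is offered a link back to the pending RP) can be modelled in a few dozen lines. The Python below is an added example, not code from this thread or from any OpenID library: the `Provider` class, its `handle_checkid` and `handle_login` methods, `BOOKMARK_LOGIN_URL` and the user table are constructed for illustration; the `openid.*` parameter names and the rule that `openid.return_to` must match `openid.realm` come from OpenID Authentication 2.0, with the realm check simplified here.

```python
"""Model of an OpenID Provider that refuses to show a login form on a page
reached via Relying Party redirect.  Hypothetical example code: Provider,
its methods, BOOKMARK_LOGIN_URL and USERS are constructed for illustration;
the openid.* parameter names and the return_to/realm rule are from the
OpenID 2.0 spec (realm matching simplified)."""
import hmac
from urllib.parse import parse_qsl, urlsplit

# Constructed values: the OP's short, bookmarkable login URL and a toy user table.
BOOKMARK_LOGIN_URL = "https://op.example/login"
USERS = {"alice": "correct horse battery staple"}


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """Simplified OpenID 2.0 realm check: scheme and port must be equal, the
    realm host must equal the return_to host (or be a '*.' wildcard covering
    it), and the realm path must be a prefix of the return_to path."""
    rt, rl = urlsplit(return_to), urlsplit(realm)
    if not rt.scheme or rt.scheme != rl.scheme or rt.port != rl.port:
        return False
    rt_host, rl_host = rt.hostname or "", rl.hostname or ""
    if rl_host.startswith("*."):
        if rt_host != rl_host[2:] and not rt_host.endswith(rl_host[1:]):
            return False
    elif rt_host != rl_host:
        return False
    return (rt.path or "/").startswith(rl.path or "/")


class Provider:
    """In-memory OP holding one dict per browser session (constructed store)."""

    def __init__(self):
        self.sessions = {}

    def handle_checkid(self, session_id: str, query: str) -> dict:
        """The OpenID endpoint the RP redirects the browser to.  It validates
        the request, remembers where the user came from and tells the user to
        open their bookmark; it never shows or links to a login form."""
        params = dict(parse_qsl(query))
        if params.get("openid.mode") not in ("checkid_setup", "checkid_immediate"):
            return {"action": "error", "reason": "unsupported openid.mode"}
        return_to = params.get("openid.return_to", "")
        realm = params.get("openid.realm", return_to)  # spec: realm defaults to return_to
        if not return_to_matches_realm(return_to, realm):
            return {"action": "error", "reason": "return_to does not match realm"}
        session = self.sessions.setdefault(session_id, {})
        session["pending"] = {"return_to": return_to, "realm": realm}
        return {
            "action": "instruct",
            "show_login_form": False,   # the anti-phishing rule from the proposal
            "came_from": realm,         # the "catalog where you came from" refinement
            "message": f"To sign in, open your bookmark for {BOOKMARK_LOGIN_URL}",
        }

    def handle_login(self, session_id: str, username: str, password: str,
                     query: str = "") -> dict:
        """The bookmarked login page.  It is not an OpenID endpoint, so any
        openid.* parameter means the browser was redirected here and the form
        is refused.  After a successful login the pending RP, if any, is
        offered as the link back so the user need not restart the flow."""
        if any(k.startswith("openid.") for k, _ in parse_qsl(query)):
            return {"action": "refuse", "show_login_form": False}
        expected = USERS.get(username, "")
        if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
            return {"action": "login_failed"}
        session = self.sessions.setdefault(session_id, {})
        session["user"] = username
        pending = session.pop("pending", None)
        # A real OP would send a signed positive assertion to return_to; only
        # the destination of the link back is modelled here.
        return {"action": "logged_in",
                "continue_to": pending["return_to"] if pending else None}


if __name__ == "__main__":
    op = Provider()
    redirect = ("openid.ns=http://specs.openid.net/auth/2.0&openid.mode=checkid_setup"
                "&openid.return_to=https://www.rp.example/finish&openid.realm=https://*.rp.example/")
    print(op.handle_checkid("browser-1", redirect))
    print(op.handle_login("browser-1", "alice", "correct horse battery staple"))
```

The two handlers are deliberately separate URLs: the endpoint that receives `checkid_setup` stores the pending request and only ever returns an instruction, while the login page rejects anything carrying `openid.*` parameters, so a redirect can never land the user on a credential form. The `continue_to` value returned after a direct login is what lets the RP resume the flow without the user re-entering their identifier.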
Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
On 19-Jan-07, at 6:19 AM, Ben Laurie wrote:

> Still totally unhappy about the phishing issues, which I blogged about here: http://www.links.org/?p=187

There are numerous ways of solving this. Several standard methods can solve it. It is a relationship between the user and the OP and the RP is not a party, so I don't think it belongs in the OpenID Authentication specification. That does not mean it is not important, just that *this* spec is not the right place.

-- Dick