Re: RFC: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Boris Erdmann
If these four issues are resolved, can we call the OpenID 2.0 Authentication specification done? Speak up if you have any other show-stoppers. Josh Yesterday, Dmitry and I had a long talk about browser support for OpenID. I think it is consensus between us two to state, that there are lots

Re: RFC: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Don MacAskill
Josh Hoyt wrote: If these four issues are resolved, can we call the OpenID 2.0 Authentication specification done? Speak up if you have any other show-stoppers. Josh I hate to speak up last minute, but I was at a few tech conferences in the past month or two, and spoke with lots of

RE: RFC: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Dmitry Shechtman
As a relative newcomer to the OpenID community, I realize this may have been debated endlessly already, and I may just be shouted down. It definitely has been debated endlessly. Or am I alone here? No, you aren't. There are many who agree with this entirely, some of whom have expressed their

RE: Proposal for improved security of association establishment in OpenID 2.0

2007-05-18 Thread Guoping Liu
Hans: Thank you for your comments. I agree with you that not vulnerable to *this* man in the middle attack is more accurate. Regards, Guoping -Original Message- From: Granqvist, Hans [mailto:[EMAIL PROTECTED] Sent: Friday, May 18, 2007 10:14 AM To: Guoping Liu; OpenID specs list

Re: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Marius Scurtescu
On 18-May-07, at 1:00 AM, Dmitry Shechtman wrote: 7.3.3. HTML-Based Discovery A LINK tag MUST be included with attributes rel set to openid2.provider and href set to an OP Endpoint URL A LINK tag MAY be included with attributes rel set to openid2.local_id and href set to the end

RE: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Recordon, David
Please no talk of OpenID 3! If anything, 2.1 or the next version. :) Thanks, --David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Josh Hoyt Sent: Thursday, May 17, 2007 2:05 PM To: Alaric Dailey Cc: OpenID specs list Subject: Re: Final outstanding

Re: RFC: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Jonathan Daugherty
# I think in the past the idea was giving the HTML form element a # specific name in addition to the text field. This thus makes it # much easier to detect. And I believe it was also suggested that this is out of scope for the protocol spec itself and should be added to either another spec or a

RE: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Recordon, David
Hey Dmitry, When using Yadis you're able to advertise if you're speaking OpenID 1.1 or 2.0 and thus the RP know which version of the protocol the request should be made in. When using HTML-Based Discovery this is not possible unless the attributes are renamed or a third version tag is added which

RE: RFC: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Recordon, David
Hey Don, Certainly not alone, though I think what we really need to dig into is if the spec is actually more complex from a feature perspective or because it is much more verbose and adds clarity over 1.1. Splitting discovery into a separate spec I think will also help in the document being less

RE: RFC: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Recordon, David
Hi Dmitry, I don't think the solution is to simply denounce OpenID 2.0, but that will rather only make it worse. Rather I'd invite you to continue these productive conversations to see if the issues can be resolved. I think it would be unfortunate for anyone to just give up. --David

Re: Proposal for improved security of association establishment in OpenID 2.0

2007-05-18 Thread Josh Hoyt
Guoping, I'm not an expert, but I do understand the attack that you're describing. I'm hesitant to make the change without input from Paul Crowley, who designed the key exchange mechanism in the first place. I hope that he will comment. It should be noted that a man-in-the-middle can still be a

Re: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Marius Scurtescu
On 18-May-07, at 11:09 AM, Recordon, David wrote: Hey Marius, Good point, committed a patch so please review! :) http://openid.net/svn/diff.php?repname=specifications&path=%2Fauthentication%2F2.0%2Ftrunk%2Fopenid-authentication.xml&rev=325&sc=1 That was fast :-) Looks good, but I would add

Re: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Josh Hoyt
On 5/18/07, Marius Scurtescu [EMAIL PROTECTED] wrote: On 18-May-07, at 1:00 AM, Dmitry Shechtman wrote: In order to be backwards compatible the HTML page should have two sets of tags one for OpenID 1.1 and one for OpenID 2.0, both pointing to the same OP endpoint URL. Otherwise an OpenID 1.1

Re: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Marius Scurtescu
On 18-May-07, at 11:45 AM, Josh Hoyt wrote: On 5/18/07, Marius Scurtescu [EMAIL PROTECTED] wrote: On 18-May-07, at 1:00 AM, Dmitry Shechtman wrote: In order to be backwards compatible the HTML page should have two sets of tags one for OpenID 1.1 and one for OpenID 2.0, both pointing to the

Re: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Johnny Bufu
David, On 18-May-07, at 11:09 AM, Recordon, David wrote: Hey Marius, Good point, committed a patch so please review! :) On 18-May-07, at 11:08 AM, [EMAIL PROTECTED] wrote: + t + As discussed in the xref +target=compat_modeOpenID Authentication 1.1 +

Re: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Josh Hoyt
On 5/18/07, Dmitry Shechtman [EMAIL PROTECTED] wrote: I'm sure that this will break a few implementations It certainly will break PHP-OpenID. Which implementation are you referring to as PHP-OpenID? Josh

Re: RFC: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Josh Hoyt
Don, On 5/18/07, Don MacAskill [EMAIL PROTECTED] wrote: My company, SmugMug, is an OpenID provider for hundreds of thousands of high value paying accounts, and will shortly be a consumer as well. I'll freely admit that I haven't fully digested 2.0's pre-spec, but at least part of that reason

Please clarify 2.0 TOC 14 -- Re: RFC: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Boris Erdmann
If these four issues are resolved, can we call the OpenID 2.0 Authentication specification done? Speak up if you have any other show-stoppers. I'd like to know WHERE to publish the below mentioned XRDS Document in 2_0-11 TOC 14.

HTML discovery: SGML entities and charsets

2007-05-18 Thread Peter Watkins
7.3.3 in draft 11 says The openid2.provider and openid2.local_id URLs MUST NOT include entities other than &amp;, &lt;, &gt;, and &quot;. Other characters that would not be valid in the HTML document or that cannot be represented in the document's character encoding MUST be escaped using the

directed identity + HTML discovery: is this right?

2007-05-18 Thread Peter Watkins
So I'd like my employer (for discussion purposes, The Great Plumbers Association, http://plumbers.co) to act as an OpenID OP. I want all our plumber members to use the same OP URL for OpenID authentication, let's say https://id.plumbers.co/ So the RP doesn't try XRI Resolution, and Yadis fails

Re: directed identity + HTML discovery: is this right?

2007-05-18 Thread Johnny Bufu
On 18-May-07, at 2:19 PM, Peter Watkins wrote: [...] Would we put the OP-Local Identifier in both openid.claimed_id *and* openid.identity? The user/OP can choose to send the local_id as the claimed identifier, or any other claimed identifier that delegates to the local_id sent as