RE: Differentiating between User Identifier and OP Identifier

2007-07-31 Thread Eran Hammer-Lahav
Wow... this is a little too Da Vinci Code figuring this out from the spec...
:-)
Why not just write 'XRI is optional'?

EHL




> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Joseph Holsten
> Sent: Tuesday, July 31, 2007 8:55 PM
> To: Eran Hammer-Lahav
> Subject: Re: Differentiating between User Identifier and OP Identifier
> 
> Eran Hammer-Lahav wrote:
> > > Those do not come to the same conclusion - while support for XRIs is
> > > left for each RP to decide, the same does not apply to the XRDS / Yadis
> > > discovery for URLs.
> >
> > So XRI is optional?
> Yes.
> 
> http://josephholsten.com/



___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: Using XRI Proxy Resolvers in OpenID discovery

2007-07-31 Thread Johnny Bufu

On 30-Jul-07, at 12:58 PM, Eran Hammer-Lahav wrote:

> It has been mentioned on this list that XRI might be optional in OpenID 2.0.
> If you read the spec with that mindset you can find ways to prove it.

Yes, support for XRIs is left for each RP to decide (as are a number
of other things).

> Your answer is that all three discoveries are a MUST and if that's the case,
> there is little point in this thread.

I don't think I have stated something that would imply this.

> OpenID 1.1 allowed for a very dumb RP. I was able to implement the entire
> spec from scratch in C++ in under a day. OpenID 2.0 took 10 days and it's
> still not complete (missing authority validation). My suggestion was to
> consider allowing RP's to avoid dealing with XRI and XRDS by requiring HTML
> discovery support on the End User side,

Do you mean the OP side? (The end user is only required to have a  
browser.)

Yadis is required for RPs. (There are good reasons for the HTML ->  
Yadis "upgrade")

Making Yadis optional for RPs and HTML mandatory for OPs would break  
other things - like the OPs offering inconsistent discovery  
information to RPs, based on their preference for Yadis or HTML.


Johnny



RE: Differentiating between User Identifier and OP Identifier

2007-07-31 Thread Eran Hammer-Lahav
> The OpenID spec is not authoritative for what XRDS documents can or  
> cannot contain; it just says how to consume them for the purposes of  
> OpenID authentication.

Point taken.


As for the last few points, I now understand how all the little details from
the various sections come together. I still like my idea of reorganizing
section 7.3.2 a bit but it's not my call. I would suggest to word the last
line in 7.3.2.3 to mention Yadis. Something like:

When parsing an XRDS document retrieved during Yadis discovery (via a URL
Identifier), the CanonicalID element MUST be ignored if present.

> Those do not come to the same conclusion - while support for XRIs is
> left for each RP to decide, the same does not apply to the XRDS / Yadis
> discovery for URLs.

So XRI is optional?

Thanks!

EHL



Re: Differentiating between User Identifier and OP Identifier

2007-07-31 Thread Johnny Bufu

On 30-Jul-07, at 8:48 PM, Eran Hammer-Lahav wrote:
>>> In this case, it sounds like an XRDS document MUST not include both
>>> an OP Endpoint element and a Claimed Identifier element.
>>
>> I don't see this implied anywhere. Do you have a specific pointer or
>> a clear reasoning for this?
>
> If an XRDS has both elements, the RP will try the server and if it doesn't
> work for some reason (server down, etc.) it will move on to Yadis, not to
> the next signon service (7.3.2.2: If none is found, the RP will search for a
> Claimed Identifier Element).

But an OP Identifier Element _was_ found, so the RP should not even  
process Claimed Identifier Elements, if they exist for whatever reason.

> It doesn't say "if none is found or all server
> endpoints have been attempted and failed". Ok, so MUST is wrong in my
> statement. It should be: "an XRDS document SHOULD not include both an OP
> Endpoint element and a Claimed Identifier element".

The OpenID spec is not authoritative for what XRDS documents can or  
cannot contain; it just says how to consume them for the purposes of  
OpenID authentication.

>> It's the other way around: the OP Identifier Element has higher
>> priority, so the Claimed Identifier Element doesn't get used in such
>> a case.
>
> In this example, the OP Identifier element has a lower XRDS priority than
> the Claimed Identifier Element. It's about the intention of the document
> author - this one says use signon before server. The OpenID 2.0 spec implies,
> only use the priority value between services of the same element type.

The Service type supersedes the priority attribute; priority is taken  
into account for services of the same type.

This is what the protocol states, and the document's author intention  
does not override them ;-)

>>> Section 7.3.2.3 is confusing:
>>> 1. Does it only apply to XRI identifiers, not to XRDS documents
>>> found during Yadis discovery?
>>
>> Yes: "When the identifier is an XRI...".
>
> Only because it goes on discussing XRDS documents. Does the last line about
> URL imply using Yadis to get to an XRDS document (where one would find a
> Canonical ID to ignore as instructed)?

Yadis is used to get XRDS documents for URLs - not sure what you're  
asking here.

The last sentence aims to answer the question "what if I get a  
canonical id in an XRDS discovered from a URL".


>>> 4. The first line of the third paragraph is not needed.
>>
>> True, the same MUST is in the second phrase of the first paragraph.
>
> Is this email enough to have an editor consider/make the change?

While not strictly needed, why is this particular reinforcement bad?


>>> 6. Last line is confusing. Where would a  come from if using a
>>> URL identifier? This entire section is under XRDS discovery. Does it refer
>>> to the URL used in a Yadis discovery (I assume not)?
>>
>> What made you think a canonical id is needed for URLs? It is not --
>> for URLs the claimed identifier is determined as described in the
>> normalization section.
>
> Exactly! So why is URL even mentioned here? See my point? :-)

Sorry, no. The URL case is mentioned to answer the valid question above.


>>> Also, from "HTML-Based discovery MUST be supported by
>>> Relying Parties" it sounds like XRDS discovery is not required.
>>
>> How do you come to this conclusion?
>
> See comments in previous email on XRI proxies.

Those do not come to the same conclusion - while support for XRIs is  
left for each RP to decide, the same does not apply to the XRDS /  
Yadis discovery for URLs.


Johnny

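The selection rules Johnny spells out above (an OP Identifier element is used whenever one exists, Claimed Identifier elements are consulted only as a fallback, and the priority attribute only orders services of the chosen type), together with the 7.3.2.3 point Eran raised earlier about ignoring CanonicalID when the XRDS was reached from a URL, are easier to see in code. The following Python is an added example written for this thread; it is not code from the mailing list, from the OpenID specification, or from any OpenID library. The two XRDS documents are constructed, the hostnames `op.example` and `user.example` are hypothetical, and the i-number in the CanonicalID is a made-up placeholder. The service type URIs and the `identifier_select` value are the ones defined in OpenID Authentication 2.0.

```python
"""Added example: pick OpenID 2.0 endpoints from an XRDS document following
section 7.3.2 (OP Identifier element first, Claimed Identifier element only
as a fallback, priority only within one type) and apply the 7.3.2.3 rule
that CanonicalID is ignored for URL identifiers."""
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
OP_IDENTIFIER_TYPE = "http://specs.openid.net/auth/2.0/server"
CLAIMED_IDENTIFIER_TYPE = "http://specs.openid.net/auth/2.0/signon"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed XRDS (hypothetical hosts): the signon service carries the most
# preferred priority value, but server (OP Identifier) services are present,
# so the signon service must not be used at all.
MIXED_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example/signon</URI>
    </Service>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example/server-b</URI>
    </Service>
    <Service priority="5">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example/server-a</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

# Constructed XRDS with only signon services. The first has no priority
# attribute, which XRI resolution treats as the lowest preference. The
# CanonicalID value is a placeholder, not a real i-number.
SIGNON_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <CanonicalID>=!1234.5678.ABCD.EF01</CanonicalID>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example/signon-fallback</URI>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example/signon</URI>
      <LocalID>https://op.example/users/alice</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def _tag(name):
    return f"{{{XRD_NS}}}{name}"


def parse_xrds(xrds_text):
    """Return (CanonicalID or None, services) taken from the final XRD."""
    root = ET.fromstring(xrds_text)
    xrd = root.findall(_tag("XRD"))[-1]  # the last XRD is the authoritative one
    services = []
    for svc in xrd.findall(_tag("Service")):
        attr = svc.get("priority")
        services.append({
            "types": [t.text.strip() for t in svc.findall(_tag("Type")) if t.text],
            "uris": [u.text.strip() for u in svc.findall(_tag("URI")) if u.text],
            "local_id": svc.findtext(_tag("LocalID")),
            # a missing priority attribute sorts after every numeric priority
            "priority": int(attr) if attr is not None else float("inf"),
        })
    return xrd.findtext(_tag("CanonicalID")), services


def choose_services(services):
    """7.3.2.2: OP Identifier elements win outright; Claimed Identifier elements
    are looked at only when no OP Identifier element exists. The priority
    attribute orders services of the chosen type only."""
    op = [s for s in services if OP_IDENTIFIER_TYPE in s["types"]]
    if op:
        return "op_identifier", sorted(op, key=lambda s: s["priority"])
    signon = [s for s in services if CLAIMED_IDENTIFIER_TYPE in s["types"]]
    return "claimed_identifier", sorted(signon, key=lambda s: s["priority"])


def discover(xrds_text, normalized_identifier, identifier_is_xri):
    """Return what the RP needs for the authentication request."""
    canonical_id, services = parse_xrds(xrds_text)
    kind, chosen = choose_services(services)
    if not chosen:
        raise ValueError("no OpenID 2.0 service element in XRDS")
    endpoints = [uri for s in chosen for uri in s["uris"]]
    if kind == "op_identifier":
        # 7.3.1: there is no Claimed Identifier yet; identifier_select is used
        # as both the Claimed Identifier and the OP-Local Identifier.
        return {"kind": kind, "endpoints": endpoints,
                "claimed_id": IDENTIFIER_SELECT, "local_id": IDENTIFIER_SELECT}
    if identifier_is_xri:
        # 7.3.2.3: for an XRI the CanonicalID is the Claimed Identifier.
        if not canonical_id:
            raise ValueError("XRI discovery requires a CanonicalID")
        claimed = canonical_id
    else:
        # 7.3.2.3, last sentence: CanonicalID is ignored for URL identifiers;
        # the Claimed Identifier is the normalized URL itself.
        claimed = normalized_identifier
    first = chosen[0]
    return {"kind": kind, "endpoints": endpoints,
            "claimed_id": claimed, "local_id": first["local_id"] or claimed}
```

Running `discover(MIXED_XRDS, "https://user.example/", False)` yields only the two server endpoints, ordered server-a then server-b, and never the signon URI, even though that service had the lowest priority value; running it on `SIGNON_XRDS` with `identifier_is_xri=False` leaves the Claimed Identifier as the normalized URL and ignores the CanonicalID, while the same document with an XRI identifier returns the CanonicalID as the Claimed Identifier.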


Re: OpenId as API authentication method

2007-07-31 Thread David Fuelling
What is OAuth?  The group appears to be private, so is not accessible.

david

On 7/27/07, John Panzer <[EMAIL PROTECTED]> wrote:
>
>  You should probably check out OAuth:
> http://groups.google.com/group/oauth, and its draft spec.
>
>
> Eran Hammer-Lahav wrote:
>
>  I am not sure if this belongs in the spec list, but I'll give it a try.
>
>
>
> I would like to suggest adding some text to section 11.1 (or anywhere else
> that's appropriate) that will provide guidelines for using OpenID in a
> scenario where the OpenID RP is not the site the user is actually using. The
> OpenID specification is written with some bias towards implementation in a
> website environment which is the most common use. My aim is to use OpenID as
> the authentication method for establishing API sessions. I am building a web
> service where the client (any user of the API) requests to create a session
> token which can then be used to bypass authentication for a certain period
> of time (nothing new here).
>
>