Re: OpenID Trusted Authentication Extension

2007-08-29 Thread John Ehn

I want to start off by saying how horribly inappropriate it is to use the
OpenID specifications mailing list to peddle an authentication standard that
has absolutely nothing to do with OpenID.

I find it interesting that so many of the OAuth community have taken time
out of their busy schedules to tell me to back off on my extension to
OpenID.  Every single response to my specification has mentioned OAuth, and
all with a very defensive tone.  Only one or two responses have had any
constructive criticism about the actual content of the specification.

To MY defense, I didn't even know about OAuth until I was reminded of it
in response to my specification.  I have attempted to review the spec, but
am unable to locate it anywhere, even though I joined the Google Group, as

Due to the very public negative response from the OAuth folks, I am tempted
to remove myself from the group as a result.

As for consensus, I simply don't care.  This was an exercise to allow OpenID
to fill the needs of a specific use case.  I believe it is extremely simple
to implement, and is reasonably secure.  If the OpenID folks decide to adopt
it, I will be very happy.  If not, I will still be happy.

I am passionate about OpenID.  I feel that if I want it to succeed, I should
work to extend it, and I should have the freedom to do so.

Thank you,

John Ehn

On 8/29/07, Chris Messina [EMAIL PROTECTED] wrote:

 Hi John,

 Looks like there's some consensus around OAuth... ;)

 I helped to get OAuth off the ground to solve the very problem that
 you're looking to solve -- in our case, enabling Ma.gnolia OpenID
 users to use Dashboard Widgets and Twitter API users to authenticate
 their apps, eventually using OpenID.

 While I appreciate your work on an OpenID-specific extension, I think
 there's some legitimacy in looking at a solution that works generally
 regardless of the authentication mechanism. By decoupling OpenID and
 OAuth, the goal was to make it easier to adopt OAuth first and then
 lead into adopting OpenID.

 In the case of your spec, which seems like a good piece of work,
 there'd be no sense in supporting the extension without supporting
 OpenID and as such, has limited benefit in the wild for implementors.
 With OAuth, if we're able to get folks like AOL, Google, Yahoo and
 others to support it, the amount of effort necessary to support all of
 them becomes the same amount of work to support one.

 Anyway, I'm glad to see you on the OAuth list. Feel free to poke
 around; we're looking to put out a 0.9 Draft and have it implemented
 over the course of September in libraries and then release finally a
 1.0 Oct 1.



 On 8/27/07, David Fuelling [EMAIL PROTECTED] wrote:
  Have a look at OAuth
  (  I think it's
  currently a private google group, but it seems like you've given a lot
  thought to this type of thing, so I'm sure the group owners would
  your input.  There's a lot of activity going on over there.
  On 8/26/07, John Ehn [EMAIL PROTECTED] wrote:
   I have created a draft of a new specification that I think will help
  fill a gap in OpenID functionality.
   What appears to be a newer productivity feature of many websites is
  ability to import and utilize information from other sites.  For
  Basecamp provides an API that allows other systems to access user data.
  This is a great feature, but it currently cannot be done with OpenID,
 due to
  the dependence on end-user interaction during the authentication
   The Trusted Authentication Extension provides for the ability for an
  OpenID Consumer to log in to another OpenID Consumer without user
  interaction.  The end user will be able to create a trusted connection
  between two OpenID enabled sites, which will allow a client site to
 access a
  destination site using the end user's Identity.
   Please provide your comments and feedback, as they are most
   Thank you,
   John Ehn
   specs mailing list

 Chris Messina
 Citizen Provocateur 
   Open Source Advocate-at-Large
 Cell: 412 225-1051
 Skype: factoryjoe
 This email is:   [ ] bloggable   [X] ask first   [ ] private


Re: [OpenID] Announce: OpenID Authentication Draft 12 (finally)

2007-08-29 Thread Johnny Bufu

On 29-Aug-07, at 12:19 AM, Peter Williams wrote:
 Why do I care so much about a #?

 Discovery in draft#12 is a required security procedure - used when
 verifying the validity of an Auth Response.

I agree: everything starts and then relies on discovery; if it's  
broken nothing works. It's patched now in svn rev 359.

Thanks again Peter for finding this before the spec became final!

