Re: More questions about openid.ax.update_url

2007-10-22 Thread James Henstridge
On 18/10/2007, Johnny Bufu [EMAIL PROTECTED] wrote: Hi James, On 17-Oct-07, at 2:42 AM, James Henstridge wrote: I have a few more questions about the update_url feature of OpenID attribute exchange that I feel could do with answers in the specification. For the questions, imagine an

Re: OpenID 2.0 finalization progress

2007-10-22 Thread Dick Hardt
On 19-Oct-07, at 10:20 PM, David Recordon wrote: Completely agreed with Johannes. We are very close with the IPR policy/process being in place and assuming all the contributors agree to it, 2.0 can be declared final within 30 days of October 30th as that is the end of the public review

RE: OpenID 2.0 finalization progress

2007-10-22 Thread Gabe Wachob
Dick is right here regarding the certainty that an IPR policy provides with respect to patent. And IPR policy can never ensure that everyone in the world will refrain from making patent claims. With regards to patent, an IPR policy and procedure can only really affect those who choose to be

Re: More questions about openid.ax.update_url

2007-10-22 Thread Johnny Bufu
On 22-Oct-07, at 3:23 AM, James Henstridge wrote: If the RP does not store any user attributes (and requests them with each transaction from the OP), why does it want to be updated when the user changes an attribute value at their OP? What I meant was that the RP would act as a cache for the

Re: OpenID 2.0 finalization progress

2007-10-22 Thread Kevin Turner
On Fri, 2007-10-19 at 16:12 -0700, Johannes Ernst wrote: [...] and after they had produced a spec, Rambus said but we have some patents. This led to at least one lawsuit I believe. I have heard wildly diverging assessments on whether or not this could happen here. Ok, I'm looking for the

An OAuth OpenID Extension

2007-10-22 Thread David Recordon
Hey all, I know John did some work in September (http://extremeswank.com/openid_trusted_auth.html and http://extremeswank.com/openid_inline_auth.html). Both solve extremely important use-cases and are becoming increasingly discussed especially with the advent of OAuth. I'd really like to

Defining PAPE active authentication (WAS: Re: PAPE Extension Specification)

2007-10-22 Thread David Recordon
Agreed with Jonathan here, don't think we need to define a policy URI for active. Rather need to clarify what is meant in section 5.1. (Optional) If the End User has not actively authenticated to the OP within the number of seconds specified in a manner fitting the requested

Re: PAPE Extension Specification (part 2)

2007-10-22 Thread David Recordon
On Oct 9, 2007, at 10:08 AM, Jonathan Daugherty wrote: Hi all, Here are a few more items. Section 5.1 - The spec doesn't specify what should be done in the absence of max_auth_age in a PAPE request. I could assume, but it would be easy enough to specify, say, that the OP is

RE: OpenID 2.0 finalization progress

2007-10-22 Thread Gabe Wachob
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Turner Sent: Monday, October 22, 2007 1:34 PM To: specs Subject: Re: OpenID 2.0 finalization progress On Fri, 2007-10-19 at 16:12 -0700, Johannes Ernst wrote: [...] and after they had

Re: Defining PAPE active authentication (WAS: Re: PAPE Extension Specification)

2007-10-22 Thread Paul Madsen
SAML 2.0 expresses it in terms of whether or not the authentication is 'passive' paul David Recordon wrote: Agreed with Jonathan here, don't think we need to define a policy URI for active. Rather need to clarify what is meant in section 5.1. (Optional) If the End User has not

Re: Question about PAPE

2007-10-22 Thread David Recordon
Hey Siddharth, Just to be clear, an OTP hardware token is considered a one-time password device token not a Hard token given SP 800-63, section 6 on page 15. This means that an OTP device can satisfy up to level 3, though a FIPS compliant Hard token would be needed for level 4. Level 3 also

Re: Defining PAPE active authentication (WAS: Re: PAPE Extension Specification)

2007-10-22 Thread David Recordon
Hey Paul, How do you guys define passive? Seems like the opposite problem of defining active. Thanks, --David On Oct 22, 2007, at 3:18 PM, Paul Madsen wrote: SAML 2.0 expresses it in terms of whether or not the authentication is 'passive' paul David Recordon wrote: Agreed with

Re: OpenID 2.0 finalization progress

2007-10-22 Thread Josh Hoyt
On 10/22/07, Gabe Wachob [EMAIL PROTECTED] wrote: 3) the community calls the spec final and a contributor raises a potential patent infringement issue, and since the community has already implemented and deployed 2.0, the patent owner has more leverage because the costs of engineering around

RE: OpenID 2.0 finalization progress

2007-10-22 Thread Gabe Wachob
I think that's exactly right, though it's really easy to have blind spots when it comes to figuring out the permutations of how one can game group behavior... so I won't guarantee anything else could happen (I've learned that much from law school ;) As I said, I *believe* the all the actors

Some PAPE Wording Clarifications

2007-10-22 Thread David Recordon
Hey Johnny and Jonathan, Just checked in some clarifications, review would be appreciated. http://openid.net/pipermail/commits/2007-October/000381.html Thanks, --David

Re: An OAuth OpenID Extension

2007-10-22 Thread Joseph Holsten
Wow, these are neat. Thanks for the links David, and especially the work John! OK, so the Inline Auth use case seems like a straightforward case for OAuth: resource url = identifier, user auth url = delegate. Successfully accessing the resource after negotiation would imply that the user