Re: Suggested scoping for AX 2.0 WG

2009-02-03 Thread David Recordon
Agreed with Allen, let's modernize SREG so that the spec matches how  
people are using it already with 2.0 though point people to using AX  
instead.  I'd prefer this happen within the same WG.


--David

On Feb 3, 2009, at 3:20 PM, Allen Tom wrote:


Hi Dick,

I'll be happy to add language to the revised SREG spec to strongly  
encourage all new deployments to use AX and to NOT use SREG,  
however, given the current popularity of SREG, I think it's a good  
idea to clarify and modernize it a bit. Speaking on behalf of Yahoo,  
once we have a usable version of AX, we will encourage RPs to use AX  
over SREG.


I do agree that AX for multiple users in a single request is quite a  
bit different than the current design pattern, where an assertion is  
about a single user. I'm not sure how bulk AX would work without  
OAuth.


Allen

Dick Hardt wrote:
1) I'd prefer to NOT include SREG in the work, but am ok with it  
being in if the scope is really to clarify issues in SREG and add  
language directing people to AX. Anyone else have a strong opinion  
either way? (SREG included in this WG or in a different one?)


2) In the Scope section, I feel strongly that bulk exchange of  
attributes about multiple users is out of scope. It is a very  
different design pattern than what AX does now. I have not seen the  
background on why this is in scope, so perhaps I can have a  
different view if someone cares to enlighten me.


-- Dick

PS: please use my microsoft.com address for any specs discussions.






___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: Suggested scoping for AX 2.0 WG

2009-02-03 Thread Breno de Medeiros
Nat,

My apologies then. I did not understand what you meant and I wrote poor
language in the scope description. Moreover, what you are describing is
probably something that would fit much better in this working group.

Someone wants a stab at clarifying the proposal on this point?

2009/2/3 Nat 

> CX does not and cannot carry information from multiple users.
>
> The information model deals exclusively around a single subject.
>
> =...@tokyo via iPhone
>
> On 2009/02/04, at 7:50, Dick Hardt  wrote:
>
>  Thanks for the feedback Breno!
>
>
>
> Nat: can you provide some illumination? I see that CX would define
> attribute types to be carried in AX. I'm confused about the scenario where
> information from multiple users would be transmitted as that implies that
> the protocol no longer is dealing with a single subject.
>
>
>
> -Dick
>
>
>
> *From:* Breno de Medeiros [mailto:br...@google.com]
> *Sent:* Tuesday, February 03, 2009 2:39 PM
> *To:* Dick Hardt
> *Cc:* da...@sixapart.com; Allen Tom; Martin Atkins; Nat Sakimura; OpenID
> Specs Mailing List
> *Subject:* Re: Suggested scoping for AX 2.0 WG
>
>
>
>
>
> On Tue, Feb 3, 2009 at 2:19 PM, Dick Hardt <dick.ha...@microsoft.com> wrote:
>
> 1) I'd prefer to NOT include SREG in the work, but am ok with it being in
> if the scope is really to clarify issues in SREG and add language directing
> people to AX. Anyone else have a strong opinion either way? (SREG included
> in this WG or in a different one?)
>
>
> I'm ok either way.
>
>
>
> 2) In the Scope section, I feel strongly that bulk exchange of attributes
> about multiple users is out of scope. It is a very different design pattern
> than what AX does now. I have not seen the background on why this is in
> scope, so perhaps I can have a different view if someone cares to enlighten
> me.
>
>
> When Nat Sakimura wrote the contract exchange CX proposal, he included
> scope for exchanging validation/metadata about attributes, and it was felt
> that it should belong here. CX also needs this bulk exchange functionality
> and again because it pertained to attributes, it was believed that it would
> better fit here.
>
> The advantage of keeping it in this WG is that we make sure that different
> approaches to handling exchange of user attributes are viewed by the same
> people, even if it ends up in a separate mini-spec.
>
> The counter-argument is that most members of this WG are not interested
> primarily in this functionality, and it may distract both efforts (CX and
> AX), and that AX is unlikely to directly support anything along these lines.
>
>
>
>
>
> -- Dick
>
> PS: please use my microsoft.com address for any specs discussions.
>
>
>
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
>
>


-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)


Re: Suggested scoping for AX 2.0 WG

2009-02-03 Thread Nat

CX does not and cannot carry information from multiple users.

The information model deals exclusively around a single subject.

=...@tokyo via iPhone

On 2009/02/04, at 7:50, Dick Hardt  wrote:


Thanks for the feedback Breno!



Nat: can you provide some illumination? I see that CX would define
attribute types to be carried in AX. I’m confused about the scenario
where information from multiple users would be transmitted as that
implies that the protocol no longer is dealing with a single subject.




-Dick



From: Breno de Medeiros [mailto:br...@google.com]
Sent: Tuesday, February 03, 2009 2:39 PM
To: Dick Hardt
Cc: da...@sixapart.com; Allen Tom; Martin Atkins; Nat Sakimura;  
OpenID Specs Mailing List

Subject: Re: Suggested scoping for AX 2.0 WG





On Tue, Feb 3, 2009 at 2:19 PM, Dick Hardt wrote:


1) I'd prefer to NOT include SREG in the work, but am ok with it  
being in if the scope is really to clarify issues in SREG and add  
language directing people to AX. Anyone else have a strong opinion  
either way? (SREG included in this WG or in a different one?)



I'm ok either way.



2) In the Scope section, I feel strongly that bulk exchange of  
attributes about multiple users is out of scope. It is a very  
different design pattern than what AX does now. I have not seen the  
background on why this is in scope, so perhaps I can have a  
different view if someone cares to enlighten me.



When Nat Sakimura wrote the contract exchange CX proposal, he  
included scope for exchanging validation/metadata about attributes,  
and it was felt that it should belong here. CX also needs this bulk  
exchange functionality and again because it pertained to attributes,  
it was believed that it would better fit here.


The advantage of keeping it in this WG is that we make sure that  
different approaches to handling exchange of user attributes are  
viewed by the same people, even if it ends up in a separate mini-spec.


The counter-argument is that most members of this WG are not  
interested primarily in this functionality, and it may distract both  
efforts (CX and AX), and that AX is unlikely to directly support  
anything along these lines.






-- Dick

PS: please use my microsoft.com address for any specs discussions.




--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)


Re: Suggested scoping for AX 2.0 WG

2009-02-03 Thread Nat



=...@tokyo via iPhone

On 2009/02/04, at 7:39, Breno de Medeiros  wrote:




On Tue, Feb 3, 2009 at 2:19 PM, Dick Hardt wrote:
1) I'd prefer to NOT include SREG in the work, but am ok with it  
being in if the scope is really to clarify issues in SREG and add  
language directing people to AX. Anyone else have a strong opinion  
either way? (SREG included in this WG or in a different one?)


I'm ok either way.


2) In the Scope section, I feel strongly that bulk exchange of  
attributes about multiple users is out of scope. It is a very  
different design pattern than what AX does now. I have not seen the  
background on why this is in scope, so perhaps I can have a  
different view if someone cares to enlighten me.


When Nat Sakimura wrote the contract exchange CX proposal, he  
included scope for exchanging validation/metadata about attributes,  
and it was felt that it should belong here. CX also needs this bulk  
exchange functionality and again because it pertained to attributes,  
it was believed that it would better fit here.




To be clear, what I have suggested is not the bulk exchange of
multiple users. It is the method to treat a number of attributes as a
group that requires some integrity within them. When it comes to CX,
by design, it does not do multi-user exchange either since it requires
the parties to explicitly sign the contract.


The advantage of keeping it in this WG is that we make sure that  
different approaches to handling exchange of user attributes are  
viewed by the same people, even if it ends up in a separate mini-spec.


The counter-argument is that most members of this WG are not  
interested primarily in this functionality, and it may distract both  
efforts (CX and AX), and that AX is unlikely to directly support  
anything along these lines.





-- Dick

PS: please use my microsoft.com address for any specs discussions.




--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)


Re: Suggested scoping for AX 2.0 WG

2009-02-03 Thread Allen Tom

Hi Dick,

I'll be happy to add language to the revised SREG spec to strongly 
encourage all new deployments to use AX and to NOT use SREG, however, 
given the current popularity of SREG, I think it's a good idea to 
clarify and modernize it a bit. Speaking on behalf of Yahoo, once we 
have a usable version of AX, we will encourage RPs to use AX over SREG.


I do agree that AX for multiple users in a single request is quite a bit 
different than the current design pattern, where an assertion is about a 
single user. I'm not sure how bulk AX would work without OAuth.


Allen

Dick Hardt wrote:

1) I'd prefer to NOT include SREG in the work, but am ok with it being in if 
the scope is really to clarify issues in SREG and add language directing people 
to AX. Anyone else have a strong opinion either way? (SREG included in this WG 
or in a different one?)

2) In the Scope section, I feel strongly that bulk exchange of attributes about 
multiple users is out of scope. It is a very different design pattern than what 
AX does now. I have not seen the background on why this is in scope, so perhaps 
I can have a different view if someone cares to enlighten me.

-- Dick

PS: please use my microsoft.com address for any specs discussions.

  




RE: Suggested scoping for AX 2.0 WG

2009-02-03 Thread Dick Hardt
Thanks for the feedback Breno!

Nat: can you provide some illumination? I see that CX would define attribute 
types to be carried in AX. I'm confused about the scenario where information 
from multiple users would be transmitted as that implies that the protocol no 
longer is dealing with a single subject.

-Dick

From: Breno de Medeiros [mailto:br...@google.com]
Sent: Tuesday, February 03, 2009 2:39 PM
To: Dick Hardt
Cc: da...@sixapart.com; Allen Tom; Martin Atkins; Nat Sakimura; OpenID Specs 
Mailing List
Subject: Re: Suggested scoping for AX 2.0 WG


On Tue, Feb 3, 2009 at 2:19 PM, Dick Hardt <dick.ha...@microsoft.com> wrote:
1) I'd prefer to NOT include SREG in the work, but am ok with it being in if 
the scope is really to clarify issues in SREG and add language directing people 
to AX. Anyone else have a strong opinion either way? (SREG included in this WG 
or in a different one?)

I'm ok either way.


2) In the Scope section, I feel strongly that bulk exchange of attributes about 
multiple users is out of scope. It is a very different design pattern than what 
AX does now. I have not seen the background on why this is in scope, so perhaps 
I can have a different view if someone cares to enlighten me.

When Nat Sakimura wrote the contract exchange CX proposal, he included scope 
for exchanging validation/metadata about attributes, and it was felt that it 
should belong here. CX also needs this bulk exchange functionality and again 
because it pertained to attributes, it was believed that it would better fit 
here.

The advantage of keeping it in this WG is that we make sure that different 
approaches to handling exchange of user attributes are viewed by the same 
people, even if it ends up in a separate mini-spec.

The counter-argument is that most members of this WG are not interested 
primarily in this functionality, and it may distract both efforts (CX and AX), 
and that AX is unlikely to directly support anything along these lines.




-- Dick

PS: please use my microsoft.com address for any specs 
discussions.



--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)


Re: Suggested scoping for AX 2.0 WG

2009-02-03 Thread Breno de Medeiros
On Tue, Feb 3, 2009 at 2:19 PM, Dick Hardt  wrote:

> 1) I'd prefer to NOT include SREG in the work, but am ok with it being in
> if the scope is really to clarify issues in SREG and add language directing
> people to AX. Anyone else have a strong opinion either way? (SREG included
> in this WG or in a different one?)


I'm ok either way.

>
>
> 2) In the Scope section, I feel strongly that bulk exchange of attributes
> about multiple users is out of scope. It is a very different design pattern
> than what AX does now. I have not seen the background on why this is in
> scope, so perhaps I can have a different view if someone cares to enlighten
> me.


When Nat Sakimura wrote the contract exchange CX proposal, he included scope
for exchanging validation/metadata about attributes, and it was felt that it
should belong here. CX also needs this bulk exchange functionality and again
because it pertained to attributes, it was believed that it would better fit
here.

The advantage of keeping it in this WG is that we make sure that different
approaches to handling exchange of user attributes are viewed by the same
people, even if it ends up in a separate mini-spec.

The counter-argument is that most members of this WG are not interested
primarily in this functionality, and it may distract both efforts (CX and
AX), and that AX is unlikely to directly support anything along these lines.



>
>
> -- Dick
>
> PS: please use my microsoft.com address for any specs discussions.
>
>


-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)


Suggested scoping for AX 2.0 WG

2009-02-03 Thread Dick Hardt
1) I'd prefer to NOT include SREG in the work, but am ok with it being in if 
the scope is really to clarify issues in SREG and add language directing people 
to AX. Anyone else have a strong opinion either way? (SREG included in this WG 
or in a different one?)

2) In the Scope section, I feel strongly that bulk exchange of attributes about 
multiple users is out of scope. It is a very different design pattern than what 
AX does now. I have not seen the background on why this is in scope, so perhaps 
I can have a different view if someone cares to enlighten me.

-- Dick

PS: please use my microsoft.com address for any specs discussions.



Re: OpenID Mobile Profile?

2009-02-03 Thread Nat Sakimura
Yes. As far as the protocol flow is concerned, that flow is exactly
what I have suggested in an earlier mail.

By the way, have you thought of some way of dynamically establishing
consumer_key & consumer_secret?

I envision that both consumer and provider advertising its identifier
as  in XRD and associated public key would do the job. Of
course, whether the Service Provider accepts the request is entirely
at their discretion, but it will remove the manual process there.

=nat



On Tue, Feb 3, 2009 at 4:56 AM, Allen Tom  wrote:
> Hi Nat,
>
> OpenID has a huge opportunity in the mobile market, because logging
> in/registering is at least an order of magnitude more painful on a handset
> than on a standard desktop browser. Even with my iPhone, logging in is
> terrible, and I can't think of a single time I've bothered to register.
>
> At least from my perspective, I'm more interested in discussing UX rather
> than protocol changes. Although the URLs are getting really long, the URL
> length is an implementation detail that is mostly hidden from the user.
> Supporting the equivalent of SAML's artifact binding as an additional OpenID
> communication mode isn't really going to improve the UX for users of iPhone
> class devices.
>
> Because OpenID and OAuth appear to be converging, I'd prefer to see
> artifact-type binding implemented using OAuth's Request Token. In OAuth, the
> RP (aka Consumer) first requests a Request Token using direct communication,
> and then redirects the browser to the OP (aka SP) with the Request Token to
> maintain the state. Instead of having the browser pass all the request
> parameters on the URL, all the parameters are represented by the Request
> Token, which is intended to be relatively short.
>
> Allen
>
>
> Nat Sakimura wrote:
>
> Hi.
>
> Are there people who are interested in discussing OpenID Mobile profile sort
> of thing?
> Mobile phones have unique challenges of being restricted in URL length etc.
> OpenID as it stands now has very lengthy URLs in both requests and responses
> and it sometimes does not fit into the restrictions.
> SAML world has defined artifact binding to cope with it. IMHO, OpenID should
> define something like that also.
>
> In Japan, there are a bunch of people (including mobile carriers) who want to
> do it.
>
> Is there interest here as well?
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
>
> 
>
>



-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
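
The request-token binding Allen Tom describes in the quoted message above, sketched as an added example that is not part of the original thread or of any OpenID/OAuth library: the RP registers its request parameters with the OP by direct communication and the browser redirect carries only a short, single-use, expiring token. The endpoint, RP name, `RequestTokenStore`, the five-minute lifetime and the reuse of `oauth_token` as the redirect parameter are assumptions for illustration.

```python
import secrets
import time
from urllib.parse import urlencode

OP_ENDPOINT = "https://op.example/auth"   # constructed endpoint
TOKEN_TTL = 300                           # seconds; assumed lifetime

# Constructed OpenID 2.0 + AX fetch request for a hypothetical RP.
REQUEST = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "checkid_setup",
    "openid.claimed_id": "http://specs.openid.net/auth/2.0/identifier_select",
    "openid.identity": "http://specs.openid.net/auth/2.0/identifier_select",
    "openid.return_to": "https://rp.example/openid/return?session=constructed",
    "openid.realm": "https://rp.example/",
    "openid.assoc_handle": "constructed-assoc-handle-0123456789",
    "openid.ns.ax": "http://openid.net/srv/ax/1.0",
    "openid.ax.mode": "fetch_request",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.required": "email",
}

class RequestTokenStore:
    """Hypothetical OP-side store; parameters arrive server to server."""

    def __init__(self):
        self._pending = {}

    def issue(self, consumer_key, params, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)  # 128 random bits, unguessable
        self._pending[token] = (consumer_key, dict(params), now + TOKEN_TTL)
        return token

    def redeem(self, token, now=None):
        """Return (consumer_key, params) once; None if unknown, reused or expired."""
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)  # pop makes the token single-use
        if entry is None or now > entry[2]:
            return None
        return entry[0], entry[1]

def inline_redirect(params):
    """Redirect URL with every request parameter on the query string."""
    return OP_ENDPOINT + "?" + urlencode(params)

def token_redirect(token):
    """Redirect URL carrying only the request token."""
    return OP_ENDPOINT + "?" + urlencode({"oauth_token": token})

if __name__ == "__main__":
    store = RequestTokenStore()
    tok = store.issue("rp.example", REQUEST)
    print(len(inline_redirect(REQUEST)), "vs", len(token_redirect(tok)))
```

The token stands in for the whole request, so the OP has to treat it as a bearer secret: bind it to the consumer that registered it, expire it quickly, and refuse a second redemption.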