Re: [OpenID board] OAuth Hybrid and UI ML?

2009-06-15 Thread Chris Messina
This is where our process I think is broken.
Without a service like to make collecting the agreements, I don't
see how this can be done in a transparent, transferable way.

How have other groups managed this? Is this why our WG process is so
encumbered and broken?

On Mon, Jun 15, 2009 at 12:41 PM, Allen Tom wrote:

  Hi David,

 I can take care of moderating the UI mailing list. Am I responsible for
 collecting the contribution agreements myself?


 David Recordon wrote:

 Once the working groups are approved and someone is willing to moderate new
 members on the list to make sure they've signed contribution agreements
 before posting, I can make the list itself.

  On Jun 11, 2009, at 6:21 PM, Allen Tom wrote:

  Hi Nat,

 How does one create a mailing list? At least with regards to the OpenID UI
 WG, we're just mailing each other directly.


 Nat Sakimura wrote:

  I just found out that the Mailing list for OAuth Hybrid WG and UI WG are
 not listed on .

  To make sure equal participation, we should make it possible for people
 to find out about them.

  Are they established at all? Where is the discussion being conducted
 right now?

 Nat Sakimura (=nat)


 specs mailing list
 sp...@openid.net

 board mailing list

Chris Messina
Open Web Advocate

This email is: [ ] bloggable [X] ask first [ ] private

Re: SREG's Privacy Policy URL

2009-06-02 Thread Chris Messina
I worry a little about dumping this into the UX extension, because it's not
the logical place to look for it.
Instead (and our WG process is really effed here), perhaps we should have a
Policy Expression Extension (acronym pending) so that we could express
things like this:


<!-- Privacy Policy -->



<!-- Terms & Conditions -->



I also think that RP discovery makes a lot of sense, and that really this
stuff should all live in /host-meta.


On Tue, Jun 2, 2009 at 11:14 AM, Allen Tom wrote:

 OK, how about if we define a new Privacy Policy Service for RPs to
 include in their XRDS, with a link to their privacy policy?

 So the RP would just include the following snippet in its discovery
 document, discoverable under its realm:


 I'm not sure where we can formally document this. I guess we can put it in
 the UI spec?


 George Fletcher wrote:

 I think for a short-term solution we'd need to define service types for
 the privacy policy and TOS for XRDS.

 For the long-term, the same could potentially be used as rel values in
 the XRD markup. The XRD spec is solidifying but is not 100% stable.

 I think we should have a discovery option regardless of whether we update
 UX or AX. So I'd like to see a proposal for XRDS and then when XRD is
 available, supporting that.


 Allen Tom wrote:

 Hi Luke,

 Yes, this is what we're looking for. Currently, in OpenID, the only way
 for the RP to link to its privacy policy (which is sort of like linking to
 its ToS) is by passing it in the openid.sreg.policy_url parameter using

 Since we're trying to deprecate SREG, we can try to move this parameter
 to either the UI or AX Extension, or move it into Discovery.

 Is there an actual Discovery spec?


 Luke Shepard wrote:

 FWIW, Facebook Connect allows relying parties to define a “terms of
 service” url. We then show that link to users when they click on it. With
 OpenID, the equivalent URL would be set using relying party discovery. Is
 this more or less what you’re looking for?


 On 6/2/09 10:21 AM, Allen Tom wrote:

Alternatively, the RP could publish its privacy policy in its
document, which does make a lot of sense, but I understand that there's
a lot of work going on to define the next generation of discovery, and
I'm not quite sure what the timeframe is for that.


Chris Messina
Open Web Advocate


This email is: [ ] bloggable [X] ask first [ ] private
specs mailing list
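
The `openid.sreg.policy_url` parameter discussed in this thread is an RP-supplied link that the OP renders for the user, so an OP should vet it before display. The following is an added example, not code from any poster or from the SREG specification; the rule that the link must sit on the `openid.realm` host is an assumed OP policy, and the `rp.example` hosts and request values are constructed.

```python
from urllib.parse import parse_qs, urlencode, urlsplit


def realm_host(realm):
    """Return (host, wildcard) for an openid.realm such as https://*.example.com/."""
    wildcard = "://*." in realm
    host = urlsplit(realm.replace("://*.", "://", 1)).hostname
    return (host or "").lower(), wildcard


def policy_link_for_display(query):
    """Return the RP's policy URL if it is safe to render as a link, else None."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    url = params.get("openid.sreg.policy_url")
    realm = params.get("openid.realm")
    if not url or not realm:
        return None
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        rhost, wildcard = realm_host(realm)
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return None
    # Only web links: rejects javascript:, data:, file: and scheme-less values.
    if parts.scheme not in ("http", "https"):
        return None
    # Userinfo ("https://rp.example@other.host/") disguises the real host.
    if not host or parts.username or parts.password:
        return None
    # Assumed OP policy (not an SREG requirement): the policy page must be on
    # the realm's host, or on a subdomain when the realm uses a "*." wildcard.
    if rhost and (host == rhost or (wildcard and host.endswith("." + rhost))):
        return url
    return None


def sample_request(policy_url, realm="https://rp.example/"):
    """Constructed checkid_setup query string carrying an SREG policy_url."""
    return urlencode({
        "openid.mode": "checkid_setup",
        "openid.realm": realm,
        "openid.return_to": "https://rp.example/openid/return",
        "openid.sreg.optional": "nickname,email",
        "openid.sreg.policy_url": policy_url,
    })


if __name__ == "__main__":
    for candidate in ("https://rp.example/privacy", "javascript:alert(1)",
                      "https://rp.example@other.example/privacy"):
        print(candidate, "->", policy_link_for_display(sample_request(candidate)))
```
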

Re: Request to consider creation of the User Interface Work Group

2009-02-21 Thread Chris Messina
I think this is very good progress, with a well-defined scope and plenty of
interest so far.

Let's make this happen!


On Fri, Feb 20, 2009 at 4:06 PM, Allen Tom wrote:


 Improving OpenID UX and adding support for internationalization should
 definitely be done ASAP. The scope is focused and well defined, and I'm
 confident that we will be able to quickly write a very short spec that will
 greatly improve OpenID's usability and demonstrate our commitment to deploy
 OpenID worldwide.

 (I might be a bit biased)

 Allen Tom wrote:

 Hi Specs Council,

 Please consider the attached proposal to form the User Interface Work

   Charter Proposal

 In accordance with the OpenID Foundation IPR policies and procedures this
 note proposes the formation of a new working group chartered to produce an
 OpenID specification. As per Section 4.1 of the Policies, the proposed
 charter is below (still liable to change during this feedback period).


 OpenID User Interface Working Group

 Background Information

 OpenID traditionally requires the Relying Party to redirect the entire
 browser window to the OpenID Provider for the user to authenticate before
 redirecting the browser back to the Relying Party. It is believed that the
 User Experience (UX) could be significantly improved if the authentication
 flow occurred within a smaller popup window, making the experience less
 disruptive to the user.
 Although it is possible for Relying Parties to open a popup window for the
 user to authenticate at the OpenID Provider using the Provider's default
 user interface, the overall user experience can be optimized if the OP was
 aware that its UI was running within a popup. For instance, an OP may want
 to resize the popup browser window when using the popup interface, but would
 probably not want to resize the full browser window when using the default
 redirect interface. Another optimization is that the OP can close the popup,
 rather than return a negative assertion if the user chooses to cancel the
 authentication request.
 Users who begin the OpenID sign in process on a Relying Party in one
 language and then transition to their OpenID Provider's site in a different
 language may find the overall experience to be very disruptive. In many
 cases, the Relying Party may want to pass a language hint to the OpenID
 Provider to use to display the User Interface to the user, especially if the
 user is not already authenticated at the OP.

 Statement of Purpose

 This workgroup intends to produce a very brief OpenID extension to enable
 the OpenID Authentication User Interface to be invoked in a standalone popup
 window, and to allow the Relying Party to request that the user interface be
 displayed in a particular language.


 Produce an extension that allows an OpenID Provider to indicate its
 support of a popup friendly user interface, as opposed to the default user
 interface optimized for a full browser window. The popup must be in an
 independent browser window, and must not be framed by the RP.

 The extension will also define a mechanism for RPs to pass a language hint
 to the OP to help determine the language used to display the OpenID
 Authentication user interface.

 Out of Scope
 The content of the user interface other than the language that the
 interface is displayed in is out of scope.

 OpenID User Interface Extension 1.0

 Anticipated audience

 All those interested in improving OpenID Usability.

 Language of business


 Method of work

 Mailing list discussion. Posting of intermediate drafts in the OpenID
 Wiki. Virtual conferencing on an ad-hoc basis.

 Basis for completion of the activity

 The OpenID User Interface Extension 1.0 final draft is completed.


   * Allen Tom, Yahoo!
   * Brian Ellin, Janrain
   * David Recordon, Six Apart
   * Chris Messina, Vidoop/DiSo Project
   * Breno de Medeiros, Google
   * Luke Shepard, Facebook

 Initial Editors

   * Allen Tom, Yahoo!
   * Breno de Medeiros, Google

Chris Messina
Open Web Advocate-at-Large
This email is: [ ] bloggable [X] ask first [ ] private

Re: Proposing an OpenID Authentication 2.1 Working Group

2008-11-18 Thread Chris Messina
And given the growing momentum with the new-fangledness (and its use in
other places like OAuth and Portable Contacts and OpenSocial) it would be
nice if, by the time an initial draft of the newness is complete, OpenID
would be ready with support for it, so that we can simplify and minimize the
number of libraries out there (i.e. ONE set of discovery libraries).
I also appreciate Martin's notes from IIW, since I was unable to attend, and
look forward to David's new charter, since I'm very much in favor and
supportive of this work!


On Wed, Nov 12, 2008 at 6:06 PM, Dick Hardt [EMAIL PROTECTED] wrote:

 Eran is promising to move the XRD spec forward quickly.

 -- Dick

 On 12-Nov-08, at 3:01 PM, Joseph A Holsten wrote:

  Feel free to  focus on yadis/xrds errata, but don't worry about XRD
  new fangledness yet. I'd even say don't mention xrds-simple. OpenID
  has been workable with yadis/xrds. But until the xrds-simple/xrd
  stuff gets near final, mentioning it will only confuse people and
  strain their trust.
  On Nov 11, 2008, at 2:46 PM, David Recordon wrote:
  Yep, thanks!  I'll be sending out a new charter shortly.
  On Nov 11, 2008, at 11:24 AM, George Fletcher wrote:
  Great notes! Thanks!
  Martin Atkins wrote:
  Here's the output from today's IIW session on this:
  2.0 has been finalized
  bunch of implementations
  found lots of spec bugs
  also gone and done oauth and email addresses and other things.
  Can we
  support these in the core spec?
  - Making the spec more readable and fixing bugs (errata)
   - Delegation
   - Error handling
  - Adding a security appendix
   - could be a separate document referred to by the spec
   - possibly produced by separate group
   - Who controls this security page?
 - Security committee could look after this.
 - or Allen at Yahoo! will be editing a security document
  - Clarifying XRI
   - Currently there's no firm message about whether RPs MUST support
  XRIs or not.
   - Need to clarify how exactly XRI should be used with OpenID.
   - Similar to the whitelist question.
  - Clarify if RPs can white or blacklist what OPs they accept, and
   - Discovery of type of identifiers an RP supports.
  - Clarifying IRI
  - Updating discovery. Possibly including the new-fangled XRD
  - Clarifying whether association over SSL must/can use diffie-
  - Discovery of support of checkid_immediate.
  Exploratory work:
  - Signature mechanisms. Looking at additionally supporting the
  mechanisms defined in OAuth so that they can be closer together.
   - Possibly deprecating the current signature mechanism.
   - Public keys?
  - Email-shaped identifiers for OpenID
   - Could be a separate working group?
  There was consensus that email-shaped identifiers would be worked
  on by
  a separate group and possibly rolled into 2.1 if it's done in time.
  - Smart/rich clients?
   - Could be in this WG unless it ends up being a big change in
  case it could be its own WG.
   - There's another session about this.
  Chief Architect   AIM:  gffletch
  Identity Services Work: [EMAIL PROTECTED]
  Mobile: +1-703-462-3494
  Office: +1-703-265-2544   Blog: http://

Chris Messina
Open Technology Advocate-at-Large
This email is: [ ] bloggable [X] ask first [ ] private

Re: Joining OpenID Spec List

2008-10-30 Thread Chris Messina

Not to be curt, but has Facebook signed a non-assert on OpenID IPR? If
you plan to contribute (I hope so!!), would you be able to?


On Tue, Oct 28, 2008 at 7:42 AM, Dave Morin [EMAIL PROTECTED] wrote:
 Hey everyone,

 Just finished talking with David Recordon for a bit and have decided
 to join the OpenID Spec list. Happy to be here and contribute. It was
 great seeing many of you at the OpenID UEX Summit last week.

Chris Messina
Open Technology Advocate-at-Large
This email is: [ ] bloggable [X] ask first [ ] private

Re: Email Address to URL Transformation

2008-08-13 Thread Chris Messina
You can find out more information about EAUT and Emailtoid here:

The specification is available here:

We do hope to turn this into an extension to OpenID as it attempts to
directly address the criticism about OpenID that people don't tend to think
of themselves as URLs but instead identify themselves by email
addresses. I wrote more about this here (for context):


On Tue, Aug 12, 2008 at 9:19 PM, [EMAIL PROTECTED] wrote:

 Formal answer is no.

 I think Vidoop will eventually propose to form a working group on this
 eventually, but that is only my guess.


 On 8/13/08, Arshad Khan [EMAIL PROTECTED] wrote:
  Does OpenID 2.0 support 'Email Address to URL Transformation (EAUT)?
  There is some info on this page of what EAUT is:
  Has Vidoop developed this outside OpenID 2.0 framework?

 Nat Sakimura (=nat)

Chris Messina
Open Source Advocate-at-Large
This email is: [ ] bloggable [X] ask first [ ] private

Re: OpenID Inline Authentication Extension 1.0 Draft 1

2007-09-03 Thread Chris Messina
Has anyone done a comparison between this spec and OAuth? It really  
seems like an unnecessary duplication of work given the 8 months we've  
put into it so far...


Sent from my iPhone

On Sep 3, 2007, at 2:22 PM, Martin Atkins [EMAIL PROTECTED]  

 John Ehn wrote:

 Thanks for the response!  I'm looking at those specs now, and I  
 like the flow of the HTTP Authentication spec, because it looks like
 it's solving the problem of passing the OpenID Identifier to the RP  
 an automated way, which is really cool.  Looks like it needs to be
 fleshed out in some parts, though.

 Both of these specs need work. What you see up there on the wiki is
 really just a brain dump wanting to be turned into a spec. I've not
 really had much time to work on them, though.

 As for the Signature Request protocol, I'm not quite sure what it  
 yet, but I'll let you know my opinion once I've digested it.

 The HTTP Authentication spec has a part in it where it says the  
 must get a signature from somewhere. When I originally specced it my
 only answer here was that non-human agents can act as their own OP and
 therefore they could just compute the signature themselves, but
 realising that this protocol had applications for humans  
 to services inside specialised rich clients ('s  
 API, for example, or JOSM for OpenStreetMap) I added Signature Request
 Protocol as a standard mechanism for rich client RPs to obtain a
 signature from the user's OP.

 As I think it notes somewhere in the copy, I'm imagining in the ideal
 case a desktop service or at least a shared library that does the SRP
 bit on behalf of all of the user's applications, so that each
 application does not need to be given the user's OP credentials. It  
 my hope that it could theoretically be integrated with systems like
 Apple's Keychain.

 However, SRP is still very rough-and-ready and still has lots of
 outstanding issues. I think Inline Authentication might have the  
 to some of these issues.



Re: OpenID Trusted Authentication Extension

2007-08-28 Thread Chris Messina
Hi John,

Looks like there's some consensus around OAuth... ;)

I helped to get OAuth off the ground to solve the very problem that
you're looking to solve -- in our case, enabling Ma.gnolia OpenID
users to use Dashboard Widgets and Twitter API users to authenticate
their apps, eventually using OpenID.

While I appreciate your work on an OpenID-specific extension, I think
there's some legitimacy in looking at a solution that works generally
regardless of the authentication mechanism. By decoupling OpenID and
OAuth, the goal was to make it easier to adopt OAuth first and then
lead into adopting OpenID.

In the case of your spec, which seems like a good piece of work,
there'd be no sense in supporting the extension without supporting
OpenID and as such, has limited benefit in the wild for implementors.
With OAuth, if we're able to get folks like AOL, Google, Yahoo and
others to support it, the amount of effort necessary to support all of
them becomes the same amount of work to support one.

Anyway, I'm glad to see you on the OAuth list. Feel free to poke
around; we're looking to put out a 0.9 Draft and have it implemented
over the course of September in libraries and then release finally a
1.0 Oct 1.



On 8/27/07, David Fuelling [EMAIL PROTECTED] wrote:

 Have a look at OAuth
 (  I think it's
 currently a private google group, but it seems like you've given a lot of
 thought to this type of thing, so I'm sure the group owners would welcome
 your input.  There's a lot of activity going on over there.


 On 8/26/07, John Ehn [EMAIL PROTECTED] wrote:
  I have created a draft of a new specification that I think will help to
 fill a gap in OpenID functionality.
  What appears to be a newer productivity feature of many websites is the
 ability to import and utilize information from other sites.  For instance,
 Basecamp provides an API that allows other systems to access user data.
 This is a great feature, but it currently cannot be done with OpenID, due to
 the dependence on end-user interaction during the authentication process.
  The Trusted Authentication Extension provides for the ability for an
 OpenID Consumer to log in to another OpenID Consumer without user
 interaction.  The end user will be able to create a trusted connection
 between two OpenID enabled sites, which will allow a client site to access a
 destination site using the end user's Identity.
  Please provide your comments and feedback, as they are most appreciated.
  Thank you,
  John Ehn

Chris Messina
Citizen Provocateur 
  Open Source Advocate-at-Large
Cell: 412 225-1051
Skype: factoryjoe
This email is: [ ] bloggable [X] ask first [ ] private

Re: Promoting OpenID

2007-04-05 Thread Chris Messina
I thought it was interesting to discover this:

On the one hand, this is interesting from a marketing perspective, and
I think we need more education materials and demonstrations of how
this technology can be used.

On the other, I personally think selling to the enterprise is nearly
impossible without tons of grassroots adoption (think: Firefox) who
will their feet to the fire, at which point, we can tell them that we
have a bucket of water called OpenID that they can implement to
alleviate the burn.

But that's just how I roll. :)


On 4/4/07, Wes Kussmaul [EMAIL PROTECTED] wrote:

  As long as we're being ecumenical about platforms can we include
 Shibboleth, i-name etc. along with OpenID in user-centric identity?

  If so I am interested.

  Wes Kussmaul

  McGovern, James F (HTSC, IT) wrote:
  Great to hear that you are working with Would someone else
 on this list volunteer to work with Siebel, Peoplesoft, SAP, Intalio and

 -Original Message-
 From: Dick Hardt [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, April 04, 2007 2:57 AM
 To: McGovern, James F (HTSC, IT)
 Subject: Re: Promoting OpenID

 On 2-Apr-07, at 8:15 AM, McGovern, James F (HTSC, IT) wrote:

  Is anyone here working with vendors in the ERP, CRM, ECM, BPM or
 VRM spaces such that user-centric identity is built into their

  We are working with ...

Chris Messina
Citizen Provocateur 
  Open Source Ambassador-at-Large
Cell: 412 225-1051
Skype: factoryjoe
This email is: [ ] bloggable [X] ask first [ ] private