Re: OPs to advertise support for OpenID extensions via the extension's type URI

2009-07-29 Thread David Recordon
Sounds good to me! On Jul 22, 2009, at 5:23 PM, John Bradley wrote: +1 I think that advertising the extension itself is a good practice. An RP may prefer OPs that support the extension over ones that don't. That is the case for PAPE now as an example. With XRD most of that will be described

Re: experimental namespace for openid.net

2009-07-10 Thread David Recordon
Should this experimental namespace only apply to work being done by OpenID working groups? I'm very supportive of pushing the standards forward via prototypes, but that should be done as part of the OpenID community instead of by a single company. I'd be very happy to help get a discovery

Re: Clarification needed in PAPE spec

2009-06-17 Thread David Recordon
Yeah, it was meant to be included with the value of an empty string. --David On Jun 17, 2009, at 10:56 AM, Andrew Arnott wrote: A space-delimited list of no elements is the empty string. So I'd say (and DNOA is coded such that) it cannot be omitted, but may be empty. -- Andrew Arnott I

Re: OAuth Hybrid and UI ML?

2009-06-16 Thread David Recordon
wrote: Will these lists be open for reading to the community? I'd like to keep up with what's happening in both these groups. Thanks, George David Recordon wrote: Once the working groups are approved and someone is willing to moderate new members on the list to make sure they've signed

Re: OAuth Hybrid and UI ML?

2009-06-15 Thread David Recordon
Once the working groups are approved and someone is willing to moderate new members on the list to make sure they've signed contribution agreements before posting, I can make the list itself. --David On Jun 11, 2009, at 6:21 PM, Allen Tom wrote: Hi Nat, How does one create a mailing

Re: Requiring Pseudonymous Identifier

2009-05-13 Thread David Recordon
Agreed. RP requests a pseudonymous identifier and it's up to the OP to figure out how to make one and ideally communicate back to the RP that it did so. --David On May 13, 2009, at 9:41 AM, Andrew Arnott wrote: Agreed. There is no reason for OpenID to mandate how pseudonymous

Re: Requiring Pseudonymous Identifier

2009-05-13 Thread David Recordon
Does it make more sense to use a PAPE policy requesting a pseudonymous identifier or an AX attribute requesting one? Any of these approaches would work, I just don't think we've mapped out the pros/cons of each. --David On May 13, 2009, at 8:44 AM, George Fletcher wrote: I don't think

Re: RECOMMENDED: Proposal to create the OpenID and OAuth Hybrid Extension working group

2009-01-31 Thread David Recordon
Unless there are any objections, I will change this voting period to match that of the CX working group where the vote will open Saturday February 14th. --David - David Recordon da...@sixapart.com wrote: The Specifications Council recommends that the Foundation members approve

Re: RECOMMENDED: Proposal to create the Contract Exchange Extension working group

2009-01-31 Thread David Recordon
eXchange Extention Specification (draft), Oct. 2008. [TX2008]. - David Recordon da...@sixapart.com wrote: The Specifications Council recommends that the Foundation members approve the creation of the Contract Exchange Extension working group (http://openid.net/pipermail/specs-council/2009

Re: Request for consideration of AX 2.0 Working Group Charter Proposal

2009-01-24 Thread David Recordon
This has been on my list to kick to the specs council but I've also been waiting for Dick to reengage since he's been such a core driver of the AX spec in the past. :) --David - Nat Sakimura sakim...@gmail.com wrote: On Sat, Jan 24, 2009 at 4:02 AM, Breno de Medeiros

Re: OpenID Problem

2009-01-14 Thread David Recordon
Hi Faisal, While this is most likely a permissions issue between PHP and your filesystem, I doubt that you'll receive an answer on this mailing list. The specs@openid.net mailing list is designed to discuss the OpenID specifications themselves. You can try reposting to gene...@openid.net

Re: Separation of Discovery from AuthN (was Proposal to form Discovery Working Group)

2009-01-04 Thread David Recordon
I'd advocate for waiting until all of the discovery work occurring in OASIS, IETF, and W3C shakes out before we make changes to how OpenID discovery works. I'd much rather make this sort of change once rather than twice. --David On Jan 4, 2009, at 11:14 PM, Drummond Reed wrote: I’m just

Re: [OIDFSC] FW: Proposal to create the TX working group

2008-12-31 Thread David Recordon
there also enables us to have a more focused discussion than email alone by using comments directly on the wiki page. =Drummond -- *From:* David Recordon [mailto:record...@gmail.com] *Sent:* Wednesday, December 31, 2008 12:33 AM *To:* Nat Sakimura *Cc:* specs

Re: Proposal to form Discovery Working Group

2008-12-22 Thread David Recordon
: David Recordon; Brian Eaton; Johannes Ernst Subject: Proposal to form Working Group I would like to submit the following proposal for a working group charter (also available at http://wiki.openid.net/Working_Groups:Discovery): Services and Metadata Discovery Coordination Working Group

Re: Proposal to form Discovery Working Group

2008-12-22 Thread David Recordon
, and pointers on how to manage the transition. On Mon, Dec 22, 2008 at 10:27 AM, David Recordon drecor...@sixapart.com wrote: Agreed with Breno here. We're going to have to make a change to OpenID discovery at some point over the next year as other groups finish their evolutions

A Working Groups Wiki Page

2008-12-03 Thread David Recordon
We now have a wiki page for Working Groups! http://wiki.openid.net/Working_Groups I've listed the current PAPE WG as well as the groups that I know have been proposed. I've also filled in the draft charter for the Auth 2.1 group at http://wiki.openid.net/Working_Groups:Auth_2.1. If you're

Re: Proposal to create the TX working group

2008-12-03 Thread David Recordon
Contributions: * Sakimura, N., et. al OpenID Trusted data eXchange Extention Specification (draft), Oct. 2008. [TX2008]. On Wed, Nov 12, 2008 at 6:39 AM, David Recordon [EMAIL PROTECTED] wrote: Just wanted to add that Nat is running a session on TX at IIW this afternoon. We should

Re: Completing the SREG 1.1 specification

2008-11-29 Thread David Recordon
I certainly want to see us push the world to implementing AX instead of SREG, though agree with Mart that there are existing interoperability problems with SREG that would be nice to fix given that large OPs are still implementing it in a broken fashion. I'd see no issue with including in

Re: PAPE and NIST level policies.

2008-11-25 Thread David Recordon
Yeah, the latest draft is at http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-05.html . On Nov 25, 2008, at 2:21 AM, Martin Paljak wrote: Right. I was lazy and google directed me to 1.0-02 as the first response ... m. On 25.11.2008, at 12:03, Nat wrote: The

Re: Proposing an OpenID Authentication 2.1 Working Group

2008-11-11 Thread David Recordon
Yep, thanks! I'll be sending out a new charter shortly. On Nov 11, 2008, at 11:24 AM, George Fletcher wrote: Great notes! Thanks! Martin Atkins wrote: Here's the output from today's IIW session on this: 2.0 has been finalized bunch of implementations found lots of spec bugs also gone

Re: Proposal to create the TX working group

2008-11-11 Thread David Recordon
Just wanted to add that Nat is running a session on TX at IIW this afternoon. We should definitely chat about the needs being expressed in this thread and how they might be able to be solved with OpenID. --David On Nov 11, 2008, at 1:13 PM, Martin Paljak wrote: On 09.11.2008, at 20:51, Nat

Re: Email Address to URL Transformation

2008-11-09 Thread David Recordon
Hey Arshad, This is now something we're talking about supporting in OpenID Authentication 2.1 though it isn't yet clear whether it will support a transformation technique like EAUT or something else. --David On Aug 12, 2008, at 5:35 PM, Arshad Khan wrote: Does OpenID 2.0 support ‘Email

Proposing an OpenID Authentication 2.1 Working Group

2008-11-08 Thread David Recordon
on the draft has been achieved, consistent with the purpose and scope. Proposers: - Allen Tom, [EMAIL PROTECTED], Yahoo! - Brad Fitzpatrick, [EMAIL PROTECTED], Google - Breno de Medeiros, [EMAIL PROTECTED], Google - Carl Howells, [EMAIL PROTECTED], JanRain - David Recordon, [EMAIL PROTECTED], Six

Re: Proposal to create the OpenID OAuth Hybrid Working Group

2008-11-08 Thread David Recordon
that maximal consensus on the protocol proposal has been achieved within the working group, consistent with the purpose and scope. Proposers: - Ben Laurie, [EMAIL PROTECTED], Google - Breno de Medeiros, [EMAIL PROTECTED], Google - David Recordon, [EMAIL PROTECTED], Six Apart - Dirk Balfanz, [EMAIL

Re: Proposal to create the TX working group

2008-11-08 Thread David Recordon
any particular attachment to trust exchange. So, I am ok in changing it but it would be nice if I can preserve TX acronym though. Do you have any specific suggestions? =nat On Sun, Nov 9, 2008 at 3:50 AM, David Recordon [EMAIL PROTECTED] wrote: Hi Nat, Thanks. I still would really like

Fwd: [xrds-simple] Refocusing XRDS / XRDS-Simple / Discovery

2008-11-01 Thread David Recordon
This is worth reading as it outlines what Eran plans to do with the current XRDS and XRDS-Simple specifications. It will have future implications on OpenID as the current Yadis discovery protocol actually violates the HTTP and web architecture (as pointed out by the W3C). I'm going to be

Re: Proposal to create the TX working group

2008-10-31 Thread David Recordon
Hey Nat, Do you see this as being built atop Attribute Exchange for transport or as something new that TX defines? I know Sxip had done work with AX to enable passing signed and encrypted attributes using SAML assertions. Is Trust Exchange really the best name? Seems like trust is quite

XRDS-Simple 1.0 Draft 1 Released

2008-03-29 Thread David Recordon
If you haven't taken a look at XRDS-Simple -- and care about Yadis or XRDS Based Discovery -- then you should! The blow by blow history is: 1) Brad Fitzpatrick, Johannes Ernst, and I were looking at merging OpenID and LID in 2005 and needed a discovery protocol. Made a text based one

Fwd: [OpenID] The 3xx Redirect Debate

2008-03-29 Thread David Recordon
Wanted to make sure everyone saw this, though please reply to it on the General list since the majority of the discussion ended up happening over there. --David Begin forwarded message: From: David Recordon [EMAIL PROTECTED] Date: March 29, 2008 1:19:39 AM PDT To: OpenID List [EMAIL

Re: [OpenID] Problems with OpenID and TAG httpRange-14

2008-03-10 Thread David Recordon
I don't see why changes would really need to wait, if there is an interested group of people then let's spin up a mailing list and get participants to agree to the IP policy. The entire goal of having working groups and separate mailing lists is to help ensure that future OpenID specs are

Re: handling of url redirection

2008-02-23 Thread David Recordon
Hi Marv, This has never been specified as a relying party could choose to follow as many redirects as it wishes. Maybe there should be a hard line drawn though from an interoperability side? --David On Feb 17, 2008, at 3:06 PM, SignpostMarv Martin wrote: Was talking with keturn in #openid

Re: OpenID 3.0

2008-02-08 Thread David Recordon
+1. Let's get 2.0 deployed and figure out what it might be lacking before just starting on 3.0. On Feb 3, 2008, at 11:05 PM, Johannes Ernst wrote: Amen. Let's build (optional) extensions, and only if that absolutely does not work for an essential feature, meekly suggest that the smallest

Re: OAuth + OpenID

2008-01-12 Thread David Recordon
Great, thanks! We're talking about these drawings at OpenIDDevCamp right now. Thanks, --David On Dec 11, 2007, at 7:33 PM, NISHITANI Masaki wrote: I enumerated all possible cases to use OAuth and OpenID together to organize my thought a bit more. And correct the charts for one

Finalizing OpenID Authentication 2.0 and OpenID Attribute Exchange

2007-12-01 Thread David Recordon
Hey all, While it's certainly been a long process in the making, it seems that we're now in a position to declare OpenID Authentication 2.0 and OpenID Attribute Exchange as final specifications. Both have evolved through extensive community participation and feedback and each are stable as

Re: [security] Phishing-Resistant Authentication definition

2007-11-20 Thread David Recordon
Do you have proposed wording for this? It might also make sense to rename this policy to something like No Shared Secret and then also draft a second policy which allows shared secrets which are more resistant to phishing than passwords. In the end, not calling anything phishing resistant

Fwd: OSIS PAPE call results

2007-11-05 Thread David Recordon
Hey all, It turned out that from the OSIS interoperability event in Barcelona a call was scheduled to discuss PAPE issues from the interop. I heard about the call a few minutes before, but Mike, Johnny, and I had a really productive call. If no one disagrees, we should get these edits

Re: SREG namespace URI rollback

2007-11-01 Thread David Recordon
Sorry it took me a few days, but seems alright to me. I think a larger question would be if there should be any material differences with SREG 1.1 such as adding a few additional common fields. -David On Oct 26, 2007, at 4:51 PM, Johnny Bufu wrote: David, Josh, Reviving an old thread

Re: Some PAPE Wording Clarifications

2007-10-23 Thread David Recordon
I see both sides of this. At the end of the day the RP is ultimately making the decision as to if the user can proceed or not. Just as in SREG if the RP says email is required and the user/OP choose not to provide it, the RP still has to decide what to do. I do agree that it is easier on

Re: Some PAPE Wording Clarifications

2007-10-23 Thread David Recordon
, there are arguments to be made for both sides here. I have to agree with Johnny and David's point on this; let's give the RP what it can be reasonably expected to understand. On 10/23/07, David Recordon [EMAIL PROTECTED] wrote: I see both sides of this. At the end of the day the RP

Fwd: [OpenID] Provider Assertion Policy Extension Draft 2 Published

2007-10-23 Thread David Recordon
Begin forwarded message: From: David Recordon [EMAIL PROTECTED] Date: October 23, 2007 4:39:23 PM PDT To: OpenID List [EMAIL PROTECTED] Subject: [OpenID] Provider Assertion Policy Extension Draft 2 Published Reply-To: [EMAIL PROTECTED] Hey all, Draft 2 of PAPE has now been published

An OAuth OpenID Extension

2007-10-22 Thread David Recordon
Hey all, I know John did some work in September (http://extremeswank.com/openid_trusted_auth.html and http://extremeswank.com/openid_inline_auth.html). Both solve extremely important use-cases and are becoming increasingly discussed especially with the advent of OAuth. I'd really like to

Defining PAPE active authentication (WAS: Re: PAPE Extension Specification)

2007-10-22 Thread David Recordon
Agreed with Jonathan here, don't think we need to define a policy URI for active. Rather need to clarify what is meant in section 5.1. (Optional) If the End User has not actively authenticated to the OP within the number of seconds specified in a manner fitting the requested

Re: PAPE Extension Specification (part 2)

2007-10-22 Thread David Recordon
On Oct 9, 2007, at 10:08 AM, Jonathan Daugherty wrote: Hi all, Here are a few more items. Section 5.1 - The spec doesn't specify what should be done in the absence of max_auth_age in a PAPE request. I could assume, but it would be easy enough to specify, say, that the OP is

Re: Question about PAPE

2007-10-22 Thread David Recordon
Hey Siddharth, Just to be clear, an OTP hardware token is considered a one-time password device token not a Hard token given SP 800-63, section 6 on page 15. This means that an OTP device can satisfy up to level 3, though a FIPS compliant Hard token would be needed for level 4. Level 3 also

Re: Defining PAPE active authentication (WAS: Re: PAPE Extension Specification)

2007-10-22 Thread David Recordon
Hey Paul, How do you guys define passive? Seems like the opposite problem of defining active. Thanks, --David On Oct 22, 2007, at 3:18 PM, Paul Madsen wrote: SAML 2.0 expresses it in terms of whether or not the authentication is 'passive' paul David Recordon wrote: Agreed

Some PAPE Wording Clarifications

2007-10-22 Thread David Recordon
Hey Johnny and Jonathan, Just checked in some clarifications, review would be appreciated. http://openid.net/pipermail/commits/2007-October/000381.html Thanks, --David

SVN URLs Changed

2007-10-08 Thread David Recordon
Hey all, We're currently in the process of changing all of the SVN URLs to be in the form of http://svn.openid.net/. New URLs are: http://svn.openid.net/ - WebSVN http://svn.openid.net/repos/website/ http://svn.openid.net/repos/specifications/ Sorry for the change, --David

HTML-Based Discovery with OP Identifiers

2006-12-28 Thread David Recordon
Sitting here in Seattle with Drummond and looking through the spec. Section 7.3.3 says: HTML-based discovery MUST be supported by Relying Parties. HTML-based discovery is only usable for discovery of Claimed Identifiers. OP Identifiers must be XRIs or URLs that support XRDS discovery.