Re: [OIDFSC] Request to consider creation of the User Interface Work Group

2009-02-24 Thread Dick Hardt
+1 (not sure if I am still on the council or not though :-) On 23-Feb-09, at 11:39 AM, David Recordon wrote: +1 On Feb 20, 2009, at 6:19 PM, Allen Tom wrote: Hi Specs Council, Please consider the attached proposal to form the User Interface Work Group.

RE: Suggested scoping for AX 2.0 WG

2009-02-04 Thread Dick Hardt
To be clear, what I have suggested is not the bulk exchange of multiple users. It is the method to treat number of attributes as a group that requires some integrity within them. When it comes to CX, by design, it does not do multi user exchange either since it requires the parties to

Suggested scoping for AX 2.0 WG

2009-02-03 Thread Dick Hardt
1) I'd prefer to NOT include SREG in the work, but am ok with it being in if the scope is really to clarify issues in SREG and add language directing people to AX. Anyone else have a strong opinion either way? (SREG included in this WG or in a different one?) 2) In the Scope section, I feel

RE: Suggested scoping for AX 2.0 WG

2009-02-03 Thread Dick Hardt
subject. -Dick From: Breno de Medeiros [mailto:br...@google.com] Sent: Tuesday, February 03, 2009 2:39 PM To: Dick Hardt Cc: da...@sixapart.com; Allen Tom; Martin Atkins; Nat Sakimura; OpenID Specs Mailing List Subject: Re: Suggested scoping for AX 2.0 WG On Tue, Feb 3, 2009 at 2:19 PM, Dick

Re: Request for consideration of AX 2.0 Working Group Charter Proposal

2009-01-27 Thread Dick Hardt
I'd prefer to narrow the scope of the WG and keep it focussed on a small number of goals. A separate WG on SREG would be preferred, but I think it is a disservice to the community to have two specs having such significant overlap. Choice in this case leads to confusion and reluctance to

Re: Use of Qworum for indirect communication

2008-12-17 Thread Dick Hardt
Designing OpenID around a particular product is clearly a non-starter. Enabling smart clients was discussed as part of OpenID 2.1 at IIW. Smart clients can: reduce the phishing risk of malicious RPs improve the user experience by simplifying the flow improve the

Re: What is the status of AX 2.0 WG proposal?

2008-12-17 Thread Dick Hardt
I've been busy with other things. :-) I had an in person chat with Allen Tom, Eran and Breno about what they were thinking of. There was some discussion on the step2 list. I have a work item to write up the scope so that we can get it started -- but have needed to deal with some time

Re: Could you update me of the status of CX WG proposal?

2008-12-17 Thread Dick Hardt
On 17-Dec-08, at 6:17 PM, Nat Sakimura wrote: Hi. Could you kindly update me of the status of CX WG proposal? People are waiting for it. Also, I think it is a really good idea to set up a ML for spec council so that people can mail the spec council collectively. I am emailing to David,

Re: What is the status of AX 2.0 WG proposal?

2008-12-17 Thread Dick Hardt
for validate request which has tentatively been abandoned in terms of allowing meta-data to describe attributes in fetch/store requests. 2008/12/17 Dick Hardt dick.ha...@gmail.com: I've been busy with other things. :-) I had an in person chat with Allen Tom, Eran and Breno about what they were

Re: Completing the SREG 1.1 specification

2008-12-02 Thread Dick Hardt
On 2-Dec-08, at 3:41 PM, Allen Tom wrote: We decided to build support for SREG before AX because SREG seems to be more widely used, and also because SREG allows the RP to pass the url to its privacy policy in the request. Strangely, AX does not have an interface for the RP to pass its

Re: Completing the SREG 1.1 specification

2008-11-29 Thread Dick Hardt
want to implement! If the community is ready to move to AX, then you don't need to do the work. If the community wants both, then it does need to get cleaned up. Dick Hardt wrote: A related topic. Wondering what the community thinks of having two specifications for moving around profile

Re: Completing the SREG 1.1 specification

2008-11-28 Thread Dick Hardt
A related topic. Wondering what the community thinks of having two specifications for moving around profile data: we have SREG and AX: do we need both? -- Dick On 28-Nov-08, at 2:33 PM, Martin Atkins wrote: Hi all, It recently became apparent that version 1.1 of the Simple

Re: Proposing an OpenID Authentication 2.1 Working Group

2008-11-18 Thread Dick Hardt
new charter, since I'm very much in favor and supportive of this work! Chris On Wed, Nov 12, 2008 at 6:06 PM, Dick Hardt [EMAIL PROTECTED] wrote: Eran is promising to move the XRD spec forward quickly. -- Dick On 12-Nov-08, at 3:01 PM, Joseph A Holsten wrote: Feel free to focus on yadis

Re: Proposing an OpenID Authentication 2.1 Working Group

2008-11-12 Thread Dick Hardt
Eran is promising to move the XRD spec forward quickly. -- Dick On 12-Nov-08, at 3:01 PM, Joseph A Holsten wrote: Feel free to focus on yadis/xrds errata, but don't worry about XRD new fangledness yet. I'd even say don't mention xrds-simple. OpenID has been workable with yadis/xrds. But

Re: Auto logout? Request re-authentication from the server?

2008-07-02 Thread Dick Hardt
One parameter of PAPE was allowing the RP to specify how long it had been since the OP had authenticated the user. There is a PAPE working group right now, if you were interested in looking at how your suggestions would be incorporated, I am sure they would welcome you to the group. I've

RECOMMENDED: Proposal to create the PAPE working group

2008-05-22 Thread Dick Hardt
John Bradley, [EMAIL PROTECTED], Wingaa Corporation Johnny Bufu, [EMAIL PROTECTED], Independent Dick Hardt, [EMAIL PROTECTED], Sxip Identity Corporation Editors: Michael B. Jones, [EMAIL

Re: Using email address as OpenID identifier

2008-04-02 Thread Dick Hardt
On 1-Apr-08, at 11:15 PM, Paul E. Jones wrote: Dick, I’ll give you that one: that’s certainly easier. But, does not cause some confusion? After all, one’s identity is not yahoo.com, but that is the identity provider. Perhaps the prompts around the Internet ought to Say “OpenID

Re: OpenID and Yahoo

2008-04-02 Thread Dick Hardt
On 2-Apr-08, at 6:28 AM, McGovern, James F (HTSC, IT) wrote: Does anyone have a perspective on Yahoo and AOL and their weak support for OpenID? It is good that they are a provider, but shouldn't they really also allow access based on an OpenID issued by signon.com, myvidoop.com and others...

Re: Using email address as OpenID identifier

2008-04-01 Thread Dick Hardt
On 1-Apr-08, at 7:37 PM, Brad Fitzpatrick wrote: -- that said, with directed identity in OpenID 2.0, a user just needs to type in yahoo.com, or press the pretty yahoo button. No typing. I think this is why we don't need to use emails. People are very familiar with typing in a URL in

Re: Using email address as OpenID identifier

2008-04-01 Thread Dick Hardt
Entering yahoo.com is even easier! On 1-Apr-08, at 10:05 PM, Paul E. Jones wrote: Eran, I’m not suggesting that the address must be a real e-mail address. I’m suggesting that the ID has that form. It’s easier for users than entering https://me.yahoo.com/userid. If it happens to also be

Re: Using email address as OpenID identifier

2008-04-01 Thread Dick Hardt
On 1-Apr-08, at 10:02 PM, Paul E. Jones wrote: Dick, On this point, I really have to disagree. Even I rarely enter a URL into a web browser. Why bother when I know the web browser will figure it out for me. I don’t want to type http:// or https:// :-) I don't want to type the protocol

Re: RP generated nonce for stateful mode.

2007-11-20 Thread Dick Hardt
You point out the issue. A hash of the session-id is NOT a nonce. A nonce is required to prevent replay attacks. -- Dick On 19-Nov-07, at 8:19 PM, NISHITANI Masaki wrote: Hi everyone. OpenID 2.0 uses nonce generated by OP to identify the transaction. This seems very reasonable for

Re: OpenID 2.0 finalization progress

2007-10-25 Thread Dick Hardt
2.0 is stamped complete without an IPR non-assertion statement from everybody involved here, I'm going to blog red flags far wide because I see no reason this little crew can't get that much together in time, and quite quickly. - Brad On Mon, 22 Oct 2007, Dick Hardt wrote: On 19

Re: OpenID 2.0 finalization progress

2007-10-22 Thread Dick Hardt
On 19-Oct-07, at 10:20 PM, David Recordon wrote: Completely agreed with Johannes. We are very close with the IPR policy/process being in place and assuming all the contributors agree to it, 2.0 can be declared final within 30 days of October 30th as that is the end of the public review

Re: OpenID 2.0 finalization progress

2007-10-18 Thread Dick Hardt
, for example, wouldn't it? On Oct 15, 2007, at 16:00, Dick Hardt wrote: +1 On 15-Oct-07, at 3:02 PM, Josh Hoyt wrote: Hello fellow OpenID spec participants, As I wrote in August [1], it's time to get the specification declared final. We've had quite a while now for implementations

Re: OpenID Attribute Exchange Protocol questions

2007-07-10 Thread Dick Hardt
On 10-Jul-07, at 1:47 AM, James Henstridge wrote: On 10/07/07, Johnny Bufu [EMAIL PROTECTED] wrote: On 6-Jul-07, at 3:54 AM, James Henstridge wrote: Would that be appropriate to include in the spec or some best practices document? I see this as a pure OpenID (core) issue and don't feel

Re: OpenID Attribute Exchange Protocol questions

2007-07-10 Thread Dick Hardt
On 10-Jul-07, at 1:47 AM, James Henstridge wrote: I don't think it's implied anywhere (or a good design) to keep state between the original request and subsequent updates. So the RP cannot infer the 'removed' statement just because an update did not contain an attribute that was

Re: OpenID Attribute Exchange Protocol questions

2007-07-10 Thread Dick Hardt
On 10-Jul-07, at 10:52 AM, Johnny Bufu wrote: On 10-Jul-07, at 8:43 AM, James Henstridge wrote: On 10/07/07, Dick Hardt [EMAIL PROTECTED] wrote: Given that there doesn't seem to be any way to recover from this situation, it seems like private associations are the only sane option

Re: No New DB Field Requirement? (WAS: RE: Questions about IIW Identifier Recycling Table)

2007-06-08 Thread Dick Hardt
It is more complex having to use two fields to uniquely identify a user in a DB than one. DB queries are more complex and there is more opportunity for the developer to make mistakes. Given a goal of OpenID is to be simple, one field is better than two. -- Dick On 8-Jun-07, at 10:14 AM,

Re: Do We Agree on the Problem We're Trying to Solve?

2007-06-08 Thread Dick Hardt
to A. Anybody disagree? If so, I'd suggest that we should either solve A and B at the same time, or not at all. On Jun 8, 2007, at 10:42, Dick Hardt wrote: At IIW we[1] decided we wanted to solve (A) and that (B) would be nice to solve, but we were ok to wait for a future version

Re: Do We Agree on the Problem We're Trying to Solve?

2007-06-08 Thread Dick Hardt
At IIW we[1] decided we wanted to solve (A) and that (B) would be nice to solve, but we were ok to wait for a future version to resolve, as when we discussed (B), resolving looked much harder than it seemed at first. I'm not certain of where we are now. -- Dick [1] those present when we

Re: Do We Agree on the Problem We're Trying to Solve?

2007-06-08 Thread Dick Hardt
Multiple, redundant identifiers solves B without requiring a master directory. On 8-Jun-07, at 11:06 AM, Johannes Ernst wrote: Such as? On Jun 8, 2007, at 10:55, Dick Hardt wrote: There are ways to solve B that don't really solve A. In fact, I think the only way to solve B that does

Re: Do We Agree on the Problem We're Trying to Solve?

2007-06-08 Thread Dick Hardt
On 8-Jun-07, at 2:29 PM, Drummond Reed wrote: Multiple, redundant identifiers is what canonical ID mapping provides. It doesn't require a master directory; it's as distributed as OpenID itself, i.e., it simply provides a way to map a reassignable URL or XRI to a persistent URL or XRI.

Re: Do We Agree on the Problem We're Trying to Solve?

2007-06-08 Thread Dick Hardt
On 8-Jun-07, at 4:21 PM, Drummond Reed wrote: Dick Hardt wrote: The persistent URL or XRI *is* a master directory. What do you do when the persistent identifier is compromised, goes out of business ... That is problem B. Canonical IDs do not solve B. I completely agree that B

Re: Do We Agree on the Problem We're Trying to Solve?

2007-06-08 Thread Dick Hardt
that LiveJournal, or some ugly URL from AOL, etc will never go away then that is my choice. --David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dick Hardt Sent: Friday, June 08, 2007 4:08 PM To: Drummond Reed Cc: specs@openid.net Subject: Re: Do We

Re: Attribute Exchange external reference?

2007-06-04 Thread Dick Hardt
The attribute exchanged can be a reference rather than the data itself. http://axschema.org/media/image/default/ Is an example. -- Dick On 4-Jun-07, at 12:23 AM, =nat wrote: Hi. I am kind of new to this field, and this topic may have been discussed before, but since a Google search on

Re: Specifying identifier recycling

2007-06-04 Thread Dick Hardt
On 4-Jun-07, at 7:51 AM, Granqvist, Hans wrote: So I ask again - does anyone see any issues with the fragments being used like this: http://openid.net/pipermail/specs/2007-May/001767.html Seems reasonable in essence. But it adds complexity and removes some immediacy of URL

Re: Specifying identifier recycling

2007-06-03 Thread Dick Hardt
On 3-Jun-07, at 2:14 AM, Recordon, David wrote: Overall, I'm not sure we are ready in this community to pick one alternative over another as the standards. I have my views, (many) others have (many) others -- and I don't think that any of this has to be in an Authentication 1.x (x1) or 2.0

Re: Specifying identifier recycling

2007-06-03 Thread Dick Hardt
There is a huge difference between the OP/RP shared secret and using a shared secret as an identifier. The secret between the OP and RP has a mechanism for it to be recycled. If it happens to be lost, then the pair can set up a new secret. If the user's secret is lost, then that identifier

Re: Proposal for Recycling Identifiers in OpenID 2.0

2007-05-14 Thread Dick Hardt
The issue you bring up is a separate issue than the motivation for recycling identifiers by large OPs. Your point is how does a user transfer from one identifier to another. The issue at hand is the scarcity of namespace. -- Dick On 14-May-07, at 8:48 AM, Johannes Ernst wrote: These seems

Re: Proposal for Recycling Identifiers in OpenID 2.0

2007-05-14 Thread Dick Hardt
On 14-May-07, at 10:10 AM, Johannes Ernst wrote: On May 14, 2007, at 9:12, Dick Hardt wrote: The issue you bring up is a separate issue than the motivation for recycling identifiers by large OPs. What I'm saying is a superset of the issue discussed so far that ought to use the same

Proposal for Recycling Identifiers in OpenID 2.0

2007-05-13 Thread Dick Hardt
I had the good fortune of discussing URIs, URLs, fragments and the recycling issue with a number of smart W3C people at WWW2007 and they did not respond with horror at the concept of using fragments to recycle identifiers. Given this is a requirement for large OPs, here is a proposal. A

Re: encoding newlines in attribute values

2007-04-20 Thread Dick Hardt
On 20-Apr-07, at 11:05 AM, Douglas Otis wrote: On Apr 20, 2007, at 10:56 AM, Johnny Bufu wrote: On Apr 19, 2007, at 10:46 AM, Josh Hoyt wrote: Each attribute already has to define its encoding rules and data-type. The mechanism for encoding a newline can be part of this encoding, if

axschema.org instead of openid.net

2007-04-20 Thread Dick Hardt
Thanks everyone for feedback on using schema.openid.net. Here are my conclusions: 1) A number of people would like to be using a web oriented schema right away and don't want to wait for other groups to create the schema. 2) A number of people are allergic to the openid.net domain being

Re: [dev-monkey] Newlines in bio attribute

2007-04-11 Thread Dick Hardt
use a common escape sequence ... may need to define one for AX anyways ... On 10-Apr-07, at 2:07 PM, Rowan Kerr wrote: The OP doesn't like newlines in attribute values. Which isn't that surprising because handling of newlines isn't even described in the OpenID AX spec yet. But, if we

Re: in favor of allowing a fragment in a URI for metadata for an attribute type

2007-04-11 Thread Dick Hardt
btw: my main driver in stating +1 is that I was concerned with how it would be implemented, and given that Mark has the one working parser and is ok with it, then my concern has disappeared! On 10-Apr-07, at 5:52 PM, Dick Hardt wrote: Good argument Mark, I concur. +1 -- Dick On 10-Apr

Re: PROPOSAL schema.openid.net for AX (and other extensions)

2007-04-10 Thread Dick Hardt
On 9-Apr-07, at 5:24 PM, Recordon, David wrote: Yes, I agree an upgrade path from SREG is needed. We could however do something as simple as http://openid.net/specs/openid-simple-registration-extension-1_0.html#nickname for the existing SREG fields. by making this a fragment, you force

Re: Web Access Management

2007-04-09 Thread Dick Hardt
Deal with the IPR issue ... On 9-Apr-07, at 12:54 PM, McGovern, James F ((HTSC, IT)) wrote: So, what will it take to move the mentioned vendors from simply being aware to actively participating? -Original Message- From: Dick Hardt [mailto:[EMAIL PROTECTED] Sent: Sunday, April 08

Re: PROPOSAL schema.openid.net for AX (and other extensions)

2007-04-09 Thread Dick Hardt
in the documents and I think this list would benefit everyone in the conversation. I'm just curious as to the fields you're expecting an OP to implement. --David -Original Message- From: Dick Hardt [mailto:[EMAIL PROTECTED] Sent: Monday, April 09, 2007 07:12 PM Pacific Standard

Re: Web Access Management

2007-04-08 Thread Dick Hardt
if Dick reached out to them. -Original Message- From: Hans Granqvist [mailto:[EMAIL PROTECTED] Sent: Thursday, April 05, 2007 1:05 PM To: Dick Hardt Cc: McGovern, James F (HTSC, IT); specs@openid.net Subject: Re: Web Access Management Ping demoed OpenID technology at RSA. I

Re: Promoting OpenID

2007-04-08 Thread Dick Hardt
On 5-Apr-07, at 8:46 PM, Johannes Ernst wrote: On Apr 5, 2007, at 18:36, Chris Messina wrote: ... I personally think selling to the enterprise is nearly impossible without tons of grassroots adoption ... I disagree. ;-) Now granted, there are many, many things that we all need to do and

Re: PROPOSAL schema.openid.net for AX (and other extensions)

2007-04-08 Thread Dick Hardt
, Mark Wahl wrote: Dick Hardt wrote: If there was something out there already, I would propose we used it. There is not. Just like the SAML crowd has accused the OpenID crowd of reinventing an identity protocol (AKA reinventing the wheel) -- the AX proposal has some unique concepts

Re: some questions on OpenID AX 1.0 draft 4

2007-04-08 Thread Dick Hardt
Hi Mark, for some reason I just saw this post, answers and questions inserted ... On 5-Apr-07, at 9:47 AM, Mark Wahl wrote: http://openid.net/specs/openid-attribute-exchange-1_0-04.html 1. Section 2 states that the store operation saves or updates attribute information on the OpenID

Re: Moving AX Forward (WAS RE: SREG namespace URI rollback)

2007-04-06 Thread Dick Hardt
On 5-Apr-07, at 9:18 AM, Recordon, David wrote: I don't think this is really that important of a point given all the other things we need to do. People are going to do things different than you would, but get the same result -- is that ok? I'm fine with doing things differently, I'm not

Re: Moving AX Forward (WAS RE: SREG namespace URI rollback)

2007-04-06 Thread Dick Hardt
On 5-Apr-07, at 9:24 AM, Recordon, David wrote: Dick, see my other message but this is not about ME stopping you! We wanted to publish them on the website so that other people could look at them, but you did not want to do that, and you control the domain. Dick, that isn't a fair statement

PROPOSAL schema.openid.net for AX (and other extensions)

2007-04-06 Thread Dick Hardt
OpenID Attribute Exchange (AX) uses URLs to uniquely identify attributes. The URLs are resolvable to provide meta data that is both machine and human readable. In order to do anything useful with AX, some common identity attributes need to be defined. I would propose that we start off

Re: PROPOSAL schema.openid.net for AX (and other extensions)

2007-04-06 Thread Dick Hardt
If there was something out there already, I would propose we used it. There is not. Just like the SAML crowd has accused the OpenID crowd of reinventing an identity protocol (AKA reinventing the wheel) -- the AX proposal has some unique concepts that people like Paul and Mark think are

Re: PROPOSAL schema.openid.net for AX (and other extensions)

2007-04-06 Thread Dick Hardt
worth discussing at IIW when the entire community comes together. I would really like to see this be something that can be used by OpenID, CardSpace, Higgins, SAML, etc. --David -Original Message- From: Dick Hardt [mailto:[EMAIL PROTECTED] Sent: Friday, April 06, 2007 1:07 PM

Re: Re[2]: Server-to-server channel

2007-04-05 Thread Dick Hardt
On 4-Apr-07, at 8:59 PM, Chris Drake wrote: Thursday, April 5, 2007, 5:43:02 AM, you wrote: [snip] DO How these keys are handled internally could be left to the DO consumer or RP. [snip] This sounds like another *strong* use-case for updating the OpenID protocol to allow transactions

Re: Moving AX Forward (WAS RE: SREG namespace URI rollback)

2007-04-05 Thread Dick Hardt
advocating this work be done as part of the ID Schemas project to provide this flexibility. --David -Original Message- From: Johnny Bufu [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 04, 2007 12:39 PM To: Recordon, David Cc: Dick Hardt; OpenID specs list Subject: Re: Moving AX

Re: Moving AX Forward (WAS RE: SREG namespace URI rollback)

2007-04-05 Thread Dick Hardt
On 4-Apr-07, at 1:16 PM, Recordon, David wrote: Johnny, I see a lot of, at least my initial confusion, coming from there being multiple documents. This is why I urge merging the transport and metadata since the reality is they currently are only being used with each other. As the metadata

Re: Attribute Exchange 1.0 svn revision 295 review

2007-04-05 Thread Dick Hardt
On 4-Apr-07, at 2:07 PM, Josh Hoyt wrote: Is editing of this spec by authors of other OpenID specifications welcome? (I hope that by this review and my past spec work I'm showing that I have adequate understanding and appropriate goals.) Yes! Great feedback below Update URL issues

Re: Moving AX Forward (WAS RE: SREG namespace URI rollback)

2007-04-05 Thread Dick Hardt
On 5-Apr-07, at 9:06 AM, Recordon, David wrote: Actually it is describing a document format, and it could easily be used by other groups as evidenced by references from people in the ID Schemas group. I agree that it could be, but is anyone? It leaves the option open. I love shooting

Re: Moving AX Forward (WAS RE: SREG namespace URI rollback)

2007-04-05 Thread Dick Hardt
If you would let us put the attributes on the website, then other people could see them and comment on them. On 5-Apr-07, at 9:02 AM, Recordon, David wrote: I guess I don't see why blaming the ID Schemas project for not much happening is a good excuse for not doing it there. Blame? ... just

Re: Promoting OpenID

2007-04-04 Thread Dick Hardt
On 2-Apr-07, at 8:15 AM, McGovern, James F ((HTSC, IT)) wrote: Is anyone here working with vendors in the ERP, CRM, ECM, BPM or VRM spaces such that user-centric identity is built into their product? We are working with salesforce.com ...

Re: Attribute Exchange pre-draft 5

2007-04-03 Thread Dick Hardt
On 3-Apr-07, at 3:32 AM, Josh Hoyt wrote: If I understand correctly, the response to a request for an attribute with count.x=1 is different from the response for a request with no count specified, even though the meaning is the same. (namespacing left off for clarity) Request:

Re: Server-to-server channel

2007-04-03 Thread Dick Hardt
Good questions to tease out the logic behind the architecture Anders, responses to each of your points below ... On 3-Apr-07, at 6:18 AM, Anders Feder wrote: Johnny Bufu wrote: This is basically a push approach, as opposed to the pull approach you were suggesting. I'm new to OpenID, and

Re: Server-to-server channel

2007-04-03 Thread Dick Hardt
On 3-Apr-07, at 8:24 AM, Dick Hardt wrote: On 2-Apr-07, at 11:50 AM, Chris Drake wrote: User Centric implies that sites don't store anything about me, and that whenever they need to know stuff (eg: my email), they instead ask my OpenID server, which returns them the answer (unless I've

Re: Server-to-server channel

2007-04-03 Thread Dick Hardt
On 3-Apr-07, at 3:05 PM, Anders Feder wrote: Dick Hardt wrote: There are two common client server design patterns. Request / Response and Publish / Subscribe. I see - I was not aware that the latter model was so well-understood in the client/server paradigm. The RP has what ever

Re: Web Access Management

2007-04-03 Thread Dick Hardt
Ping demoed OpenID technology at RSA. I hear Novell and IBM are looking at supporting OpenID. Microsoft has said they will in future products. Oracle and CA are following OpenID. So, yes. :-) On 2-Apr-07, at 8:21 AM, McGovern, James F ((HTSC, IT)) wrote: Unlike blog sites and Internet

Re: SREG namespace URI rollback

2007-04-03 Thread Dick Hardt
I can see an OP thinking that AX is a big step, but have a hard time seeing it to be that big for an RP (once there are libraries that support AX) ... and it is really not that much more to do AX over SREG for an RP. Were you thinking OP or RP David? -- Dick On 3-Apr-07, at 12:17 PM,

Re: Features for Future Versions

2007-04-02 Thread Dick Hardt
On 2-Apr-07, at 8:09 AM, McGovern, James F ((HTSC, IT)) wrote: I originally joined this list with the hopes of injecting support for relationships, authorization and attestation into the specification but have been somewhat disappointed. I do have the following questions? 1. Will

Re: Attribute Exchange pre-draft 5

2007-04-02 Thread Dick Hardt
On 2-Apr-07, at 2:41 PM, Rowan Kerr wrote: On 2-Apr-07, at 5:27 PM, Josh Hoyt wrote: I'm thinking about differentiating between an attribute that's not available and an attribute that *is* available, but its value is . I. e. difference between a null pointer, and a pointer to an empty

Re: Version 2.0 soon final?

2007-03-26 Thread Dick Hardt
On 26-Mar-07, at 12:22 PM, Josh Hoyt wrote: On 3/20/07, Granqvist, Hans [EMAIL PROTECTED] wrote: OpenID 2.0 has been cooking for quite a while. When will 2.0 be FCS? What does FCS [1] mean? Josh 1. http://en.wikipedia.org/wiki/FCS Future Combat Systems?

Re: Extensions key prefix

2007-03-13 Thread Dick Hardt
On 13-Mar-07, at 6:23 PM, Drummond Reed wrote: Rowan, If I understand you correctly here, what you are saying is that openid.ns.* prefixes work almost identically to XML namespace (xmlns) prefixes, i.e.: that is where the idea came from :-) * the prefix is never globally defined by

Re: Proposal: An anti-phishing compromise

2007-02-09 Thread Dick Hardt
mandated by the spec but every worthwhile OP does it. My $0.02. --David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dick Hardt Sent: Sunday, February 04, 2007 11:42 PM To: Granqvist, Hans Cc: OpenID specs list Subject: Re: Proposal: An anti

Re: Proposal: An anti-phishing compromise

2007-02-04 Thread Dick Hardt
On 1-Feb-07, at 2:36 PM, Granqvist, Hans wrote: Add a single, required, boolean field to the authentication response that specifies whether or not the method the OP used to authenticate the user is phishable. The specification will have to provide guidelines on what properties an

Re: Federated Authorization

2007-01-25 Thread Dick Hardt
On 25-Jan-07, at 1:36 PM, McGovern, James F ((HTSC, IT)) wrote: Modify your scenario as follows: - The College of Physicians and Surgeons says she is a surgeon and is board certified for X number of procedures - A particular hospital says she is part of their team. Likewise, they also

Re: 2.0 Spec Questions

2007-01-22 Thread Dick Hardt
On 21-Jan-07, at 4:48 PM, James McGovern wrote: Several questions after reading the 2.0 spec - draft 11. 1. The definition of realm if I am reading it correctly could be problematic in large enterprises. For example, if one were using a web access management product, they would have

Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-19 Thread Dick Hardt
On 19-Jan-07, at 6:19 AM, Ben Laurie wrote: Still totally unhappy about the phishing issues, which I blogged about here: http://www.links.org/?p=187 There are numerous ways of solving this. Several standard methods can solve it. It is a relationship between the user and the OP and the

DRAFT 11 - FINAL?

2007-01-18 Thread Dick Hardt
Hey List To deal with the recent security concern postings about OpenID, language was added to clarify a secure channel is needed between the OP and the end-user's machine. Are there any more issues with this specification: http://openid.net/specs/openid-authentication-2_0-11.html

Re: Federated Authorization

2007-01-18 Thread Dick Hardt
Hi James As Phillip states, SAML can be used to represent the assertion. Interesting that you mention a Doctor example. A use case that we are working on uses a Surgeon (Sally) who needs to prove: - The College of Physicians and Surgeons says she is a surgeon - A particular hospital says

Re: DRAFT 11 - FINAL?

2007-01-18 Thread Dick Hardt
publish draft 11. Thanks, --David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dick Hardt Sent: Thursday, January 18, 2007 3:45 PM To: specs@openid.net Subject: DRAFT 11 - FINAL? Hey List To deal with the recent security concern postings

Re: Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-18 Thread Dick Hardt
Great job David, Johnny and Josh! -- Dick On 18-Jan-07, at 7:35 PM, Recordon, David wrote: So with great pleasure I get to announce the culmination of about nine months of work between the OpenID, XRI, Sxip, and LID communities in the drafting of OpenID Authentication 2.0. This evening

Re: Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-18 Thread Dick Hardt
David A couple questions: 1) Would you like to set a deadline for final comments? Perhaps a week? 2) What is the approval process now? Is it still as posted at: http://openid.net/specs.bml Currently, the collective authors of OpenID Authentication (David Recordon, Josh Hoyt, Dick

Re: Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-18 Thread Dick Hardt
Hi Daniel The OpenID4java code is up to date to DRAFT 11, and also has support for the OpenID Attribute Exchange draft. (Sxip volunteered to build the OpenID Java libraries, and our preference was to use code.google.com for the repository) -- Dick On 18-Jan-07, at 11:52 PM, Daniel E.

Re: Question on Conferences and the Marketing of OpenID

2007-01-14 Thread Dick Hardt
On 8-Jan-07, at 7:01 AM, James McGovern wrote: I learned of OpenID because I ran across it while blogging. Otherwise, in context of my day job working for a Fortune 100 enterprise whose primary business model isn't technology otherwise would have never heard of it. While this list

Re: Business Scenarios

2007-01-14 Thread Dick Hardt
We are working on a citizen-centric solution for regional set of public sector organizations. Most of the major IdM vendors are involved, but no white papers have been published at this time. -- Dick On 10-Jan-07, at 8:42 AM, McGovern, James F ((HTSC, IT)) wrote: I am looking for any

Re: Attribute Exchange Schema site

2007-01-05 Thread Dick Hardt
: On 1/3/07, Dick Hardt [EMAIL PROTECTED] wrote: Our proposal was to have the schemas for OpenID hosted at schema.openid.net. Some people expressed concerns about having them be on openid.net. Do you have any suggestions? Anyone else have an opinion? Does anyone care? ;-) Being part

OpenID Signed Assertions 1.0 - Draft 1

2006-12-03 Thread Dick Hardt
RL) Profile, RFC 3280, April 2002. [RFC3548] Josefsson, S., The Base16, Base32, and Base64 Data Encodings, RFC 3548, July 2003. [W3C.REC-xmldsig-core-20020212] Solo, D., Eastlake, D., and J. Reagle, XML-Signature Syntax and Processing, W3C Recommendation http://www.w3.org/TR/2002/REC-xmldsig-core-20020212, Feb

Re: OpenID Authentication 2.0 Pre-Draft 11 (Take 5)

2006-11-25 Thread Dick Hardt
On 25-Nov-06, at 12:10 AM, Recordon, David wrote: Decent number of changes to help clean-up the draft from what I posted on the 19th. Getting close with only a few more things left on the punch list! Thanks for posting David. What do we have left on the list? -- Dick

Attribute Exchange, Attribute Types and Attribute Metadata

2006-11-24 Thread Dick Hardt
Below is a summary of draft specifications for OpenID Attribute Exchange, Attribute Types and Attribute Metadata. I will check them into SVN real-soon-now and hopefully David will have them linked off the spec site. HTML versions will be posted as separate emails for those in the US unable to

OpenID Attribute Types Draft 2

2006-11-24 Thread Dick Hardt
data-1.0] Hardt, D., Identity Attribute Metadata, October 2006 (TXT, HTML). 5.2. Non-normative References [RFC2396] Berners-Lee, T., Fielding, R., and L. Masinter, Uniform Resource Identifiers (URI): Generic Syntax, RFC 2396, August 1998 (TXT, HTML, XML). Author's Address

Identity Attribute Metadata Draft 1

2006-11-24 Thread Dick Hardt
ute Exchange, August 2006 (TXT, HTML). [RFC2119] Bradner, S., Key words for use in RFCs to Indicate Requirement Levels, BCP 14, RFC 2119, March 1997 (TXT, HTML, XML). [RFC4646] Phillips, A. and M. Davis, Tags for Identifying Languages, BCP 47, RFC 4646, September 2006. [W3C.REC-x

Identity Attribute Metadata Draft 1

2006-11-24 Thread Dick Hardt
Dick Hardt Sxip Identity 798 Beatty Street Vancouver, BC V6B 2M1 CA Email: [EMAIL PROTECTED] URI: http://sxip.com/

Re: OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)

2006-11-19 Thread Dick Hardt
On 19-Nov-06, at 3:08 PM, Adam Nelson wrote: Great start on the Wiki. Note that there are some efforts in IETF for enhancing what can be done at the TLS layer for authentication which would enable the same mechanism to be used not only for HTTP, but for SMTP, POP3, IMAP ... Hmm, that's

Re: OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)

2006-11-17 Thread Dick Hardt
On 17-Nov-06, at 10:38 AM, John Kemp wrote: Dick Hardt wrote: On 16-Nov-06, at 11:41 PM, Matt Pelletier wrote: On Nov 17, 2006, at 1:24 AM, Dick Hardt wrote: Hi John So that a message can be more than 2K of data. Is it possible to update the language so 1) we don't deprecate HTTP

Re: IdP's Advertising Both http and https

2006-11-12 Thread Dick Hardt
On 9-Nov-06, at 7:45 AM, Rowan Kerr wrote: On Wed, 2006-11-08 at 00:42 -0800, Dick Hardt wrote: -Original Message- From: Recordon, David But the security warnings will still exist: - RP redirects me to http on IdP - IdP redirects me to https on IdP for login page (warning

Re: OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)

2006-11-12 Thread Dick Hardt
Hi Adam The switch from GET to POST was made so that we were not constrained by the URL parameter payload limit. As you point out, HTTP headers can be used for moving messages as well, but there was no clear mechanism to do that without modifying all the widely available browsers. I think

Re: Map/Normalize Email Address to IdP/OP URL (Was [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers)

2006-11-10 Thread Dick Hardt
On 10-Nov-06, at 7:20 AM, David Fuelling wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Daugherty # I think that all this discussion about email userid is moving us off # track. My original proposal was that the email
