Re: Defining how OpenID should behave with fragments in the return_to url

2009-03-25 Thread Martin Atkins
James Henstridge wrote: On Wed, Mar 25, 2009 at 3:33 AM, Luke Shepard lshep...@facebook.com wrote: One crude way to do it would be to have the caller specify that they want the return_to args simply appended instead of integrated into the URL- perhaps an argument like

Re: Defining how OpenID should behave with fragments in the return_to url

2009-03-24 Thread Martin Atkins
This looks similar in principle to the AJAX-ish (though not really AJAX at all) mode of OpenID that was in the early demos but no-one actually seems to have implemented in practice. The trick there was to do the OP dance in a hidden iframe and have the return_to page communicate with the

Re: Request for consideration of AX 2.0 Working Group Charter Proposal

2009-01-27 Thread Martin Atkins
Dick Hardt wrote: I'd prefer to narrow the scope of the WG and keep it focussed on a small number of goals. A separate WG on SREG would be preferred, but I think it is a disservice to the community to have two specs having such significant overlap. Choice in this case leads to confusion and

Re: Request for consideration of AX 2.0 Working Group Charter Proposal

2009-01-25 Thread Martin Atkins
Henrik Biering wrote: Agree! If the range of SReg attributes is expanded, however, I would suggest to add phone number (incl. quality as suggested for email) and possibly street+city address line(s). That would make it possible to fill in a somewhat larger part of typical registration forms.

OpenID Authentication 2.0 Errata

2009-01-06 Thread Martin Atkins
Hi folks, It seems that we don't currently have any central place to document the issues with OpenID Authentication 2.0, so I started a wiki page for it: http://wiki.openid.net/OpenID-Authentication-2_0-Errata Currently it only has one issue, which is the one that I encountered today that

Re: Request for consideration of Working Group Charter Proposal

2008-12-23 Thread Martin Atkins
Allen Tom wrote: Hi Nat - I'm not quite sure what you mean by class. Nat previously talked about the idea of bundling several attributes together into a single namespace rather than assigning a URL to each individual scalar attributes. He referred to it as a class though you might instead

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-12-02 Thread Martin Atkins
Allen Tom wrote: For the time being, we prefer to require CKs for client applications (even if they can't be verified) mostly to make it easy for us to pull the plug on specific applications if they are discovered to be severely buggy or dangerous. We'd also like to require

Completing the SREG 1.1 specification

2008-11-28 Thread Martin Atkins
Atkins, Six Apart ([EMAIL PROTECTED]) * David Recordon, Six Apart ([EMAIL PROTECTED]) * ... Initial Editors: * Martin Atkins, Six Apart ([EMAIL PROTECTED]) * David Recordon, Six Apart ([EMAIL PROTECTED]) [1]http://openid.net/specs/openid-simple-registration-extension-1_1-01.html

Re: Completing the SREG 1.1 specification

2008-11-28 Thread Martin Atkins
I agree that it's not ideal to have both, and in an ideal world everyone would use AX, but currently SREG seems to be more widely deployed than AX. This working group proposal was motivated not by some desire to needlessly perpetuate SREG but rather by actual real-world interop problems I've

Re: OpenID/OAuth hybrid - discovery

2008-11-24 Thread Martin Atkins
Dirk Balfanz wrote: I'm not sure I understand what the commotion is about :-) OAuth discovery (when it is done), will answer the question: given the URL of a resource, where do I go to get access tokens for that resource. The question answered by the XRD element described in Section 5 is

Re: OpenID/OAuth hybrid - discovery

2008-11-24 Thread Martin Atkins
Dirk Balfanz wrote: We're defining an OpenID extension. Consumer will want to know whether or not a given endpoint speaks that extension. That's all it's doing - just like AX or PAPE have a section on discoverability. It also gives consumers a way to look for the combined OpenID/OAuth

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-11-18 Thread Martin Atkins
Allen Tom wrote: Manger, James H wrote: Ideally, an app would attempt to access a protected resource at an SP and get: * A 401 Unauthenticated response from the SP; with * A “WWW-Authenticate: OAuth” header; with * A parameter providing the authorization URL; and * Another parameter with

Re: Proposing an OpenID Authentication 2.1 Working Group

2008-11-11 Thread Martin Atkins
Here's the output from today's IIW session on this: 2.0 has been finalized bunch of implementations found lots of spec bugs also gone and done oauth and email addresses and other things. Can we support these in the core spec? - Making the spec more readable and fixing bugs (eratta) -

Re: [OpenID] OpenID Extension to handle Emails Addresses?

2008-10-30 Thread Martin Atkins
David Fuelling wrote: I would even entertain the notion of the OpenID extension doing DNS lookup first, then EAUT, though I need to think more on the topic. Alternatively, maybe we make DNS optional. At this point I'll throw in my more recent post about why DNS must be supported and

Re: [OpenID] OpenID Extension to handle Emails Addresses?

2008-10-30 Thread Martin Atkins
David Fuelling wrote: 1. The arguments about using DNS could apply to OpenID in general. However, OpenID doesn't do anything with DNS. Why is this? What were the compelling reasons to not use DNS with OpenID? Is there an FAQ page somewhere about that? I have only

Re: [OpenID] OpenID Extension to handle Emails Addresses?

2008-10-30 Thread Martin Atkins
Hallam-Baker, Phillip wrote: Well we already have a specification for that, it is the core architecture of the Internet: DNS. We use the DNS SRV record for service discovery. It is what it is designed for. It provides for fault tolerance, load balancing, fall over just like an email MX

Re: This is user's URI for Assertion Quality Extension

2008-09-05 Thread Martin Atkins
SitG Admin wrote: http://openid.net/specs/openid-assertion-quality-extension-1_0-03.html http://openid.net/specs/openid-assertion-quality-extension-1_0-03.html I'd like to see the 4th draft of this include a URI level authentication property. I'd like to know whether the OP is asserting

Re: Backporting the 2.0 extension mechanism to 1.1

2008-08-12 Thread Martin Atkins
Nat Sakimura wrote: Actially, that interpretation is not right. In draft 3, we have made it clear. Draft 3 now seems to say: For the purposes of this document and when constructing OpenID 1.1 and 2.0 messages, the extension namespace alias SHALL be pape. Which now seems to

Re: OpenID 2.0 Specifications

2008-08-11 Thread Martin Atkins
Arshad Khan wrote: Hello, Can I please have OpenID 2.0 specifications? Can I also request link to software codes for sever and consumer? http://openid.net/specs/openid-authentication-2_0.html http://openidenabled.com/ http://code.google.com/p/dotnetopenid/

Re: OpenID 2.0 Specifications

2008-08-11 Thread Martin Atkins
Arshad Khan wrote: Hi Martin, Thanks for this. Is it possible to get the specification in word or pdf format? I don't think this is published online, but you should be able to load the HTML version into Word and save it as .doc if necessary. Also, I am not clear if I need to read and

Backporting the 2.0 extension mechanism to 1.1

2008-08-11 Thread Martin Atkins
I notice that, like sreg, the pape extension is supporting 1.1 by simply hard-coding the pape prefix on its arguments. This approach is troublesome for the Net::OpenID::Consumer perl library because it deals only in extension URIs, and supports sreg in 1.1 as a special case. In order to

Re: Backporting the 2.0 extension mechanism to 1.1

2008-08-11 Thread Martin Atkins
Johnny Bufu wrote: On 11/08/08 12:49 AM, Martin Atkins wrote: I notice that, like sreg, the pape extension is supporting 1.1 by simply hard-coding the pape prefix on its arguments. Where/how? To my knowledge the opposite is true, per the last paragraph here: http://openid.net/specs

Re: Responding to a 2.0 request with a 1.1 response

2008-07-20 Thread Martin Atkins
(sorry for responding to myself.) Martin Atkins wrote: Another similar and perhaps more likely case is when a user does 2.0-style delegation to a clavid.com identifier, omitting the 1.1-style delegation. Net::OpenID::Consumer with 1.1 compatibility enabled fails in this case because

Re: Using email address as OpenID identifier

2008-04-07 Thread Martin Atkins
Paul E. Jones wrote: Perhaps it is important to say, though, that I do not think it requires the e-mail providers to get on board with this (in my view) simpler notation. I could use an ID like [EMAIL PROTECTED] and that should work, if myopenid.com would publish the appropriate NAPTR

Re: Using email address as OpenID identifier

2008-04-07 Thread Martin Atkins
Paul E. Jones wrote: I’ll give you that one: that’s certainly easier. But, does not cause some confusion? After all, one’s identity is not yahoo.com, but that is the identity provider. Perhaps the prompts around the Internet ought to Say “OpenID Provider:” instead? :-) I propose

Re: handling of url redirection

2008-02-28 Thread Martin Atkins
Jonathan Daugherty wrote: This is what I was getting at- it'd be good to give users an identical experience when they sign into various OpenID-enabled apps. Just to be clear, this is not an interop issue. This is a matter of drawing the line between what is sane and what is not. For

Re: Integration with Enterprise Directory Services

2008-02-28 Thread Martin Atkins
Drummond Reed wrote: Yes, Marty Schleiff at Boeing is working on an RFC for how to represent XRIs in an LDAP directory for that very reason -- to establish standard OIDs for this attribute. LDAP already has a URI attribute type, but downcasting an XRI into a URI just to squeeze it into that

Re: SREG 1.1 Request parameters

2008-02-22 Thread Martin Atkins
Enis Soztutar wrote: As far as I understand, the distinction between sreg.required and sreg.optional is entirely in the responsibility of the consumer and there is not reason for the protocol to include this arbitrary division. An OP implementation will just merge the two fields and try

Re: OpenID Inline Authentication Extension 1.0 Draft 1

2007-09-03 Thread Martin Atkins
John Ehn wrote: Martin, Thanks for the response! I'm looking at those specs now, and I really like the flow of the HTTP Authentication spec, because it looks like it's solving the problem of passing the OpenID Identifier to the RP in an automated way, which is really cool. Looks like it

Re: Do We Agree on the Problem We're Trying to Solve?

2007-06-12 Thread Martin Atkins
Josh Hoyt wrote: On 6/11/07, Martin Atkins [EMAIL PROTECTED] wrote: Presumably the recommendation would be to have several identifiers attached to a single account just as is recommended today. I would point most of my identifiers at one canonical identifier but retain one or more special

Re: The CanonicalID Approach

2007-06-11 Thread Martin Atkins
Josh Hoyt wrote: On 6/9/07, Martin Atkins [EMAIL PROTECTED] wrote: I'm assuming that the RP authenticates http://inconvenient.example.com/001, not http://impersonation.example.com/mart. Just as with delegation, if I can successfully authenticate as the persistent identifier and the non

Re: The CanonicalID Approach

2007-06-09 Thread Martin Atkins
Josh Hoyt wrote: On 6/8/07, Martin Atkins [EMAIL PROTECTED] wrote: I figure that you could potentially use the same mechanism as delegation to avoid the extra discovery iteration. The problem, as with delegation, is that you need to duplicate the endpoint URL in the source identifier's XRDS

Re: The CanonicalID Approach

2007-06-08 Thread Martin Atkins
Josh Hoyt wrote: On 6/7/07, Recordon, David [EMAIL PROTECTED] wrote: What I'd like to markup is that my three reassignable identifiers so that they all use my LiveJournal userid URL as the persistent identifier. It should be noted that also marking them as synonyms to each other follows the

Re: Generalized solution to OpenID recycling (was RE: The WordPress User Problem)

2007-06-05 Thread Martin Atkins
=drummond.reed wrote: As Martin has pointed out, the purpose of the CanonicalID element in XRDS is to support reassignable-to-persistent identifier mapping. Although this is a native function of XRI resolution (because XRI architecture was explicitly designed to address the

Re: Auth 2.0 Extensions: Namespace Prefixes

2007-06-05 Thread Martin Atkins
Johnny Bufu wrote: On 5-Jun-07, at 8:53 AM, Granqvist, Hans wrote: But it seems superflous: Since you cannot depend on args to be ordered[1], you'll still need to iterate and match prefix to values. Martin's proposal seems like a minor improvement to me - iterating thorough openid.ns.*

Re: Final outstanding issues with the OpenID 2.0 Authenticationspecification

2007-06-03 Thread Martin Atkins
Claus Färber wrote: Marius Scurtescu schrieb: The new attribute values are needed in order to signal an OpenID 2 provider. Why is this necessary? Is OpenID 2 incompatible? In other words, what happens if an OpenID 2 Relying Party tries to talk to an OpenID 1.x Provider? If the

Re: Specifying identifier recycling

2007-06-01 Thread Martin Atkins
Johnny Bufu wrote: We did look at this (with Drummond) in December. The bottom line is that it can't be done easily - a mechanism similar to XRI's canonical ID verification would have to be employed, to confirm that the i- number actually 'belongs' to the URL on which discovery was

Re: Specifying identifier recycling

2007-05-30 Thread Martin Atkins
John Panzer wrote: Has there been a discussion about an extension to map to/from i-numbers via AX? If there were a generic attribute you could stuff an i-number or a hash of an internal ID in there to help solve the disambiguation problem. Alternatively it'd be nice to have a way to ask

Auth 2.0 Extensions: Namespace Prefixes

2007-04-30 Thread Martin Atkins
As currently defined, an extension has a global namespace URI as well as a request-local alias/prefix. For an extension with the namespace http://example.com/blah that has a field foo, the following fields are to be sent: openid.ns.blah=http://example.com/blah openid.blah.foo=bar

Re: Authentication Protocols for Non-browser Apps

2007-04-10 Thread Martin Atkins
Gabe Wachob wrote: Hi Mart- I'm trying to figure out if what you are proposing covers the same use case that I discussed at http://openid.net/pipermail/general/2007-March/002005.html I'm not clear actually what you are trying to do with HTTP Authentication, and it may be

Re: password-free login without SSL and OP reliance (an anti-phishing solution)

2007-04-07 Thread Martin Atkins
Douglas Otis wrote: For clarity, OpenID Authentication 2.0 - Draft 11 4.1.1. Key-Value Form Encoding should change to something like Keyword-Value Form Encoding. Avoid using the word key to mean field or label. This will cause confusion. While I believe that key-value pairs is a

Re: Moving AX Forward (WAS RE: SREG namespace URI rollback)

2007-04-07 Thread Martin Atkins
Johnny Bufu wrote: I believe a key difference here is between what people would be willing to do, and what people actually (will) do. For example: - I would be willing to go to a rugby game, but I don't know if any of my friends are going, so I probably won't go - most of my friends

Re: Moving AX Forward (WAS RE: SREG namespace URI rollback)

2007-04-07 Thread Martin Atkins
Johnny Bufu wrote: These two seem to have been the rationale of the recent discussions about splitting the OpenID spec into core/discovery/etc., which seemed to make sense to a number of people (I'm just not sure if it's worth / good tactical move at this stage). I tend to think

Re: Server-to-server channel

2007-04-05 Thread Martin Atkins
[I initially sent this to Chris directly, because he sent his message to me directly. Then I noticed he'd also replied on the list. Hopefully he'll see this before my private reply and we can avoid another go-around of duplicate messages!] Chris Drake wrote: MA For some things it's

Re: Server-to-server channel

2007-04-05 Thread Martin Atkins
Chris Drake wrote: Hi Martin, Yes - sorry - I accidentally hit reply instead of reply all. I later did re-post to the list though. For the benefit of the list, your reply is at the end here. Re-reading my reply, I think my wording sounded pretty strong, and I might not have made it

Re: Promoting OpenID

2007-04-04 Thread Martin Atkins
McGovern, James F (HTSC, IT) wrote: Is anyone here working with vendors in the ERP, CRM, ECM, BPM or VRM spaces such that user-centric identity is built into their product? Mm tasty acronym soup! ___ specs mailing list specs@openid.net

Re: SREG namespace URI rollback

2007-04-04 Thread Martin Atkins
Recordon, David wrote: I see there being a gap between SREG and AX with nothing bridging it. IMHO, AX takes too large of a step for people to use it if they just want a few more SREG fields. I think we need something which does nothing more than provide a way to extend SREG and that will

Re: Server-to-server channel

2007-04-04 Thread Martin Atkins
Chris Drake wrote: Hi Martin, You wrote MA The age of the information needs to be taken into account here. When the information (rightly) lives at the OP instead of the RP, none of that age complexity exists. It's *my* name. It's *my* credit card. If any RP wants this info, make them

HTTP Authentication Bindings for two-party OpenID Authentication

2007-03-31 Thread Martin Atkins
OpenID is currently only useful for three-party authentication where an end user (usually a human) is logging in to an RP with the help of an OpenID provider. However, we do not have a solution for a software agent representing itself. Software agents don't need an OpenID Provider in the same

XRD-based Service Discovery - Draft 1

2007-03-03 Thread Martin Atkins
In respose to the discussion recently about modularizing the discovery part of OpenID Authentication 2.0, I've put together a possible first draft of a specification for doing service discovery using XRDS. This document is really just the XRDS-related parts of Yadis but refactored slightly.

Re: Modularizing Auth 2.0 Discovery

2007-02-28 Thread Martin Atkins
Dmitry Shechtman wrote: Then we'd publish in parallel the following two ancillary specifications: * OpenID Discovery for HTTP and HTTPS URIs * OpenID Discovery for XRI URIs. The latter being prepend http://xri.net/ to the XRI and use OpenID Discovery for HTTP. I think as a

Re: Modularizing Auth 2.0 Discovery

2007-02-28 Thread Martin Atkins
rob wrote: Martin Atkins wrote: My proposal is that we make the core Auth 2.0 spec scheme-agnostic. It would just state that an identifier is a URI. Later in the spec, where currently it enumerates a bunch of ways to do discovery, it'd just say do discovery on the URI using an appropriate

Re: Modularizing Auth 2.0 Discovery

2007-02-28 Thread Martin Atkins
Drummond Reed wrote: I've always been supportive of breaking out OpenID Discovery into a separate spec. I wouldn't break it out into separate specs, however, because discovery for any OpenID identifier has have much more in common than they have different. For example, they all need to explain

Re: Modularizing Auth 2.0 Discovery

2007-02-28 Thread Martin Atkins
Recordon, David wrote: Well there already is the Yadis spec. Maybe the Yadis spec remains separate versus becoming part of the OASIS XRI Resolution document? The XRDS-related parts of the Yadis specification seem to duplicate requirements from XRI Resolution chapter 3. In the interests of

Re: Modularizing Auth 2.0 Discovery

2007-02-28 Thread Martin Atkins
Drummond Reed wrote: Under this approach, discovery all identifiers (URLs, XRI i-names/i-numbers, email addresses, phone numbers, etc.) would be handled by OpenID Discovery. I disagree that a single spec can contain discovery rules for all conceivable discovery types without becoming

Re: Modularizing Auth 2.0 Discovery

2007-02-28 Thread Martin Atkins
Recordon, David wrote: Works for me, one thing though is the Yadis spec specifically highlights the bits of the XRDS file which are relevant in this sort of use case. If chapter 3 is separate then this would be a smaller concern for me, but I think part of the *ugh* feeling people get is

Re: Modularizing Auth 2.0 Discovery

2007-02-28 Thread Martin Atkins
Having reflected on people's comments a bit, I have a slightly adjusted set of proposals. 1. Take the bits about parsing XRD service elements from the Yadis spec and call it XRD service discovery for URIs. 2. Have XRD service discovery delegate the actual mapping of a URI onto an XRD

Re: Proposal for Modularizing Auth 2.0 Discovery

2007-02-28 Thread Martin Atkins
Gabe Wachob wrote: Basically, the Discovery Spec would specify that for any identifier scheme to work with OpenID, it MUST define a way of being constructed into an HTTP URI and then returning a XRDS with an HTTP GET on that HTTP URI. If there are other ways of resolving it, then

Re: HTTPS status

2007-02-28 Thread Martin Atkins
Alaric Dailey wrote: Eddy Nigg and I brought up the issue of requiring SSL a while back, since then I have been swamped, it looked like there was some more talk about it since then. I know that there are several other people, that are concerned about this too, and it has even been

Re: [OpenID] OpenId Yadis Question

2007-02-25 Thread Martin Atkins
David Fuelling wrote: I'm wondering if the following is a correct interpretation of how OpenId 2.0 uses Yadis. Any clarifications are appreciated. 1.) User navigates to an RP, and enters a Claimed Identifier (e.g., http://sappenin.gmail.com). 2.) A Yadis doc is returned as follows:

Re: [OpenID] Wiki page: Attempting to document the Email Address as OpenIddebate.

2007-02-12 Thread Martin Atkins
Hallam-Baker, Phillip wrote: Over time everyone will own their own DNS domain and it will form the hub of their personal communications system. All communication modes will map onto the single unified communication identifier. I don't necessarily disagree with many of your arguments,

Re: Proposal: An anti-phishing compromise

2007-02-09 Thread Martin Atkins
Recordon, David wrote: I agree that things like age should be in an extension, though I think this single piece of data is useful in the core protocol. I'm sure the exact definition of phishing resistant will come back to bite us in sometime in the future, but lets deal with it then instead

OA2.0d11: Minor nit-pick regarding normalization

2007-02-01 Thread Martin Atkins
Hi, This is a really minor thing I just spotted due to leaving my browser open on the relevant part of the spec and coming back to it later. :) The normalization table in appendix A.1 lists several examples of the normalization of URIs. The last few examples are as follows:

Re: HTML parsing in HTML-based discovery

2007-01-26 Thread Martin Atkins
Claus Färber wrote: In order to facilitate regexp parsing, just requiring the start and end tags is not enough. Additional restrictions may also be necessary to avoid cases where too simple regexp-based parsers might fail: - head start with attributes. - order of attributes within the

Re: DRAFT 11 - FINAL?

2007-01-25 Thread Martin Atkins
Since your list is long, I'm only going to address things I have an answer to. I'll leave the rest to other people. :) Claus Färber wrote: - | 4.1.1. Key-Value Form Encoding | | A message in Key-Value form is a sequence of lines. Each line begins | with a key, followed by a colon, and

Re: OpenID.net Service Type Namespaces

2007-01-05 Thread Martin Atkins
Recordon, David wrote: http://specs.openid.net/authentication/2.0/signon http://specs.openid.net/authentication/2.0/server http://specs.openid.net/authentication/2.0/identifier_select These seem just fine to me. (+1, I guess!) So very verbose and organized. There is no need for an xmlns

Re: OpenID Exchange

2006-12-15 Thread Martin Atkins
Recordon, David wrote: Awesome, glad to see this! Would be great as Johannes said to see some flow examples and how you'd see it integrate to do something like exchange profile data or post a photo on your blog. Would love to see this formalized and happy to help however I can! I'm hoping

Re: [OpenID] Assertion Quality Extension = openid.importance

2006-12-13 Thread Martin Atkins
Manger, James H wrote: A related hassle is that when my OP supports a new authentication method (such as a strong password-authenticated key agreement scheme (eg SRP)), existing RPs will not recognize this method as strong enough for the RP’s expectations – regardless of the method’s actual

Re: [OpenID] Assertion Quality Extension = openid.importance

2006-12-13 Thread Martin Atkins
Justin S. Peavey wrote: I fully agree with you in your example above until you mention money. In the Amazon example for book purchases, the user is not the one affected by a mis-authenticated transaction, Amazon and the credit-card companies are; the user is indemnified by most credit card

OpenID Exchange

2006-12-13 Thread Martin Atkins
I have made an early draft of a spec called OpenID Exchange on the wiki: http://openid.net/wiki/index.php/OpenID_Exchange_1.0 The goal of this protocol is to allow user-accompanied HTTP requests. user-accompanied means that a consumer makes a request to a service on behalf of a user and

Re: Consistency of negative responses to checkid_immediate requests

2006-12-13 Thread Martin Atkins
Josh Hoyt wrote: It's confusing to me make the failure response to an immediate mode request be id_res, especially if that is not the failure response for setup mode. I can't see a reason that they can't both use the cancel response to indicate that the OP or end user do not wish to

Re: [OpenID] Assertion Quality Extension = openid.importance

2006-12-12 Thread Martin Atkins
Manger, James H wrote: The user-centric solution is not for the RP to specify a max auth age (or captcha or email verification or handbio or hardotp…), but for the RP to indicate the importance of the authentication. The user (with a little help from their OP) decides how to react (eg

Re: [OpenID] Assertion Quality Extension = openid.importance

2006-12-12 Thread Martin Atkins
Paul Madsen wrote: Is there not a potential contradiction between an RP expressing both of 'this is very very important to me' and 'I leave it to you as to the specifics'? Perhaps, but that is the case in both the IdP reports and the RP suggests case: either way the IdP is calling the

Re: OpenID IPR Policy Draft

2006-12-07 Thread Martin Atkins
Recordon, David wrote: http://openid.net/wiki/index.php/IPR_Policy Is it really possible to use mailing list subscription as a trigger for a contract like this? The whole idea scares me a little bit, to be honest. It seems more sensible to me to put these restrictions on actual

Re: Yet Another Delegation Thread

2006-10-25 Thread Martin Atkins
Pete Rowley wrote: Actually I think this is a consequence of using URLs as identifiers and wanting to use my site to host the portable identifiers - you're probably thinking separate domains per portable identifier or using some well known IdP. Each identifier can be correlated by

Re: Yet Another Delegation Thread

2006-10-25 Thread Martin Atkins
Dick Hardt wrote: The RP can't trust state that it has sent to the IdP since the message may have been modified in transit between the RP and the IdP. Perhaps someone can explain what state needs to be maintained? And if the RP wants to put state in the message, I thought we had that as

Re: Two Identifiers - no caching advantage

2006-10-22 Thread Martin Atkins
Dick Hardt wrote: On 21-Oct-06, at 10:52 PM, Josh Hoyt wrote: On 10/21/06, Dick Hardt [EMAIL PROTECTED] wrote: 2) the RP does not verify the binding between the portable identifier and the IdP-specific identifier in the response. to the one the attacker controls and the IdP has

Re: OpenID Login Page Link Tag

2006-10-20 Thread Martin Atkins
Drummond Reed wrote: I initially agreed as well. But to play devil's advocate, the link-to-XRDS option could actually be pretty efficient. Any HTML page could simply advertise the availability of its Yadis XRDS file using an XRDS link in the header. Assuming that many or all of the pages on a

Re: Discussion: RP Yadis URL?

2006-10-16 Thread Martin Atkins
Recordon, David wrote: I'm torn if this parameter should be added to the spec at this time or not. Adding the parameter is conceptually simple, though I don't think there is agreement on what the RP should be publishing in their Yadis file. There is the section

Re: Identifier portability: the fundamental issue

2006-10-16 Thread Martin Atkins
Chris Drake wrote: There seem to be a lot of people on this list who want to hate and loathe the IdP, and grant all power to the RP. I do not understand this reasoning: our users will select the IdP they trust and like, then they will be using a multitude of possibly hostile RPs

Re: Identifier portability: the fundamental issue

2006-10-14 Thread Martin Atkins
Brad Fitzpatrick wrote: Counter-argument: but OpenID 1.1 does have two parameters: one's just in the return_to URL and managed by the client library, arguably in its own ugly namespace (not IdP/RP managed, not openid., but something else... the Perl library uses oic. or something). So

Re: Consolidated Delegate Proposal

2006-10-13 Thread Martin Atkins
Dick Hardt wrote: Won't the IdP will still have to resolve the i-name? The IdP can't trust the RP, or know that the i-name and i-number are really linked unless it checks itself. The IdP is only authenticating the i-number. The i-name is for display to the user and possibly to allow

Re: Delegation discussion summary

2006-10-13 Thread Martin Atkins
Drummond Reed wrote: +1 to getting it done. This area of terminology is more a usability/marketing issue at this point. I agree we need to converge on good, simple user-facing terms for describing OpenID in ways ordinary Web users can easily understand. Although I have great respect for

Re: [PROPOSAL] request nonce and name

2006-10-13 Thread Martin Atkins
Marius Scurtescu wrote: On 12-Oct-06, at 5:07 PM, Josh Hoyt wrote: On 10/12/06, Marius Scurtescu [EMAIL PROTECTED] wrote: If passing through all unrecognized parameters can cause problems then there could be a special namespace for this purpose. For example, all parameters with names

Re: [PROPOSAL] request nonce and name

2006-10-12 Thread Martin Atkins
Recordon, David wrote: We thus believe that any state tracking needed by a stateless RP must be maintained as GET parameters within the return_to argument. In the case of a stateful RP, it can either do the same thing, or store state via other means such as using a session id within a

Re: Consolidated Delegate Proposal

2006-10-10 Thread Martin Atkins
Recordon, David wrote: Dick, It is needed in the case where there is delegation with a URL, openid.identity is the actual URL on the IdP and then openid.rpuserid is the URL that the user entered which delegates to openid.identity. This is then also used in the similar case with XRI

Re: Strong Authencation (was [PROPOSAL] authentication age

2006-10-06 Thread Martin Atkins
Chris Drake wrote: Hi All, 1. Amazon asks the IdP Please assert this user is not a Robot How can it trust this occurred? 2. Amazon asks the IdP Please re-authenticate this user, via two-factor, two-way strong authentication How can it trust *this* occurred? The IdP can *say*

Re: One last plea: fix problem with delegate terminology

2006-10-03 Thread Martin Atkins
Drummond Reed wrote: However, in the two months since I last had that conversation, I've had to explain the concept of OpenID delegate to a bunch more people, and I'm telling you, STICKING WITH THIS TERMINOLOGY IS GOING TO BITE OPENID IN THE BUTT!! The problem is: the more OpenID grows,