Re: Non-interactive logins

2008-07-15 Thread Scott Kveton
Hi Anders,

You might want to check out OAuth ... it was developed for just such a
situation.

- Scott




On Tue, Jul 15, 2008 at 4:20 AM, Anders Feder [EMAIL PROTECTED] wrote:
 Hello,

 There have been some discussion over the years about using OpenID for
 non-interactive logins. Can someone kindly tell me what the status is of
 this feature? In particular login from non-browser applications - is
 this currently possible (e.g. using client certificate authentication)?
 Thanks.

 --
 Anders Feder [EMAIL PROTECTED]

 ___
 specs mailing list
 specs@openid.net
 http://openid.net/mailman/listinfo/specs



Re: HTTPS status

2007-02-28 Thread Scott Kveton
 At this point I think I have to be contented with the knowledge that OpenId
 will be forced to change, or it will fail, this is ESPECIALLY true because
 of the sudden surge in popularity.

Absolutely ... I didn't put "won't ever" in any of those bullet points.
OpenID is always going to change, evolve and mature.  It has to.  It has
already in the last 18 months and will continue to do so.  If it doesn't,
that's when we really have to worry about failure.

- Scott







 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Scott Kveton
 Sent: Wednesday, February 28, 2007 8:33 PM
 To: specs@openid.net
 Subject: Re: HTTPS status
 
 [snip]
 
 Why is there such reluctance?
 
 I think there are several reasons why:
 
 * Not everybody knows how to install/manage an SSL certificate
 * Not every web hosting company allows multiple IPs for sites
 * It wouldn't have been easy to get the adoption we're seeing
 with a MUST
 * Majority of transactions are low-value today
 
 Could we have gotten where we are today with the growth that
 we've seen _with_ a MUST?  I don't think so.
 
 The providers who are really serious about security and
 identity will have SSL.
 
 - Scott
 


Re: Tiny RDF Schema at openid.net?

2007-01-29 Thread Scott Kveton
With just a quick look at this, it seems like a good idea.  I'd like to see
it happen somehow.

Anybody see any problems with doing this?

- Scott





On 1/29/07 2:13 AM, Benjamin Nowack [EMAIL PROTECTED] wrote:

 
 
 Hi,
 
 I was wondering if you guys could be persuaded to host a little
 RDF Schema file on the openid.net site. As far as I can tell, there
 is great support for OpenID among SemWeb folks as it can be combined
 with things like FOAF for all sorts of cool applications.
 
 People recently started to write RDF extractors for the OpenID
 hooks embedded in HTML (openid.server/delegate). As these hooks
 are in line with the Dublin Core guidelines [1], there are even
 multiple ways to do this. The only thing we're missing for more
 widespread use is an agreed-on namespace URI for the core openID
 terms (server and delegate). And ideally this would be an
 openid.net one. So here is my request: any chance we could put
 a little RDF Schema file on the openid server? We would of course
 provide the file (it'd be just 5-10 lines of XML), and the actual
 URL/path doesn't really matter. An alternative could be to host
 it in some other stable URI space, Dan Connolly (CC'd) might be
 able to provide one at w3.org, not sure. It would be cool to
 get your blessing either way, though.
 
 
 Cheers in advance for perhaps considering it,
 Ben
 
 --
 Benjamin Nowack
 
 Kruppstr. 100
 45145 Essen, Germany
 http://www.bnode.org/
 
 
 [1] http://www.dublincore.org/documents/dcq-html/
 


Re: [OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

2007-01-19 Thread Scott Kveton
 Still totally unhappy about the phishing issues, which I blogged
 about here:
 
 http://www.links.org/?p=187
 
 I have a proposal which I think could greatly reduce the risk of
 phishing: identity providers should /never/ display their login form
 (or a link to the form) on a page that has been redirected to by an
 OpenID consumer.
 
 Instead, they should instruct the user to navigate to the login page
 themselves. The login page should have a short, memorable URL and
 users should be encouraged to bookmark it themselves when they sign
 up for the provider. The OpenID landing page then becomes an
 opportunity to help protect users against phishing rather than just
 being a vector for the attack.
 
 I've fleshed this out on my blog:
 
 http://simonwillison.net/2007/Jan/19/phishing/
 
 Does that sound workable?

One of the greatest strengths of OpenID is the ability for website operators
to lower the barrier to engagement ... User shows up, user enters OpenID,
user is then immediately participating in discussion/posts/comments/etc.
I'm afraid this proposal takes away from that by forcing the user to lose
the flow ... Of course it's that flow that is the problem in terms of
phishing.

What if the OP cataloged where you just came from and then presented the
screen that you mention?  The user is asked to navigate via a bookmark or
entering the URL in the location bar and then upon logging in is presented
with a link back to the site they just came from.  Then the user can quickly
engage and the site can still kick off the SREG mojo instead of having to go
_back_ to the site in question to re-initiate the login.

Would that work or am I missing something obvious?

- Scott



Re: Mailing List etiquette question.

2006-11-30 Thread Scott Kveton
+1.  Don't be shy to speak your mind.



On 11/30/06 6:48 PM, Recordon, David [EMAIL PROTECTED] wrote:

 Hi Gavin,
 As being one that often floats proposals to the list, I'd encourage people to
 voice their opinions even if it is just agreeing with someone else.  With
 silence it is hard to know if people agree with you, think you're crazy, don't
 care, or haven't read it.
 
 --David
 
 
  -Original Message-
 From: Gavin Baumanis [mailto:[EMAIL PROTECTED]
 Sent: Thursday, November 30, 2006 06:35 PM Pacific Standard Time
 To: [EMAIL PROTECTED]; specs@openid.net
 Subject: Mailing List etiquette question.
 
 Hi everyone,
 
 Just a quick question.
 I was about to send a reply in support of Avery's suggestion, but before I did
 thought I would ask;
 
 Is it appropriate to respond to the list with,
 Yes - I agree  - that seems like a simple / easily implemented solution
 (in essence adding support to the proposal, allowing all subscribers to gauge
 the worthiness of the suggestion - yet, not adding in any new information)
 
 On the other hand, it almost seems like spamming the list?
 
 Thanks.
 
 Gavin
 RMIT University, Melbourne, Australia.


Re: Changing Terminology (was RE: IdP term in spec (was RE: Delegation discussion summary))

2006-10-15 Thread Scott Kveton
 I'd really prefer not to change terminology in the spec right now.
 Seems like something we should have thought about four months ago versus
 a week after we said it would be final.  There is nothing saying user
 friendly terms that map to spec terms can't be created for the time
 being.  I do however think there will need to be healthy discussion
 around them, that takes longer than a week.  :)

+1 to all points.

- Scott



Re: Delegation discussion summary

2006-10-14 Thread Scott Kveton
 I would propose that the term Homesite be used when prompting the
 user to type in their IdP. I think the term Identity Provider is
 overloaded and not user friendly.

As per my last email I feel the same way about identity provider as well
... I agree with Dick; too overloaded and not user friendly.



Re: Delegation discussion summary

2006-10-14 Thread Scott Kveton
 I kinda get homesite, but I don't understand the thinking behind
 membersite: What is this site supposed to be a member of?
 
 It was a member of the network of sites running the protocol.

Membersite sounds too much like you have to join some club to participate.
I feel the same way about homesite.  I'm all for finding more
consumer-friendly terminology for this but I've yet to hear anything that
rings true.

In the case of http you have web server which is served up by a web site
... Instead of http provider and http destination ... Maybe we need to
make this even simpler than we are?  Could it be as simple (and I'm not
really suggesting these) as login server and login site?

What does the wider community think?  How do LiveJournal users refer to this
concept today?

- Scott
