Re: Proposal: An anti-phishing compromise

2007-02-02 Thread john kemp
PROTECTED] On Behalf Of john kemp Sent: Thursday, February 01, 2007 7:13 PM To: Granqvist, Hans Cc: OpenID specs list Subject: Re: Proposal: An anti-phishing compromise Granqvist, Hans wrote: Proposed Change === Add a single, required, boolean field to the authentication response

Re: Proposal: An anti-phishing compromise

2007-02-02 Thread john kemp
Hi Josh, In addition to the protocol parameter that you have proposed, I'd hope that we can add something like what you wrote below as part of the security considerations section of the OpenID 2.0 Auth specification, as this text seems to capture quite succinctly the issues that RPs and OPs

Re: Proposal: An anti-phishing compromise

2007-02-02 Thread john kemp
Johnny Bufu wrote: On 2-Feb-07, at 7:05 AM, George Fletcher wrote: but I'm still not sure how this helps with the phishing problem. As you pointed out John, the issue is a rogue RP redirecting to a rogue OP. So the rogue OP just steals the credentials and returns whatever it wants. In

Re: Proposal: An anti-phishing compromise

2007-02-02 Thread john kemp
Josh Hoyt wrote: On 2/2/07, john kemp [EMAIL PROTECTED] wrote: Don't get me wrong - I think it's a good idea for the OP to make a statement about the authentication method used (although I would prefer it to say something like authn_method=urn:openid:2.0:aqe:method:password, rather than

Re: Proposal: An anti-phishing compromise

2007-02-01 Thread john kemp
Granqvist, Hans wrote: Proposed Change === Add a single, required, boolean field to the authentication response that specifies whether or not the method the OP used to authenticate the user is phishable. The specification will have to provide guidelines on what properties an

Re: OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)

2006-11-17 Thread John Kemp
Dick Hardt wrote: On 16-Nov-06, at 11:41 PM, Matt Pelletier wrote: On Nov 17, 2006, at 1:24 AM, Dick Hardt wrote: Hi John So that a message can be more than 2K of data. Is it possible to update the language so 1) we don't deprecate HTTP redirects and 2) the form redirect method is

Re: OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)

2006-11-17 Thread John Kemp
Dick Hardt wrote: Supporting payloads larger than 2K is a requirement. I guess I don't understand what this 2K limit is (and this is not mentioned in the spec) - are you talking about limits on the URL size when doing an HTTP GET? yes If so, why not use POST instead? Now I am really

Re: OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)

2006-11-16 Thread John Kemp
Hi, Sorry I'm just reading this, but I just wanted to put in a point very much in favour of NOT deprecating support for HTTP redirects in OpenID 2.0. I'll note that requiring the user to press a 'submit' button to push seems like a dodgy UI strategy. So then you require JavaScript to produce a

Re: Authentication Authority (was RE: IdP vs OP (WAS: RE: Editors Conference Call))

2006-11-08 Thread John Kemp
in various lights and have multiple names (roles!).) FWIW, Eve John Kemp wrote: Hi Drummond, Drummond Reed wrote: So why, indeed, is there so much interest in OpenID? I believe it's because of the trust model. To the best of my knowledge, it is radically different than the trust

Re: IdP vs OP (WAS: RE: Editors Conference Call)

2006-11-07 Thread John Kemp
] [mailto:[EMAIL PROTECTED] On Behalf Of Recordon, David Sent: Monday, November 06, 2006 11:46 AM To: Dick Hardt; John Kemp; Patrick Harding Cc: specs@openid.net Subject: IdP vs OP (WAS: RE: Editors Conference Call) I see both sides of this discussion. I think John is correct that the role

Re: IdP vs OP (WAS: RE: Editors Conference Call)

2006-11-07 Thread John Kemp
Dick Hardt wrote: On 7-Nov-06, at 7:59 AM, John Kemp wrote: I don't believe that trust is a differentiator between SAML specifications and OpenID Authentication specifications. It is AFAICT, in both cases, simply out of scope. I should have been more clear, IdP is a Federation term

Re: IdP vs OP (WAS: RE: Editors Conference Call)

2006-11-07 Thread John Kemp
Eve L. Maler wrote: On balance I prefer identity provider because it's intuitive in an English sense, it's used in several technology contexts (not just SAML and OpenID), and it avoids a terminological branding that would otherwise seem to suggest a conceptual divergence that doesn't --

Re: Making identities persistent?

2006-11-01 Thread John Kemp
Hello, I think you need the ability for a user to change his identifier at the RP (as George notes below) and also at the IdP. In addition, it should be possible for the IdP to provide OpenID forwarding if the user leaves for another IdP (perhaps the user will even pay for a forwarding

Re: Editors Conference Call

2006-11-01 Thread John Kemp
Hi Dick, It would be nice to see a clear definition of an OP in order to determine the exact differences between such an entity and an IdP, but, in the absence of such, some questions: Dick Hardt wrote: Thanks David! ;-) Patrick, as you point out, Identity Provider is a well understood

Re: Editors Conference Call

2006-11-01 Thread John Kemp
Dick Hardt wrote: It would be nice to see a clear definition of an OP in order to determine the exact differences between such an entity and an IdP, but, in the absence of such, some questions: Dick Hardt wrote: Thanks David! ;-) Patrick, as you point out, Identity Provider is a well