Re: Google OpenID is now live

2008-04-10 Thread James Henstridge 
On 10/04/2008, Brad Fitzpatrick <[EMAIL PROTECTED]> wrote:
> On Thu, Apr 10, 2008 at 12:40 AM, James Henstridge <[EMAIL PROTECTED]>
> wrote:
>
> >
> > On 10/04/2008, Vinay Gupta <[EMAIL PROTECTED]> wrote:
> > > I think that kind of misses the point. The *namespace* that google
> manages
> > > is now open for business as an OpenID provider. It's an unanticipated
> > > side-effect of the APIs.
> > >
> > > I think it's kind of a big deal, actually, in terms of how OpenID is
> right
> > > from an engineering perspective and how it can spread in unexpected
> ways. If
> > > only login were so easy.
> >
> > This service seems pretty much equivalent to Simon Willison's
> > idproxy.net service for Yahoo accounts.
> >
> > The big difference between this sort of service and actial OpenID
> > Provider support from Google/Yahoo is a matter of trust.
> >
> > With an OP run by Google, the user needs to trust Google.  With this
> > OP, the user needs to trust whoever is running the OP not to
> > impersonate them.  Given the lack of contact information, I'd be
> > hesitant to use identities managed by that service and would not
> > recommend others rely on it.
>
> James,
>
> openid-provider.appspot.com was written by a Google engineer, Ryan Barrett,
> who also did most the work (including all the initial work) on Blogger's
> OpenID support:
>
> References:
>
> http://appgallery.appspot.com/about_app?app_id=agphcHBnYWxsZXJ5chMLEgxBcHBsaWNhdGlvbnMYrwIM
> http://snarfed.org/space/2008-04-07_google_app_engine_launched
> http://snarfed.org/space/2007-12-02_openid_comments_in_blogger

Okay.  It wasn't clear who was running the service just by looking at
the URL originally posted.


> Further, App Engine apps don't process user credentials directly.  They go
> through an OpenID-like auth process with Google, who actually processes the
> email/password and tells the App Engine app that somebody logged in, at what
> email.  You can verify this yourself by looking at the form targets and HTTP
> traffic.  See:
>
> http://code.google.com/appengine/docs/users/
>
> So I'd say you can pretty much trust an openid-provider.a.com assertion that
> the person has a Google account.   But like others have said, it's not an
> official Google product.

I realise that Google's authsub service doesn't reveal a user's email
+ password to the relying site (in this case
openid-provider.appspot.com).  If you are using an OpenID provider
that I control, you are trusting me not to add a backdoor that lets me
authenticate to RPs as your identity URL.  And given the way OpenID
works, I'd have a pretty good idea of which RPs to go after.

Based on the info in the links you provided it is probably safe to
trust the site not to do these things, but it is not clear from the
information on that site alone.

James.
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Google OpenID is now live

2008-04-10 Thread Brad Fitzpatrick 
On Thu, Apr 10, 2008 at 12:40 AM, James Henstridge <[EMAIL PROTECTED]>
wrote:

> On 10/04/2008, Vinay Gupta <[EMAIL PROTECTED]> wrote:
> > I think that kind of misses the point. The *namespace* that google
> manages
> > is now open for business as an OpenID provider. It's an unanticipated
> > side-effect of the APIs.
> >
> > I think it's kind of a big deal, actually, in terms of how OpenID is
> right
> > from an engineering perspective and how it can spread in unexpected
> ways. If
> > only login were so easy.
>
> This service seems pretty much equivalent to Simon Willison's
> idproxy.net service for Yahoo accounts.
>
> The big difference between this sort of service and actial OpenID
> Provider support from Google/Yahoo is a matter of trust.
>
> With an OP run by Google, the user needs to trust Google.  With this
> OP, the user needs to trust whoever is running the OP not to
> impersonate them.  Given the lack of contact information, I'd be
> hesitant to use identities managed by that service and would not
> recommend others rely on it.


James,

openid-provider.appspot.com was written by a Google engineer, Ryan Barrett,
who also did most the work (including all the initial work) on Blogger's
OpenID support:

References:

http://appgallery.appspot.com/about_app?app_id=agphcHBnYWxsZXJ5chMLEgxBcHBsaWNhdGlvbnMYrwIM
http://snarfed.org/space/2008-04-07_google_app_engine_launched
http://snarfed.org/space/2007-12-02_openid_comments_in_blogger

Further, App Engine apps don't process user credentials directly.  They go
through an OpenID-like auth process with Google, who actually processes the
email/password and tells the App Engine app that somebody logged in, at what
email.  You can verify this yourself by looking at the form targets and HTTP
traffic.  See:

http://code.google.com/appengine/docs/users/

So I'd say you can pretty much trust an openid-provider.a.com assertion that
the person has a Google account.   But like others have said, it's not an
official Google product.

Brad
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Google OpenID is now live

2008-04-10 Thread James Henstridge 
On 10/04/2008, Vinay Gupta <[EMAIL PROTECTED]> wrote:
> I think that kind of misses the point. The *namespace* that google manages
> is now open for business as an OpenID provider. It's an unanticipated
> side-effect of the APIs.
>
> I think it's kind of a big deal, actually, in terms of how OpenID is right
> from an engineering perspective and how it can spread in unexpected ways. If
> only login were so easy.

This service seems pretty much equivalent to Simon Willison's
idproxy.net service for Yahoo accounts.

The big difference between this sort of service and actial OpenID
Provider support from Google/Yahoo is a matter of trust.

With an OP run by Google, the user needs to trust Google.  With this
OP, the user needs to trust whoever is running the OP not to
impersonate them.  Given the lack of contact information, I'd be
hesitant to use identities managed by that service and would not
recommend others rely on it.

James.
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Google OpenID is now live

2008-04-09 Thread John Panzer 

Any sufficiently advanced web site system is indistinguishable from an OP.

Or, rather, can be turned into an OP. :)

Vinay Gupta wrote:


I think that kind of misses the point. The *namespace* that google 
manages is now open for business as an OpenID provider. It's an 
unanticipated side-effect of the APIs.


I think it's kind of a big deal, actually, in terms of how OpenID is 
right from an engineering perspective and how it can spread in 
unexpected ways. If only login were so easy.


Vinay







--
Vinay Gupta - Designer, Hexayurt Project - an excellent public domain 
refugee shelter system
Gizmo Project VOIP: 775-743-1851 (usually works!)  
 http://hexayurt.com/
Cell: Iceland (+354) 869-4605   
 Skype/Gizmo/Gtalk: hexayurt 
People with courage and character always seem sinister to the rest
  Herman Hesse



On Apr 9, 2008, at 7:45 PM, John Ehn wrote:
I agree.  I think this is an excellent technology demonstration, but 
it is a third-party, not Google, that is enabling the ID.
 
John


2008/4/9 Immad Akhund <[EMAIL PROTECTED] >:

When Google eventually does make a proper OpenID provider all the
OpenIDs provided by openid-provider.appspot.com
 would not match.

Would get very confusing apart from advanced users that
understand the distinction.

Immad


On Wed, Apr 9, 2008 at 12:49 PM, Paul Madsen
<[EMAIL PROTECTED] > wrote:

I expect Google might have a (legal) opinion on
characterizing this
application as 'Google OpenID'

I think I'll wait for Google itself to enable my Gmail as an
OpenID.

paul

Vinay Gupta wrote:
> http://openid-provider.appspot.com/
>
> Somebody used their app hosting service and implemented an
OpenID
> provider.
>
> That kind of changes things, doesn't it?
>
> Vinay
>
>
>
>
>
>
>
>
> --
> Vinay Gupta - Designer, Hexayurt Project - an excellent
public domain
> refugee shelter system
> Gizmo Project VOIP: 775-743-1851 (usually works!)
>  http://hexayurt.com/
> Cell: Iceland (+354) 869-4605
>  Skype/Gizmo/Gtalk: hexayurt
> People with courage and character always seem sinister to
the rest
>   Herman Hesse
>
>
>

>
> ___
> specs mailing list
> specs@openid.net 
> http://openid.net/mailman/listinfo/specs
>
>

>
> No virus found in this incoming message.
> Checked by AVG.
> Version: 7.5.519 / Virus Database: 269.22.9/1365 - Release
Date: 4/8/2008 7:30 AM
>

--
Paul Madsene:paulmadsen @ ntt-at.com

NTTp:613-482-0432
  m:613-282-8647
  aim:PaulMdsn5
  web:connectid.blogspot.com


___
specs mailing list
specs@openid.net 
http://openid.net/mailman/listinfo/specs




-- 
Cell: +1 617 460 7271

Skype: i.akhund
Blog: http://immadsnewworld.com 

Clickpass, CTO
___
specs mailing list
specs@openid.net 
http://openid.net/mailman/listinfo/specs


___
specs mailing list
specs@openid.net 
http://openid.net/mailman/listinfo/specs




___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
  


___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Google OpenID is now live

2008-04-09 Thread Paul Madsen 
if and when Google manages its own namespace as OpenIDs, I hope they 
provide more consistent QoS - I havent seen this one work yet

paul

Vinay Gupta wrote:
>
> I think that kind of misses the point. The *namespace* that google 
> manages is now open for business as an OpenID provider. It's an 
> unanticipated side-effect of the APIs.
>
> I think it's kind of a big deal, actually, in terms of how OpenID is 
> right from an engineering perspective and how it can spread in 
> unexpected ways. If only login were so easy.
>
> Vinay
>
>
>
>
>
>
>
> -- 
> Vinay Gupta - Designer, Hexayurt Project - an excellent public domain 
> refugee shelter system
> Gizmo Project VOIP: 775-743-1851 (usually works!)  
>  http://hexayurt.com/
> Cell: Iceland (+354) 869-4605   
>  Skype/Gizmo/Gtalk: hexayurt 
> People with courage and character always seem sinister to the rest
>   Herman Hesse
>
>
> On Apr 9, 2008, at 7:45 PM, John Ehn wrote:
>> I agree.  I think this is an excellent technology demonstration, but 
>> it is a third-party, not Google, that is enabling the ID.
>>  
>> John
>>
>> 2008/4/9 Immad Akhund <[EMAIL PROTECTED] >:
>>
>> When Google eventually does make a proper OpenID provider all the
>> OpenIDs provided by openid-provider.appspot.com
>>  would not match.
>>
>> Would get very confusing apart from advanced users that
>> understand the distinction.
>>
>> Immad
>>
>>
>> On Wed, Apr 9, 2008 at 12:49 PM, Paul Madsen
>> <[EMAIL PROTECTED] > wrote:
>>
>> I expect Google might have a (legal) opinion on
>> characterizing this
>> application as 'Google OpenID'
>>
>> I think I'll wait for Google itself to enable my Gmail as an
>> OpenID.
>>
>> paul
>>
>> Vinay Gupta wrote:
>> > http://openid-provider.appspot.com/
>> >
>> > Somebody used their app hosting service and implemented an
>> OpenID
>> > provider.
>> >
>> > That kind of changes things, doesn't it?
>> >
>> > Vinay
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> > --
>> > Vinay Gupta - Designer, Hexayurt Project - an excellent
>> public domain
>> > refugee shelter system
>> > Gizmo Project VOIP: 775-743-1851 (usually works!)
>> >  http://hexayurt.com/
>> > Cell: Iceland (+354) 869-4605
>> >  Skype/Gizmo/Gtalk: hexayurt
>> > People with courage and character always seem sinister to
>> the rest
>> >   Herman Hesse
>> >
>> >
>> >
>> 
>> 
>> >
>> > ___
>> > specs mailing list
>> > specs@openid.net 
>> > http://openid.net/mailman/listinfo/specs
>> >
>> >
>> 
>> 
>> >
>> > No virus found in this incoming message.
>> > Checked by AVG.
>> > Version: 7.5.519 / Virus Database: 269.22.9/1365 - Release
>> Date: 4/8/2008 7:30 AM
>> >
>>
>> --
>> Paul Madsene:paulmadsen @ ntt-at.com
>> 
>> NTTp:613-482-0432
>>   m:613-282-8647
>>   aim:PaulMdsn5
>>   web:connectid.blogspot.com
>> 
>>
>> ___
>> specs mailing list
>> specs@openid.net 
>> http://openid.net/mailman/listinfo/specs
>>
>>
>>
>>
>> -- 
>> Cell: +1 617 460 7271
>> Skype: i.akhund
>> Blog: http://immadsnewworld.com 
>>
>> Clickpass, CTO
>> ___
>> specs mailing list
>> specs@openid.net 
>> http://openid.net/mailman/listinfo/specs
>>
>>
>> ___
>> specs mailing list
>> specs@openid.net 
>> http://openid.net/mailman/listinfo/specs
>
> 
>
> ___
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
>   
> 
>
> No virus found in this incoming message.
> Checked by AVG. 
> Version: 7.5.519 / Virus Database: 269.22.10/1367 - Release Date: 4/9/2008 
> 7:10 AM
>   

-- 
Paul Madsene:paulmadsen @

Re: Google OpenID is now live

2008-04-09 Thread Vinay Gupta 


I think that kind of misses the point. The *namespace* that google  
manages is now open for business as an OpenID provider. It's an  
unanticipated side-effect of the APIs.


I think it's kind of a big deal, actually, in terms of how OpenID is  
right from an engineering perspective and how it can spread in  
unexpected ways. If only login were so easy.


Vinay







--
Vinay Gupta - Designer, Hexayurt Project - an excellent public domain  
refugee shelter system
Gizmo Project VOIP: 775-743-1851 (usually  
works!)   http://hexayurt.com/
Cell: Iceland (+354) 869-4605 
Skype/Gizmo/Gtalk: hexayurt
People with courage and character always seem sinister to the  
rest  Herman Hesse



On Apr 9, 2008, at 7:45 PM, John Ehn wrote:

I agree.  I think this is an excellent technology demonstration,  
but it is a third-party, not Google, that is enabling the ID.


John

2008/4/9 Immad Akhund <[EMAIL PROTECTED]>:
When Google eventually does make a proper OpenID provider all the  
OpenIDs provided by openid-provider.appspot.com would not match.


Would get very confusing apart from advanced users that understand  
the distinction.


Immad


On Wed, Apr 9, 2008 at 12:49 PM, Paul Madsen  
<[EMAIL PROTECTED]> wrote:

I expect Google might have a (legal) opinion on characterizing this
application as 'Google OpenID'

I think I'll wait for Google itself to enable my Gmail as an OpenID.

paul

Vinay Gupta wrote:
> http://openid-provider.appspot.com/
>
> Somebody used their app hosting service and implemented an OpenID
> provider.
>
> That kind of changes things, doesn't it?
>
> Vinay
>
>
>
>
>
>
>
>
> --
> Vinay Gupta - Designer, Hexayurt Project - an excellent public  
domain

> refugee shelter system
> Gizmo Project VOIP: 775-743-1851 (usually works!)
>  http://hexayurt.com/
> Cell: Iceland (+354) 869-4605
>  Skype/Gizmo/Gtalk: hexayurt
> People with courage and character always seem sinister to the rest
>   Herman Hesse
>
>
>  
-- 
--

>
> ___
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
>
>  
-- 
--

>
> No virus found in this incoming message.
> Checked by AVG.
> Version: 7.5.519 / Virus Database: 269.22.9/1365 - Release Date:  
4/8/2008 7:30 AM

>

--
Paul Madsene:paulmadsen @ ntt-at.com
NTTp:613-482-0432
  m:613-282-8647
  aim:PaulMdsn5
  web:connectid.blogspot.com

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs



--
Cell: +1 617 460 7271
Skype: i.akhund
Blog: http://immadsnewworld.com

Clickpass, CTO
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Google OpenID is now live

2008-04-09 Thread John Ehn 
I agree.  I think this is an excellent technology demonstration, but it is a
third-party, not Google, that is enabling the ID.

John

2008/4/9 Immad Akhund <[EMAIL PROTECTED]>:

> When Google eventually does make a proper OpenID provider all the OpenIDs
> provided by openid-provider.appspot.com would not match.
>
> Would get very confusing apart from advanced users that understand the
> distinction.
>
> Immad
>
>
> On Wed, Apr 9, 2008 at 12:49 PM, Paul Madsen <[EMAIL PROTECTED]>
> wrote:
>
> > I expect Google might have a (legal) opinion on characterizing this
> > application as 'Google OpenID'
> >
> > I think I'll wait for Google itself to enable my Gmail as an OpenID.
> >
> > paul
> >
> > Vinay Gupta wrote:
> > > http://openid-provider.appspot.com/
> > >
> > > Somebody used their app hosting service and implemented an OpenID
> > > provider.
> > >
> > > That kind of changes things, doesn't it?
> > >
> > > Vinay
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > --
> > > Vinay Gupta - Designer, Hexayurt Project - an excellent public domain
> > > refugee shelter system
> > > Gizmo Project VOIP: 775-743-1851 (usually works!)
> > >  http://hexayurt.com/
> > > Cell: Iceland (+354) 869-4605
> > >  Skype/Gizmo/Gtalk: hexayurt
> > > People with courage and character always seem sinister to the rest
> > >   Herman Hesse
> > >
> > >
> > >
> > 
> > >
> > > ___
> > > specs mailing list
> > > specs@openid.net
> > > http://openid.net/mailman/listinfo/specs
> > >
> > >
> > 
> > >
> > > No virus found in this incoming message.
> > > Checked by AVG.
> > > Version: 7.5.519 / Virus Database: 269.22.9/1365 - Release Date:
> > 4/8/2008 7:30 AM
> > >
> >
> > --
> > Paul Madsene:paulmadsen @ ntt-at.com
> > NTTp:613-482-0432
> >   m:613-282-8647
> >   aim:PaulMdsn5
> >   web:connectid.blogspot.com
> >
> > ___
> > specs mailing list
> > specs@openid.net
> > http://openid.net/mailman/listinfo/specs
> >
>
>
>
> --
> Cell: +1 617 460 7271
> Skype: i.akhund
> Blog: http://immadsnewworld.com
>
> Clickpass, CTO
> ___
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
>
>
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Google OpenID is now live

2008-04-09 Thread Immad Akhund 
When Google eventually does make a proper OpenID provider all the OpenIDs
provided by openid-provider.appspot.com would not match.

Would get very confusing apart from advanced users that understand the
distinction.

Immad

On Wed, Apr 9, 2008 at 12:49 PM, Paul Madsen <[EMAIL PROTECTED]> wrote:

> I expect Google might have a (legal) opinion on characterizing this
> application as 'Google OpenID'
>
> I think I'll wait for Google itself to enable my Gmail as an OpenID.
>
> paul
>
> Vinay Gupta wrote:
> > http://openid-provider.appspot.com/
> >
> > Somebody used their app hosting service and implemented an OpenID
> > provider.
> >
> > That kind of changes things, doesn't it?
> >
> > Vinay
> >
> >
> >
> >
> >
> >
> >
> >
> > --
> > Vinay Gupta - Designer, Hexayurt Project - an excellent public domain
> > refugee shelter system
> > Gizmo Project VOIP: 775-743-1851 (usually works!)
> >  http://hexayurt.com/
> > Cell: Iceland (+354) 869-4605
> >  Skype/Gizmo/Gtalk: hexayurt
> > People with courage and character always seem sinister to the rest
> >   Herman Hesse
> >
> >
> > 
> >
> > ___
> > specs mailing list
> > specs@openid.net
> > http://openid.net/mailman/listinfo/specs
> >
> > 
> >
> > No virus found in this incoming message.
> > Checked by AVG.
> > Version: 7.5.519 / Virus Database: 269.22.9/1365 - Release Date:
> 4/8/2008 7:30 AM
> >
>
> --
> Paul Madsene:paulmadsen @ ntt-at.com
> NTTp:613-482-0432
>   m:613-282-8647
>   aim:PaulMdsn5
>   web:connectid.blogspot.com
>
> ___
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
>



-- 
Cell: +1 617 460 7271
Skype: i.akhund
Blog: http://immadsnewworld.com

Clickpass, CTO
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Google OpenID is now live

2008-04-09 Thread Paul Madsen 
I expect Google might have a (legal) opinion on characterizing this 
application as 'Google OpenID'

I think I'll wait for Google itself to enable my Gmail as an OpenID.

paul

Vinay Gupta wrote:
> http://openid-provider.appspot.com/
>
> Somebody used their app hosting service and implemented an OpenID 
> provider.
>
> That kind of changes things, doesn't it?
>
> Vinay
>
>
>
>
>
>
>
>
> -- 
> Vinay Gupta - Designer, Hexayurt Project - an excellent public domain 
> refugee shelter system
> Gizmo Project VOIP: 775-743-1851 (usually works!)  
>  http://hexayurt.com/
> Cell: Iceland (+354) 869-4605   
>  Skype/Gizmo/Gtalk: hexayurt 
> People with courage and character always seem sinister to the rest
>   Herman Hesse
>
>
> 
>
> ___
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
>   
> 
>
> No virus found in this incoming message.
> Checked by AVG. 
> Version: 7.5.519 / Virus Database: 269.22.9/1365 - Release Date: 4/8/2008 
> 7:30 AM
>   

-- 
Paul Madsene:paulmadsen @ ntt-at.com
NTTp:613-482-0432
   m:613-282-8647
   aim:PaulMdsn5
   web:connectid.blogspot.com 

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Google OpenID is now live

2008-04-09 Thread Vinay Gupta 

http://openid-provider.appspot.com/

Somebody used their app hosting service and implemented an OpenID  
provider.


That kind of changes things, doesn't it?

Vinay








--
Vinay Gupta - Designer, Hexayurt Project - an excellent public domain  
refugee shelter system
Gizmo Project VOIP: 775-743-1851 (usually  
works!)   http://hexayurt.com/
Cell: Iceland (+354) 869-4605 
Skype/Gizmo/Gtalk: hexayurt
People with courage and character always seem sinister to the  
rest  Herman Hesse



___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs