sage-
From: Paul Madsen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 26, 2008 1:23 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: OpenID 3.0
in a B2B case, would not the insurance agency be the OP, and its
identity carried through the relevant assertion fields?
As Mas
f the agent but also
>> the insurance agency, the insurance agent is employed by.
>>
>> -Original Message-
>> From: NISHITANI Masaki [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, February 26, 2008 1:10 AM
>> To: McGovern, James F (HTSC, IT)
>> Cc: specs@openi
> From: NISHITANI Masaki [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 26, 2008 1:10 AM
> To: McGovern, James F (HTSC, IT)
> Cc: specs@openid.net
> Subject: Re: OpenID 3.0
>
> Let me confirm a point.
>
> On #1, do you mean to enforce OpenID to control the identity-hol
: NISHITANI Masaki [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 26, 2008 1:10 AM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: OpenID 3.0
Let me confirm a point.
On #1, do you mean to enforce OpenID to control the identity-holders are
permitted to access what kind of
Let me confirm a point.
On #1, do you mean to enforce OpenID to control the
identity-holders are permitted to access what kind of
content or service on RP or provide some kind of help making
RP's decision easier?
I feel it is natural for RP to do access-control by itself,
but on the other
+1. Let's get 2.0 deployed and figure out what it might be lacking
before just starting on 3.0.
On Feb 3, 2008, at 11:05 PM, Johannes Ernst wrote:
> Amen. Let's build (optional) extensions, and only if that absolutely
> does not work for an essential feature, meekly suggest that the
> smallest
McGovern, James F (HTSC, IT) wrote:
One of the scenarios that reputation would need to consider is the
security of all channels. For example, in my role I may deem that I will
only trust interactions that occurred 100% over SSL. If someone
specified an HTTP Open ID (e.g. http://james.myopenid.com
McGovern, James F (HTSC, IT) wrote:
The provider authentication policy extension handles half of this
already (telling you what checking the OP did). It does not cover the
trust issue though, so without a pre-existing trust relationship there
is no reason to believe the PAP assertions.
Right
I'm not sure what there would be to say in the spec about this: SQL
injection is not part of the standard, but rather a feature of some
implementations :)
[JFM] I agree that many of the ways that have been implemented to date
are insecure and that many of the implementors would be well served by
u may want to read it as
well.
http://www.sakimura.org/en/modules/wordpress/index.php?p=30
Re: OpenID 3.0
While we were writing (are still writing) OpenID Trusted data Exchange
(TX) proposal, we started to feel that if we introduce Reputation
Service appropriately, we can
Amen. Let's build (optional) extensions, and only if that absolutely
does not work for an essential feature, meekly suggest that the
smallest possible set of changes be made to an existing spec.
Note that any term such as "OpenID 3.0" is mostly a marketing /
branding term, just like "OpenID
On 04/02/2008, Eddy Nigg (StartCom Ltd.) <[EMAIL PROTECTED]> wrote:
> > James Henstridge wrote:
> > Of course, the OP is restricted to returning identities that it is
> > authoritative for. This is what allows any yahoo user to enter
> > "yahoo.com" as their OpenID identifier while still letting R
James Henstridge wrote:
Thanks for your reply...
When used in directed identity mode, the OP can pick the identity:
http://openid.net/specs/openid-authentication-2_0.html#responding_to_authentication
Of course, the OP is restricted to returning identities that it is
authoritative for. Th
On 02/02/2008, Eddy Nigg (StartCom Ltd.) <[EMAIL PROTECTED]> wrote:
> Yes, I also wonder why the IDP can't just return the ID. As of now I think
> it's
> two steps for this, with the RP explicitly requesting it? Or am I wrong with
> that?
When used in directed identity mode, the OP can pick the id
I apologise that this message doesn't directly address any of the points
you've made, but others have been doing that.
I just want to make a general point:
In my opinion, we should resist the urge to start specing "OpenID 3.0"
(aka OpenID vNext) and try to do everything else that needs to be do
Yes, I also wonder why the IDP can't just return the ID. As of now I
think it's two steps for this, with the RP explicitly requesting it? Or am
I wrong with that?
James Henstridge wrote:
On 02/02/2008, Kevin Turner <[EMAIL PROTECTED]> wrote:
On Sat, 2008-02-02 at 08:51 +1100, James Henstridg
On 02/02/2008, Kevin Turner <[EMAIL PROTECTED]> wrote:
> On Sat, 2008-02-02 at 08:51 +1100, James Henstridge wrote:
> > > 5. A way for OpenID relying parties to filter out Ops. In a business
> > > scenario, if I run the Sun employee store, I may only want the Sun OP to
> > > talk with me.
> >
> > T
On Sat, 2008-02-02 at 08:51 +1100, James Henstridge wrote:
> > 5. A way for OpenID relying parties to filter out Ops. In a business
> > scenario, if I run the Sun employee store, I may only want the Sun OP to
> > talk with me.
>
> This is already possible with OpenID 2.0:
[snip]
This is already p
On 02/02/2008, McGovern, James F (HTSC, IT)
<[EMAIL PROTECTED]> wrote:
> Figured I would ask if anyone is interested in brainstorming the next
> version of OpenID and how it can be used in Enterprise B2B settings and not
> solely focusing on consumerish interactions. Some things that I would like
>
I'm not sure what the new intellectual property policy means as
regards to discussing on the mailing lists. Do I implicitly agree
to this policy by posting ideas here? Can someone explain?
More info at
http://www.mail-archive.com/[EMAIL PROTECTED]/msg2.html
Thanks,
Hans
On 2/1/08, McGovern,