Re: openid.delegate explained.

2006-10-04 Thread Dick Hardt
On 4-Oct-06, at 1:27 PM, Martin Atkins wrote: > Dick Hardt wrote: >> >> The RP needs to resolve the identifier to check who is authoritative >> for it. >> >> If you create a mechanism for how to resolve who owns >> "mailto:[EMAIL PROTECTED]", then it works. >> >> That functionality is needed to pre

Re: openid.delegate explained.

2006-10-04 Thread Martin Atkins
Dick Hardt wrote: > > The RP needs to resolve the identifier to check who is authoritative > for it. > > If you create a mechanism for how to resolve who owns > "mailto:[EMAIL PROTECTED]", then it works. > > That functionality is needed to prevent any IdP from being > authoritative for an ar

Re: openid.delegate explained.

2006-10-04 Thread Dick Hardt
On 4-Oct-06, at 10:52 AM, Martin Atkins wrote: > >>> And all you've achieved here is to hand your identifier over to >>> Brad. >> >> Not at all! My IdP will only accept my credentials. If Brad pointed >> his identifier to my IdP, he'd have handed it over to me, but >> there is >> no way that

Re: openid.delegate explained.

2006-10-04 Thread Martin Atkins
>> And all you've achieved here is to hand your identifier over to Brad. > > Not at all! My IdP will only accept my credentials. If Brad pointed > his identifier to my IdP, he'd have handed it over to me, but there is > no way that he can use MY IdP even though it would make an assertion > about

Re: openid.delegate explained.

2006-10-04 Thread Josh Hoyt
On 10/3/06, Martin Atkins <[EMAIL PROTECTED]> wrote: > And all you've achieved here is to hand your identifier over to Brad. Not at all! My IdP will only accept my credentials. If Brad pointed his identifier to my IdP, he'd have handed it over to me, but there is no way that he can use MY IdP even

RE: openid.delegate explained.

2006-10-04 Thread Drummond Reed
>> Josh Hoyt wrote: >> >> An example to illustrate how delegation can make it hard to understand >> what's going on: >> >> 1. Set up an IdP that will let me verify, say "bradfitz.com." This >> does not mean that I have any control of bradfitz.com, just that if I >> did, I could use this IdP. >>

Re: openid.delegate explained.

2006-10-03 Thread Martin Atkins
Josh Hoyt wrote: > > An example to illustrate how delegation can make it hard to understand > what's going on: > > 1. Set up an IdP that will let me verify, say "bradfitz.com." This > does not mean that I have any control of bradfitz.com, just that if I > did, I could use this IdP. > > 2. Set up

Re: openid.delegate explained.

2006-10-03 Thread Dick Hardt
On 3-Oct-06, at 7:11 PM, Drummond Reed wrote: > Dick, > > I'm afraid we just disagree on this. > > You cite the Google definition, which is the general English-language > meaning of the term. which is what most people will know. The person editing the HTML page to put in the delegate tag is no

RE: openid.delegate explained.

2006-10-03 Thread Drummond Reed
o that problem? Has anyone else on the list never run into that problem? =Drummond -Original Message- From: Dick Hardt [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 03, 2006 6:12 PM To: Drummond Reed Cc: 'Marius Scurtescu'; specs@openid.net Subject: Re: openid.delegate ex

Re: openid.delegate explained.

2006-10-03 Thread Dick Hardt
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf > Of Dick Hardt > Sent: Tuesday, October 03, 2006 4:52 PM > To: Marius Scurtescu > Cc: specs@openid.net > Subject: Re: openid.delegate explained. > > fwiw: I was -1 on Josh

RE: openid.delegate explained.

2006-10-03 Thread Drummond Reed
equivalent", "maps to", or "canonical". =Drummond -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dick Hardt Sent: Tuesday, October 03, 2006 4:52 PM To: Marius Scurtescu Cc: specs@openid.net Subject: Re: openid.delegate exp

Re: openid.delegate explained.

2006-10-03 Thread Dick Hardt
fwiw: I was -1 on Josh's proposal. I am now a 0. I think the name "delegate" is the right name though. It made sense to me right away. One URI is delegating to another URI to be authoritative about it. Drummond's explanation just reinforced my view. But perhaps I am missing something there.

Re: openid.delegate explained.

2006-10-03 Thread Josh Hoyt
On 10/3/06, Marius Scurtescu <[EMAIL PROTECTED]> wrote: > 3. Bare responses will not work. Ditto for IdP-driven identifier selection for a delegated identifier. > A question about doing discovery on delegated identifiers. Would you > expect the exactly same XRDS from both the claimed and delegate

Re: openid.delegate explained.

2006-10-03 Thread Marius Scurtescu
I think that the proposal made by Josh makes sense. First of all, why would you hide the claimed identifier from the IdP? If you don't trust your IdP you should not use it. Same thing if the IdP tries to charge you more because you are using delegate identifiers. If it is unreasonable then m

Re: openid.delegate explained.

2006-10-03 Thread Johannes Ernst
On Oct 3, 2006, at 11:58, Brad Fitzpatrick wrote: I don't care what openid.delegate is renamed to. But I feel strongly it has to survive ... I think it's one of the most important things to OpenID, just not well understood. Amen. (This comes from a guy -- me -- who took some months to get it.

RE: openid.delegate explained.

2006-10-03 Thread Drummond Reed
Brad, thanks much for posting this. Having spent a ton of time on identifier abstraction -- largely for the benefit of identifier portability -- I have enormous respect for this feature. So I am committed to being super-careful we don't break it just by renaming it. My proposal was limited to jus

Re: openid.delegate explained.

2006-10-03 Thread Josh Hoyt
On 10/3/06, Brad Fitzpatrick <[EMAIL PROTECTED]> wrote: > but LiveJournal.com knows jack shit about bradfitz.com ... and > perhaps Brad doesn't trust LJ to know about bradfitz.com ... > or fears LJ might charge more to use that feature. etc. What my protocol change proposal[1] amounts to is makin