RE: Delegation discussion summary

2006-10-13 Thread Marius Scurtescu
On Thu, 2006-12-10 at 22:47 -0700, Drummond Reed wrote: +1 to Josh's point. IMHO identifier portability is sacred. If anyone disagrees, please post. Can we assume we have consensus on this? Yes, portability is sacred. I was suggesting that portability can be resolved between the user and the

Re: Consolidated Delegate Proposal

2006-10-13 Thread Martin Atkins
Dick Hardt wrote: Won't the IdP still have to resolve the i-name? The IdP can't trust the RP, or know that the i-name and i-number are really linked unless it checks itself. The IdP is only authenticating the i-number. The i-name is for display to the user and possibly to allow

Re: Delegation discussion summary

2006-10-13 Thread Martin Atkins
Drummond Reed wrote: +1 to getting it done. This area of terminology is more a usability/marketing issue at this point. I agree we need to converge on good, simple user-facing terms for describing OpenID in ways ordinary Web users can easily understand. Although I have great respect for

Re: [PROPOSAL] request nonce and name

2006-10-13 Thread Martin Atkins
Marius Scurtescu wrote: On 12-Oct-06, at 5:07 PM, Josh Hoyt wrote: On 10/12/06, Marius Scurtescu [EMAIL PROTECTED] wrote: If passing through all unrecognized parameters can cause problems then there could be a special namespace for this purpose. For example, all parameters with names

Re[2]: [PROPOSAL] request nonce and name

2006-10-13 Thread Chris Drake
Hi All, Just so everyone remembers: GET-encoded http:// URLs usually appear en masse in public lists (from proxy cache logs). If you don't want to POST data anyplace, remember to expect replay attacks often. Kind Regards, Chris Drake Friday, October 13, 2006, 7:48:31 PM, you wrote: JH On

RE: Delegation discussion summary

2006-10-13 Thread Hallam-Baker, Phillip
There is an established vocabulary, it should be used. Sent from my GoodLink Wireless Handheld (www.good.com) -Original Message- From: Recordon, David [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 12, 2006 09:04 PM Pacific Standard

RE: Delegation discussion summary

2006-10-13 Thread Recordon, David
+1 -Original Message- From: Drummond Reed [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 12, 2006 10:46 PM Pacific Standard Time To: 'Josh Hoyt'; 'Marius Scurtescu' Cc: specs@openid.net Subject: RE: Delegation discussion summary +1 to

RE: Delegation discussion summary

2006-10-13 Thread Granqvist, Hans
I can see potential use-cases where Alice doesn't want the idp to know what her portable URL is. This would not work if the protocol requires both as per below. Can it be solved by sending a hash of the portable identifier? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: Delegation discussion summary

2006-10-13 Thread Drummond Reed
Hans, This has come up a few times and the mapping between the portable identifier and the IdP-specific identifier is available in public XRDS documents. So there's no point in trying to hide that information from the IdP -- and it may even be misleading to suggest to end-users that they could

RE: Delegation discussion summary

2006-10-13 Thread Drummond Reed
But I suggest we move that terminology discussion to the marketing list. What marketing list? http://lists.iwantmyopenid.org/mailman/listinfo/marketing. =Drummond

RE: Delegation discussion summary

2006-10-13 Thread Granqvist, Hans
Makes sense, but do you *have* to put delegation info in an XRDS document? I'd like to think if I were to use an RP that I trust not to 'collude' with the IDP, there would be no reason for the IDP to know potential delegation? That gives me true identity portability and an open choice of IDPs.

Use of i-numbers (was RE: Consolidated Delegate Proposal)

2006-10-13 Thread Drummond Reed
Martin wrote: I think this is the intention, though it does show an interesting inconsistency between the use of XRIs and the use of i-numbers. I currently have three URL-based identifiers all pointing at the same server and the same Yadis document, yet those identifiers are distinct.

RE: Delegation discussion summary

2006-10-13 Thread Drummond Reed
Marius wrote: I was suggesting that portability can be resolved between the user and the IdP. I cannot see how the protocol can help this by passing two identifiers. And if only the portable identifier is passed then there is no need to mention the IdP-specific identifier. Marius,

Identifier portability: the fundamental issue

2006-10-13 Thread Drummond Reed
Yesterday we established consensus that with OpenID, identifier portability is sacred. Today I'd like to establish consensus on the following postulate: To achieve identifier portability in OpenID, it MUST be possible for the RP and the IdP to identify the user using two different identifiers:

Re: Identifier portability: the fundamental issue

2006-10-13 Thread Johannes Ernst
On Oct 13, 2006, at 12:59, Drummond Reed wrote: Yesterday we established consensus that with OpenID, identifier portability is sacred. Could somebody please post a succinct definition of identifier portability somewhere? If we have a new religion, we might as well agree what it is ;-)

Re: Identifier portability: the fundamental issue

2006-10-13 Thread Johannes Ernst
On Oct 13, 2006, at 12:59, Drummond Reed wrote: 1) If the RP sends the IdP-specific identifier, the RP must keep state to maintain mapping to the portable identifier (bad), and I agree, but I'm not sure that this is a big issue. Won't a simple cookie be sufficient? Johannes Ernst

RE: Identifier portability: the fundamental issue

2006-10-13 Thread Granqvist, Hans
To achieve identifier portability in OpenID, it MUST be possible for the RP and the IdP to identify the user using two different identifiers: an identifier by which the RP knows the user (the portable identifier), and an identifier by which the IdP knows the user (the IdP-specific

RE: Identifier portability: the fundamental issue

2006-10-13 Thread Brad Fitzpatrick
On Fri, 13 Oct 2006, Granqvist, Hans wrote: To achieve identifier portability in OpenID, it MUST be possible for the RP and the IdP to identify the user using two different identifiers: an identifier by which the RP knows the user (the portable identifier), and an identifier by which

Re: Delegation discussion summary

2006-10-13 Thread Marius Scurtescu
On 13-Oct-06, at 12:20 PM, Drummond Reed wrote: Marius wrote: I was suggesting that portability can be resolved between the user and the IdP. I cannot see how the protocol can help this by passing two identifiers. And if only the portable identifier is passed then there is no need to

Re: Identifier portability: the fundamental issue

2006-10-13 Thread Marius Scurtescu
On 13-Oct-06, at 12:59 PM, Drummond Reed wrote: Yesterday we established consensus that with OpenID, identifier portability is sacred. Today I'd like to establish consensus on the following postulate: To achieve identifier portability in OpenID, it MUST be possible for the RP and

RE: Identifier portability: the fundamental issue

2006-10-13 Thread Hallam-Baker, Phillip
We must have different understandings of the term sacred then. My understanding of the term is that it refers to a tenet of faith which might cause offense if contradicted. Sent from my GoodLink Wireless Handheld (www.good.com)

Re: Consolidated Delegate Proposal

2006-10-13 Thread Marius Scurtescu
On 12-Oct-06, at 11:40 PM, Drummond Reed wrote: Drummond wrote: Since the RP has to do discovery on the i-name, the RP already has the i-number (CanonicalID). Further, as explained in previous threads, the CanonicalID is the primary key the RP wants to store for the user, not the

Re: Consolidated Delegate Proposal

2006-10-13 Thread Josh Hoyt
On 10/13/06, Marius Scurtescu [EMAIL PROTECTED] wrote: The IdP is issuing a signed assertion about these identifiers, I would assume the IdP to check the link between these identifiers. Sending two identifiers does not *prevent* the IdP from checking to make sure they match. What if a bad RP

RE: Identifier portability: the fundamental issue

2006-10-13 Thread Drummond Reed
Drummond wrote: To achieve identifier portability in OpenID, it MUST be possible for the RP and the IdP to identify the user using two different identifiers: an identifier by which the RP knows the user (the portable identifier), and an identifier by which the IdP knows the user (the
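Added example, not code from the list or from the OpenID specs: a Python sketch of the two-identifier flow argued over in the "Delegation discussion summary", "Consolidated Delegate Proposal" and "Identifier portability" threads above, plus the replay check Chris Drake asks for in the "[PROPOSAL] request nonce and name" thread. The RP knows the user by a portable identifier and stores that as its primary key; the IdP authenticates only its own IdP-specific identifier and refuses a mismatched pair sent by a bad RP; the RP re-runs discovery on the returned portable identifier instead of trusting the IdP for the link; and a response replayed from a log is rejected by its nonce. Following Drummond's point that the mapping lives in public discovery data, nothing here tries to hide the portable identifier from the IdP. The discovery table, endpoints, identifiers, association keys, field names and the plain HMAC signature are all constructed assumptions, not the specification's wire format.

```python
"""Toy two-identifier (delegation) flow. Added example; every name, key
and discovery entry below is constructed for illustration."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode

# Constructed stand-in for Yadis/XRDS discovery on the portable identifier:
# portable identifier -> (IdP endpoint, IdP-specific identifier). This data
# is public, so nothing tries to hide the mapping from the IdP.
DISCOVERY = {
    "http://alice.example.net/": ("https://idp-a.example.org/openid",
                                  "https://idp-a.example.org/u/alice8821"),
}
# Constructed association (MAC) keys shared between the RP and each IdP.
ASSOC_KEYS = {
    "https://idp-a.example.org/openid": b"assoc-key-idp-a",
    "https://idp-b.example.com/openid": b"assoc-key-idp-b",
}
SIGNED = ("claimed_id", "identity", "op_endpoint", "return_to", "response_nonce")


def discover(portable_id):
    """RP-side discovery (a table lookup in place of a Yadis/XRDS fetch)."""
    return DISCOVERY.get(portable_id)


def rp_build_request(portable_id, return_to):
    """The RP sends both identifiers; the portable one is its primary key."""
    found = discover(portable_id)
    if found is None:
        raise ValueError("discovery failed for " + portable_id)
    endpoint, local_id = found
    return endpoint, {"claimed_id": portable_id, "identity": local_id,
                      "return_to": return_to}


def sign(fields, key):
    """HMAC over the named fields (stand-in for the real signature format)."""
    msg = "&".join(k + "=" + fields[k] for k in SIGNED).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def idp_handle(endpoint, request, authenticated_local_id):
    """The IdP authenticates only its own identifier. A pair from a bad RP
    naming someone else's local identifier is refused; the portable
    identifier is passed through and covered by the signature."""
    if request["identity"] != authenticated_local_id:
        return None
    nonce = "%d-%s" % (int(time.time()), secrets.token_hex(8))
    resp = dict(request, op_endpoint=endpoint, response_nonce=nonce)
    resp["sig"] = sign(resp, ASSOC_KEYS[endpoint])
    return resp


def rp_verify(response, seen_nonces):
    """Check the MAC, re-run discovery so the claimed_id -> identity link
    comes from public data rather than from the IdP, and reject a replayed
    response (GET responses end up in proxy logs, so replays are cheap)."""
    endpoint = response["op_endpoint"]
    key = ASSOC_KEYS.get(endpoint)
    if key is None or not hmac.compare_digest(sign(response, key), response["sig"]):
        return False
    if discover(response["claimed_id"]) != (endpoint, response["identity"]):
        return False
    if response["response_nonce"] in seen_nonces:
        return False
    seen_nonces.add(response["response_nonce"])
    return True


def demo():
    """Run the flow, a replay, a forged pair, and a move to a new IdP."""
    alice, rt = "http://alice.example.net/", "https://rp.example/return"
    a_local, b_local = "https://idp-a.example.org/u/alice8821", "https://idp-b.example.com/id/a77"
    original, seen, out = DISCOVERY[alice], set(), {}
    try:
        ep, req = rp_build_request(alice, rt)
        resp = idp_handle(ep, req, a_local)
        out["accepted"] = rp_verify(resp, seen)
        # The same response lifted from a log and submitted again.
        replay = dict(parse_qsl(urlencode(resp)))
        out["replay_rejected"] = not rp_verify(replay, seen)
        # A bad RP pairs Alice's portable identifier with Mallory's local one.
        forged = dict(req, identity="https://idp-a.example.org/u/mallory")
        out["forged_pair_refused"] = idp_handle(ep, forged, a_local) is None
        # Alice moves to IdP B: only the public mapping changes; the RP's key
        # (her portable identifier) does not.
        DISCOVERY[alice] = ("https://idp-b.example.com/openid", b_local)
        ep2, req2 = rp_build_request(alice, rt)
        out["after_move"] = rp_verify(idp_handle(ep2, req2, b_local), set())
        # IdP A can still sign for its own local identifier, but discovery no
        # longer links that identifier to Alice's portable one.
        out["stale_idp_rejected"] = not rp_verify(idp_handle(ep, req, a_local), set())
    finally:
        DISCOVERY[alice] = original
    return out


if __name__ == "__main__":
    print(demo())
```

The RP keeps no mapping state beyond the portable identifier it already stores: the assertion carries both identifiers, and the re-run discovery is what makes the pair trustworthy, which is the answer to the cookie question in the thread. The nonce set would need a bounded lifetime in a real deployment, which is why the constructed nonce starts with a timestamp.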