Re: More questions about openid.ax.update_url

2007-10-22 Thread James Henstridge
On 18/10/2007, Johnny Bufu <[EMAIL PROTECTED]> wrote: > Hi James, > > On 17-Oct-07, at 2:42 AM, James Henstridge wrote: > > > I have a few more questions about the update_url feature of OpenID > > attribute exchange that I feel could do with answers in the > > specification. > > > > For the questio

Re: OpenID 2.0 finalization progress

2007-10-22 Thread Dick Hardt
On 19-Oct-07, at 10:20 PM, David Recordon wrote: > Completely agreed with Johannes. We are very close with the IPR > policy/process being in place and assuming all the contributors agree > to it, 2.0 can be declared final within 30 days of October 30th as > that is the end of the public review p

RE: OpenID 2.0 finalization progress

2007-10-22 Thread Gabe Wachob
Dick is right here regarding the certainty that an IPR policy provides with respect to patent. An IPR policy can never ensure that everyone in the world will refrain from making patent claims. With regards to patent, an IPR policy and procedure can only really affect those who choose to be subje

Re: More questions about openid.ax.update_url

2007-10-22 Thread Johnny Bufu
On 22-Oct-07, at 3:23 AM, James Henstridge wrote: >> If the RP does not store any user attributes (and requests them with >> each transaction from the OP), why does it want to be updated when >> the user changes an attribute value at their OP? > > What I meant was that the RP would act as a cache

Re: OpenID 2.0 finalization progress

2007-10-22 Thread Kevin Turner
On Fri, 2007-10-19 at 16:12 -0700, Johannes Ernst wrote: > [...] and after they had produced a spec, Rambus said "but we have > some patents". This led to at least one lawsuit I believe. > > I have heard wildly diverging assessments on whether or not this > could happen here. Ok, I'm looking f

An OAuth OpenID Extension

2007-10-22 Thread David Recordon
Hey all, I know John did some work in September (http://extremeswank.com/openid_trusted_auth.html and http://extremeswank.com/openid_inline_auth.html). Both solve extremely important use-cases and are becoming increasingly discussed especially with the advent of OAuth. I'd really like to

Re: PAPE Extension Specification

2007-10-22 Thread David Recordon
Great! Let's try to publish Draft 2 of PAPE either later today or tomorrow morning. Few more emails coming shortly on this stuff. --David On Oct 11, 2007, at 9:28 AM, Johnny Bufu wrote: > > On 8-Oct-07, at 8:20 AM, David Recordon wrote: > # On the same topic, I have suggested before and

Defining PAPE "active authentication" (WAS: Re: PAPE Extension Specification)

2007-10-22 Thread David Recordon
Agreed with Jonathan here, don't think we need to define a policy URI for "active". Rather need to clarify what is meant in section 5.1. (Optional) If the End User has not actively authenticated to the OP within the number of seconds specified in a manner fitting the requested

Re: PAPE Extension Specification (part 2)

2007-10-22 Thread David Recordon
On Oct 9, 2007, at 10:08 AM, Jonathan Daugherty wrote: > Hi all, > > Here are a few more items. > > Section 5.1 > > - The spec doesn't specify what should be done in the absence of > max_auth_age in a PAPE request. I could assume, but it would be > easy enough to specify, say, that the

RE: OpenID 2.0 finalization progress

2007-10-22 Thread Gabe Wachob
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of Kevin Turner > Sent: Monday, October 22, 2007 1:34 PM > To: specs > Subject: Re: OpenID 2.0 finalization progress > > On Fri, 2007-10-19 at 16:12 -0700, Johannes Ernst wrote: > > [...] and after they

Re: Defining PAPE "active authentication" (WAS: Re: PAPE Extension Specification)

2007-10-22 Thread Paul Madsen
SAML 2.0 expresses it in terms of whether or not the authentication is 'passive' paul David Recordon wrote: > Agreed with Jonathan here, don't think we need to define a policy URI > for "active". Rather need to clarify what is meant in section 5.1. > (Optional) If the End User has not a

Re: Question about PAPE

2007-10-22 Thread David Recordon
Hey Siddharth, Just to be clear, an OTP hardware token is considered a "one-time password device token" not a "Hard token" given SP 800-63, section 6 on page 15. This means that an OTP device can satisfy up to level 3, though a FIPS compliant Hard token would be needed for level 4. Level 3 al

Re: Defining PAPE "active authentication" (WAS: Re: PAPE Extension Specification)

2007-10-22 Thread David Recordon
Hey Paul, How do you guys define "passive"? Seems like the opposite problem of defining "active". Thanks, --David On Oct 22, 2007, at 3:18 PM, Paul Madsen wrote: > SAML 2.0 expresses it in terms of whether or not the authentication > is 'passive' > > paul > > David Recordon wrote: >> Agreed

Re: OpenID 2.0 finalization progress

2007-10-22 Thread Josh Hoyt
On 10/22/07, Gabe Wachob <[EMAIL PROTECTED]> wrote: > 3) the community calls the spec final and a contributor raises a potential > patent infringement issue, and since the community has already implemented > and deployed 2.0, the patent owner has more leverage because the costs of > "engineering ar

Re: Defining PAPE "active authentication" (WAS: Re: PAPE Extension Specification)

2007-10-22 Thread Paul Madsen
Hey David, IsPassive is an attribute on the AuthnRequest that allows the SP to indicate policy for how the user is authenticated IsPassive [Optional] A Boolean value. If "true", the identity provider and the user agent itself MUST NOT visibly take control of the user interface from the requeste

RE: OpenID 2.0 finalization progress

2007-10-22 Thread Gabe Wachob
I think that's exactly right, though it's really easy to have blind spots when it comes to figuring out the permutations of how one can game group behavior... so I won't guarantee anything else could happen (I've learned that much from law school ;) As I said, I *believe* all the actors involv

Some PAPE Wording Clarifications

2007-10-22 Thread David Recordon
Hey Johnny and Jonathan, Just checked in some clarifications, review would be appreciated. http://openid.net/pipermail/commits/2007-October/000381.html Thanks, --David

Re: An OAuth OpenID Extension

2007-10-22 Thread Joseph Holsten
Wow, these are neat. Thanks for the links David, and especially the work John! OK, so the Inline Auth use case seems like a straightforward case for OAuth: resource url => identifier, user auth url => delegate. Successfully accessing the resource after negotiation would imply that the use