On 18/10/2007, Johnny Bufu <[EMAIL PROTECTED]> wrote:
> Hi James,
>
> On 17-Oct-07, at 2:42 AM, James Henstridge wrote:
>
> > I have a few more questions about the update_url feature of OpenID
> > attribute exchange that I feel could do with answers in the
> > specification.
> >
> > For the questio
On 19-Oct-07, at 10:20 PM, David Recordon wrote:
> Completely agreed with Johannes. We are very close with the IPR
> policy/process being in place and assuming all the contributors agree
> to it, 2.0 can be declared final within 30 days of October 30th as
> that is the end of the public review p
Dick is right here regarding the certainty that an IPR policy provides with
respect to patent.
And IPR policy can never ensure that everyone in the world will refrain from
making patent claims. With regards to patent, an IPR policy and procedure
can only really affect those who choose to be subje
On 22-Oct-07, at 3:23 AM, James Henstridge wrote:
>> If the RP does not store any user attributes (and requests them with
>> each transaction from the OP), why does it want to be updated when
>> the user changes an attribute value at their OP?
>
> What I meant was that the RP would act as a cache
On Fri, 2007-10-19 at 16:12 -0700, Johannes Ernst wrote:
> [...] and after they had produced a spec, Rambus said "but we have
> some patents". This lead to at least one lawsuit I believe.
>
> I have heard wildly diverging assessments on whether or not this
> could happen here.
Ok, I'm looking f
Hey all,
I know John did some work in September (http://extremeswank.com/
openid_trusted_auth.html and http://extremeswank.com/
openid_inline_auth.html). Both solve extremely important use-cases
and are becoming increasingly discussed especially with the advent of
OAuth. I'd really like to
Great! Let's try to publish Draft 2 of PAPE either later today or
tomorrow morning. Few more emails coming shortly on this stuff.
--David
On Oct 11, 2007, at 9:28 AM, Johnny Bufu wrote:
>
> On 8-Oct-07, at 8:20 AM, David Recordon wrote:
>
# On the same topic, I have suggested before and
Agreed with Jonathan here, don't think we need to define a policy URI
for "active". Rather need to clarify what is meant in section 5.1.
(Optional) If the End User has not actively authenticated to the OP
within the number
of seconds specified in a manner fitting the requested
On Oct 9, 2007, at 10:08 AM, Jonathan Daugherty wrote:
> Hi all,
>
> Here are a few more items.
>
> Section 5.1
>
> - The spec doesn't specify what should be done in the absence of
> max_auth_age in a PAPE request. I could assume, but it would be
> easy enough to specify, say, that the
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of Kevin Turner
> Sent: Monday, October 22, 2007 1:34 PM
> To: specs
> Subject: Re: OpenID 2.0 finalization progress
>
> On Fri, 2007-10-19 at 16:12 -0700, Johannes Ernst wrote:
> > [...] and after they
SAML 2.0 expresses it in terms of whether or not the authentication is
'passive'
paul
David Recordon wrote:
> Agreed with Jonathan here, don't think we need to define a policy URI
> for "active". Rather need to clarify what is meant in section 5.1.
> (Optional) If the End User has not a
Hey Siddharth,
Just to be clear, a OTP hardware token is considered a "one-time
password device token" not a "Hard token" given SP 800-63, section 6
on page 15. This means that a OTP device can satisfy up to level 3,
though a FIPS compliant Hard token would be needed for level 4.
Level 3 al
Hey Paul,
How do you guys define "passive". Seems like the opposite problem of
defining "active".
Thanks,
--David
On Oct 22, 2007, at 3:18 PM, Paul Madsen wrote:
> SAML 2.0 expresses it in terms of whether or not the authentication
> is 'passive'
>
> paul
>
> David Recordon wrote:
>> Agreed
On 10/22/07, Gabe Wachob <[EMAIL PROTECTED]> wrote:
> 3) the community calls the spec final and a contributor raises a potential
> patent infringement issue, and since the community has already implemented
> and deployed 2.0, the patent owner has more leverage because the costs of
> "engineering ar
Hey David, IsPassive is an attribute on the AuthnRequest that allows the
SP to indicate policy for how the user is authenticated
IsPassive [Optional]
A Boolean value. If "true", the identity provider and the user agent
itself MUST NOT visibly take control
of the user interface from the requeste
I think that's exactly right, though it's really easy to have blind spots
when it comes to figuring out the permutations of how one can game group
behavior... so I won't guarantee anything else could happen (I've learned
that much from law school ;)
As I said, I *believe* the all the actors involv
Hey Johnny and Jonathan,
Just checked in some clarifications, review would be appreciated.
http://openid.net/pipermail/commits/2007-October/000381.html
Thanks,
--David
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
Wow, these are neat. Thanks for the links david, and especially the
work john!
OK, so the Inline Auth use case seems like a straightforward case for
OAuth: resource url => identifier, user auth url => delegate.
Successfully accessing the resource after negotiation would imply
that the use
18 matches
Mail list logo
