it (that is: allow Visa to REQUIRE that a
user has authenticated via two-factor means, to an accredited - i.e:
explicitly trusted by Visa - IdP) then we've not only cemented the
future of OpenID, we've gone and improved a pile of security problems
along the way.
Kind Regards,
Chris Drake
1id.com
Thursday, October
on about the fundamentals. I'm not so sure the
under-hood work is as important as the big picture, and I don't
think we've got this last bit right yet.
Kind Regards,
Chris Drake,
=1id.com
___
specs mailing list
specs@openid.net
http://openid.net/mailman
RP nonce extension). Win-win-win.
Kind Regards,
Chris Drake
=1id.com
Saturday, October 7, 2006, 2:49:17 AM, you wrote:
MA Dick Hardt wrote:
I like making all identifiers work the same way. The wording around
directed identity is somewhat confusing. Would be clearer if there
was a complete
Regards,
Chris Drake,
=1id.com
KT On Fri, 2006-10-06 at 16:34 -0700, Drummond Reed wrote:
Let me play the dumb customer here and say:
* A whole lot of real-world users would love OpenID-enabled bookmarks.
* A whole lot of websites would love to offer them.
* A whole lot of IdPs would love to provide them.
KT Okay
Martin wrote:
I'm surprised that our resident privacy advocates aren't making a
bigger
deal out of this. (If the privacy advocates have no problem then I'll
let this go, since this isn't a use case I feel particularly strongly
about myself.)
Dick wrote:
I was supportive of keeping the
Hi All,
Just so everyone remembers: GET encoded http:// URLs usually
appear en masse in public lists (from proxy cache logs). If you don't
want to POST data anyplace, remember to expect replay attacks
often.
Kind Regards,
Chris Drake
Friday, October 13, 2006, 7:48:31 PM, you wrote:
JH
Hi Josh,
I do not believe the RP needs to know the IdP-specific identifier ever
(worse: I think it should never be allowed to know it, or even be
allowed to see it!).
JH Why not?
PRIVACY. Page back and read through my posts to this list for the
intricate details.
JH Where is power being
the referrer page directly. There's a lot of anti-phishing work
taking place right now: such a scheme would allow OpenID instant
access to these new standards too.)
Kind Regards,
Chris Drake
Monday, October 16, 2006, 2:59:12 AM, you wrote:
DR +1. All of the defined algorithms for obtaining the XRDS
inside the RP's login FORM page, like a META or
LINK tag, for browser agents to use, or IdPs to find via referrer
URLs.
Kind Regards,
Chris Drake
Monday, October 16, 2006, 3:36:53 AM, you wrote:
DH Hi Chris
DH Would you clarify these IdP initiated scenarios?
DH I envisioned that an IdP learned
.
Kind Regards,
Chris Drake
Monday, October 16, 2006, 5:28:52 AM, you wrote:
RD So previously I had set the goal of the final draft coming out last
RD Friday, though we've missed that. I'm resetting this bar to Wednesday
RD which means we need to wrap up discussion on proposals where there is
RD
that works, and can be deployed ethically.
Take a long hard look at that Nun lying dead in the snow, then tell me
you still believe there's no need for IdP-initiated privacy protection
in OpenID.
Kind Regards,
Chris Drake,
=1id.com
Tuesday, October 17, 2006, 7:29:00 AM, you wrote:
DR +1. Trust
available to scripts, plugins,
software agents that encounter OpenID login
pages.
Suggestion: (for OpenID-enabled login pages):-
<link rel="openid.httpauth" href="http://my.rp.com/openid/blah.cgi">
---
Kind Regards,
Chris
Regards,
Chris Drake
it. Let me say no. Let me know each
time they ask. But most importantly, let me (my OP) provide the
correct, updated info each time the RP wants it.
Kind Regards,
Chris Drake
Wednesday, April 4, 2007, 5:45:55 PM, you wrote:
MA Anders Feder wrote:
Imagine an RP requesting your bank account
Thursday, April 5, 2007, 3:50:49 AM, Martin wrote:
MA Chris Drake wrote:
Hi Martin,
You wrote
MA The age of the information needs to be taken into account here.
When the information (rightly) lives at the OP instead of the RP, none
of that age complexity exists.
It's *my* name. It's
Thursday, April 5, 2007, 5:43:02 AM, you wrote:
[snip]
DO How these keys are handled internally could be left to the
DO consumer or RP.
[snip]
This sounds like another *strong* use-case for updating the OpenID
protocol to allow transactions to take place when the user is not
present.
I am not
.
Heck - Cardspace already did this - so we don't even have to argue
the merits: They learned the long, hard, and painful way that
excluding the user agent seriously undermines the trust and
usefulness of Identity management.
Kind Regards,
Chris Drake
Thursday, April 5, 2007, 5:14
...
Kind Regards,
Chris Drake,
=1id.com
Saturday, September 8, 2007, 5:33:20 PM, you wrote:
DR Mark,
DR I just wanted to say that based on what I learned about them at the Data
DR Sharing Summit (http://datasharingsummit.com) today, and what I read on my
DR first pass tonight, these are fine
trying to say is that Phishing-Resistant
means End Users can't be tricked into giving things to the wrong
place... is all the jargon/terminology/verbosity really necessary in
the definition?
Kind Regards,
Chris Drake
Hi Phillip,
I wasn't aware that DNSSEC existed yet (outside a few obscure European
TLDs?). Since you appear to work for Verisign, and I'd like to set
this up - can you please send me a URL when I can obtain a signed
DNSSEC certificate for my .COM domain?
Kind Regards,
Chris Drake
Saturday
lists a few. My proposal too was a link tag.
Kind Regards,
Chris Drake
Tuesday, November 7, 2006, 12:51:15 I, you wrote:
CD Hi Johannes,
CD I proposed a solution to the single sign out problem a month or two
CD ago.
CD In fact - a whole range of solutions have been proposed, and relative
CD