Re[4]: [PROPOSAL] authentication age

2006-10-04 Thread Chris Drake
it (that is: allow Visa to REQUIRE that a user has authenticated via two-factor means, to an accredited - i.e: explicitly trusted by Visa - IdP) then we've not only cemented the future of OpenID, we've gone and improved a pile of security problems along the way. Kind Regards, Chris Drake 1id.com Thursday, October

Adoption questions

2006-10-05 Thread Chris Drake
on about the fundamentals. I'm not so sure the under-hood work is as important as the big picture, and I don't think we've got this last bit right yet. Kind Regards, Chris Drake, =1id.com ___ specs mailing list specs@openid.net http://openid.net/mailman

Re[2]: [PROPOSAL] Separate Public Identifier from IdP Identifier

2006-10-06 Thread Chris Drake
RP nonce extension). Win-win-win. Kind Regards, Chris Drake =1id.com Saturday, October 7, 2006, 2:49:17 AM, you wrote: MA Dick Hardt wrote: I like making all identifiers work the same way. The wording around directed identity is somewhat confusing. Would be clearer if there was a complete

Re[2]: [PROPOSAL] Separate Public Identifier from IdP Identifier

2006-10-06 Thread Chris Drake
Regards, Chris Drake, =1id.com

Re[2]: [PROPOSAL] bare response / bare request

2006-10-06 Thread Chris Drake
KT On Fri, 2006-10-06 at 16:34 -0700, Drummond Reed wrote: Let me play the dumb customer here and say: * A whole lot of real-world users would love OpenID-enabled bookmarks. * A whole lot of websites would love to offer them. * A whole lot of IdPs would love to provide them. KT Okay

Re[2]: Consolidated Delegate Proposal

2006-10-11 Thread Chris Drake
Martin wrote: I'm surprised that our resident privacy advocates aren't making a bigger deal out of this. (If the privacy advocates have no problem then I'll let this go, since this isn't a use case I feel particularly strongly about myself.) Dick wrote: I was supportive of keeping the

Re[2]: [PROPOSAL] request nonce and name

2006-10-13 Thread Chris Drake
Hi All, Just so everyone remembers: GET encoded http:// URLs usually appear en masse in public lists (from proxy cache logs). If you don't want to POST data anyplace, remember to expect replay attacks often. Kind Regards, Chris Drake Friday, October 13, 2006, 7:48:31 PM, you wrote: JH

Re[2]: Identifier portability: the fundamental issue

2006-10-14 Thread Chris Drake
Hi Josh, I do not believe the RP needs to know the IdP-specific identifier ever (worse: I think it should never be allowed to know it, or even be allowed to see it!). JH Why not? PRIVACY. Page back and read through my posts to this list for the intricate details. JH Where is power being

Re[2]: Discussion: RP Yadis URL?

2006-10-15 Thread Chris Drake
the referrer page directly. There's a lot of anti-phishing work taking place right now: such a scheme would allow OpenID instant access to these new standards too.) Kind Regards, Chris Drake Monday, October 16, 2006, 2:59:12 AM, you wrote: DR +1. All of the defined algorithms for obtaining the XRDS

Re[4]: Discussion: RP Yadis URL?

2006-10-15 Thread Chris Drake
inside the RP's login FORM page, like a META or LINK tag, for browser agents to use, or IdPs to find via referrer URLs. Kind Regards, Chris Drake Monday, October 16, 2006, 3:36:53 AM, you wrote: DH Hi Chris DH Would you clarify these IdP initiated scenarios? DH I envisioned that an IdP learned

Re: Summarizing Where We're At

2006-10-15 Thread Chris Drake
. Kind Regards, Chris Drake Monday, October 16, 2006, 5:28:52 AM, you wrote: RD So previously I had set the goal of the final draft coming out last RD Friday, though we've missed that. I'm resetting this bar to Wednesday RD which means we need to wrap up discussion on proposals where there is RD

Re[2]: Identifier portability: the fundamental issue

2006-10-16 Thread Chris Drake
that works, and can be deployed ethically. Take a long hard look at that Nun lying dead in the snow, then tell me you still believe there's no need for IdP-initiated privacy protection in OpenID. Kind Regards, Chris Drake, =1id.com Tuesday, October 17, 2006, 7:29:00 AM, you wrote: DR +1. Trust

Re[2]: [dix] Re: Gathering requirements for in-browser OpenID support

2006-10-18 Thread Chris Drake
available to scripts, plugins, software agents that encounter OpenID login pages. Suggestion: (for OpenID-enabled login pages):- <link rel="openid.httpauth" href="http://my.rp.com/openid/blah.cgi"> --- Kind Regards, Chris

Re[2]: Server-to-server channel

2007-04-04 Thread Chris Drake
Regards, Chris Drake

Re[2]: Server-to-server channel

2007-04-04 Thread Chris Drake
it. Let me say no. Let me know each time they ask. But most importantly, let me (my OP) provide the correct, updated info each time the RP wants it. Kind Regards, Chris Drake Wednesday, April 4, 2007, 5:45:55 PM, you wrote: MA Anders Feder wrote: Imagine an RP requesting your bank account

Re[2]: Server-to-server channel

2007-04-04 Thread Chris Drake
Thursday, April 5, 2007, 3:50:49 AM, Martin wrote: MA Chris Drake wrote: Hi Martin, You wrote MA The age of the information needs to be taken into account here. When the information (rightly) lives at the OP instead of the RP, none of that age complexity exists. It's *my* name. It's

Re[2]: Server-to-server channel

2007-04-04 Thread Chris Drake
Thursday, April 5, 2007, 5:43:02 AM, you wrote: [snip] DO How these keys are handled internally could be left to the DO consumer or RP. [snip] This sounds like another *strong* use-case for updating the OpenID protocol to allow transactions to take place when the user is not present. I am not

Re[3]: Server-to-server channel

2007-04-05 Thread Chris Drake
. Heck - Cardspace already did this - so we don't even have to argue the merits: They learned the long, hard, and painful way that excluding the user agent seriously undermines the trust and usefulness of Identity management. Kind Regards, Chris Drake Thursday, April 5, 2007, 5:14

Re[2]: Specifying identifier recycling

2007-06-06 Thread Chris Drake
the time. Not my ideal concept of anything that's supposed to be persistent. Oh - and the obvious thing while I'm here - nobody's got public keys anyhow, with the exception of a few geeks here and there, and everyone involved in cybercrime. Kind Regards, Chris Drake, =1id.com Wednesday, June 6, 2007

Re[2]: [Idschemas] identity schema element metadata: using existingspecifications

2007-09-08 Thread Chris Drake
... Kind Regards, Chris Drake, =1id.com Saturday, September 8, 2007, 5:33:20 PM, you wrote: DR Mark, DR I just wanted to say that based on what I learned about them at the Data DR Sharing Summit (http://datasharingsummit.com) today, and what I read on my DR first pass tonight, these are fine

Re[2]: [osis-general] OSIS PAPE call results

2007-11-08 Thread Chris Drake
trying to say is that Phishing-Resistant means End Users can't be tricked into giving things to the wrong place... is all the jargon/terminology/verbosity really necessary in the definition? Kind Regards, Chris Drake

Re[2]: OpenID Email Discovery

2008-01-05 Thread Chris Drake
Hi Phillip, I wasn't aware that DNSSEC existed yet (outside a few obscure European TLDs?). Since you appear to work for Verisign, and I'd like to set this up - can you please send me a URL where I can obtain a signed DNSSEC certificate for my .COM domain? Kind Regards, Chris Drake Saturday

Re: IDMML (was RE: Using email address as OpenID identifier)

2008-04-02 Thread Chris Drake
lists a few. My proposal too was a link tag. Kind Regards, Chris Drake Tuesday, November 7, 2006, 12:51:15 I, you wrote: CD Hi Johannes, CD I proposed a solution to the single sign out problem a month or two CD ago. CD In fact - a whole range of solutions have been proposed, and relative CD