RE: Backwards compatibility

nd to construct appropriate messages. In essence, it's a different protocol, and #1R is not required. Thanks! David Fuelling > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of Josh Hoyt > Sent: Wednesday, September 20, 2006 4:31 PM

RE: Request for comments: Sorting fields in signature generation

Just for clarification -- if duplicate parameters of the same name are NOT allowed by the spec, would one still be able to encode multiple values in the same key/value pair? Wouldn't this accomplish the same result as allowing duplicate key names? Not sure if this would be a bad idea, or not, but

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

usion, these 2 email proposals should be no less "confusing" than trying to educate a user that the Identity URL they type in (e.g., http://aol.com) is not their identity. Both will/would take some education. Thanks! David Fuelling [EMAIL PROTECTED] > -Original Message- >

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

Please see my questions/ideas enclosed... Thanks! David Fuelling > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of Drummond Reed > Sent: Friday, October 20, 2006 1:04 AM > To: 'Recordon, David'; specs@openid.net > Su

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

ally make sense to cut out the most common "value" (which is an email address)? > -Original Message- > From: Jonathan Daugherty [mailto:[EMAIL PROTECTED] > Sent: Wednesday, November 08, 2006 1:30 PM > To: David Fuelling > Cc: specs@openid.net > Subject: Re:

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

to something that OpenID can use? David Fuelling > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of Dick Hardt > Sent: Sunday, October 22, 2006 12:26 PM > To: John Panzer > Cc: Kaliya *; specs@openid.net > Subject: Re: [PRO

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

er, Phillip [mailto:[EMAIL PROTECTED] > Sent: Wednesday, November 08, 2006 1:45 PM > To: David Fuelling; specs@openid.net > Subject: RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers > > Please don't use HTTP this way. That is not the semantics for http

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

ginal Message- > From: Jonathan Daugherty [mailto:[EMAIL PROTECTED] > Sent: Wednesday, November 08, 2006 1:45 PM > To: David Fuelling > Cc: specs@openid.net > Subject: Re: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers > > # So, if in a hypothetical

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

is a bad thing. > -Original Message- > From: Dick Hardt [mailto:[EMAIL PROTECTED] > Sent: Wednesday, November 08, 2006 5:06 PM > To: David Fuelling > Cc: specs@openid.net > Subject: Re: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers > > Hi

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

2 (Normalization). We're mapping/normalizing 'www.cnn.com' to 'http://www.cnn.com', even though www.cnn.com is not (technically) a validly schemed Http url. Why not do the same with email addresses? > -Original Message- > From: Hallam-Baker, Phillip [mailt

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

Hi Martin, This is interesting. I guess your suggestion (see your msg below) deals with a sub-topic of the whole "should email be allowed in the OpenId login form" debate, which is this: "If email is allowed in the OpenId login form, should the mapping/normalization include the email Userid...O

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Martin Atkins > Sent: Thursday, November 09, 2006 5:36 PM > To: [EMAIL PROTECTED] > Subject: Re: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers > > Sometimes these things will be charact

Map/Normalize Email Address to IdP/OP URL (Was [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers)

Hey David, Thanks for your ideas. Some more thoughts below. > -Original Message- > From: David Nicol [mailto:[EMAIL PROTECTED] > Sent: Thursday, November 09, 2006 6:49 PM > To: David Fuelling > Cc: Martin Atkins; specs@openid.net; [EMAIL PROTECTED] > Subject: Re: [PROP

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Martin Atkins > Sent: Friday, November 10, 2006 2:41 AM > To: [EMAIL PROTECTED] > Subject: Re: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers > > I provide email addresses to some of my f

RE: Map/Normalize Email Address to IdP/OP URL (Was [PROPOSAL] Handle"http://[EMAIL PROTECTED]" Style Identifiers)

> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On >Behalf > Of Jonathan Daugherty > # I think that all this discussion about email userid is moving us off > # track. My original proposal was that the email maps/normalizes to a > # URL of an IdP (the userid is igno

RE: Map/Normalize Email Address to IdP/OP URL (Was [PROPOSAL] Handle"http://[EMAIL PROTECTED]" Style Identifiers)

> -Original Message- > From: Dick Hardt [mailto:[EMAIL PROTECTED] > Sent: Friday, November 10, 2006 11:28 AM > To: David Fuelling > Cc: specs@openid.net; [EMAIL PROTECTED] > Subject: Re: Map/Normalize Email Address to IdP/OP URL (Was [PROPOSAL] > Handle"http:

RE: Map/Normalize Email Address to IdP/OP URL (Was [PROPOSAL] Handle"http://[EMAIL PROTECTED]" Style Identifiers)

> -Original Message- > From: Dick Hardt [mailto:[EMAIL PROTECTED] > Sent: Friday, November 10, 2006 11:28 AM > To: David Fuelling > Cc: specs@openid.net; [EMAIL PROTECTED] > Subject: Re: Map/Normalize Email Address to IdP/OP URL (Was [PROPOSAL] > Handle"http:

RE: [OpenID] "The Case for OpenID" published by ZDNet / DigitalIdentity World Blog

Looks like the article got Slashdottedthere's some interesting commentary going on, with some FUD, plenty of confusion, and some acceptance. Very interesting to read. http://it.slashdot.org/article.pl?sid=06/12/05/139204 > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [OpenID] Questions about Spoofing OpenId

> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Carl Howells > Subject: Re: [OpenID] Questions about Spoofing OpenId > > Some care has to be > taken to make sure that direct cross-linking won't work, but that's not > too difficult. What do you mean

RE: Proposal: SMTP service extension for Yadis discovery

> -Original Message- > From: Dmitry Shechtman [mailto:[EMAIL PROTECTED] > Subject: RE: Proposal: SMTP service extension for Yadis discovery > > > there's nothing wrong with transforming an email to > > an OpenId Endpoint url (using the root domain of the email). > > That would require a r

HTML-based discovery Question...

Can anyone give me a brief overview of why HTML-Based Discovery is only allowed for Claimed Identifiers? I don't disagree with the spec here -- I'm just trying to understand things better. Thanks! David (Section 7.3.3): "HTML-Based discovery is only usable for discovery of Claimed Identifiers.

RE: [OpenID] FW: PROPOSAL: An Extension to transform an EMail Address to an OpenId URL

> -Original Message- > From: Robert Yates [mailto:[EMAIL PROTECTED] > > For what it's worth I think that this is excellent. Thanks for the positive feedback! >A couple of suggestions: > 1) You probably should take a look at the URI Template spec [1]. > These guys have done a lot of th

Yadis/XRDS Service Element URI Question

Hey All, I'm working on a draft OpenId 2.0 extension [1] and am looking for guidance on how to define a Yadis Service Element that includes a URI Template (instead of a real URI). At first, I thought that the following would be ok: http://openid.net/srv/oeat/1.0/ett https://{username}.examp

Wiki page: Attempting to document the "Email Address as OpenId" debate.

Hi List, In light of my recent extension proposal to map Email Addresses to OpenId URLs, I have setup a wiki page on openid.net that attempts to capture all the pro/cons/issues that have been shared in the debate over whether this is a good idea or not. http://openid.net/wiki/index.php?title=Deba

RE: [OpenID] FW: PROPOSAL: An Extension to transform an EMail Address to an OpenId URL

> -Original Message- > From: Robert Yates [mailto:[EMAIL PROTECTED] > > 2) Why map the e-mail address to an openid url, which then has to be > further resolved to a Yadis document? Why not, instead, map straight > to a yadis doc and make e-mails full fledged openids. An openid is > nothin

RE: [OpenID] FW: PROPOSAL: An Extension to transform an EMail Addressto an OpenId URL

> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Eric Norman > > The other vital property of URL based schemes in addition to > resolvability > is that "ownership" can be confirmed. Email addresses are indeed > resolvable in the sense detailed here.

RE: [OpenID] Wiki page: Attempting to document the "Email Address as OpenId" debate.

> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Claus Färber >> >> http://openid.net/wiki/index.php?title=Debating_Emails_as_OpenIds > > I'd prefer to call them [EMAIL PROTECTED] OpenIDs. The concept of using this > format is not only used for email

OpenId & Yadis Question

I'm wondering if the following is a correct interpretation of how OpenId 2.0 uses Yadis. Any clarifications are appreciated. 1.) User navigates to an RP, and enters a Claimed Identifier (e.g., http://sappenin.gmail.com). 2.) A Yadis doc is returned as follows: http://specs.openid.net/auth/2.0/

What Should an OpenId Be? [WAS: RE: Proposal for Modularizing Auth 2.0 Discovery]

> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of Gabe Wachob > Sent: Wednesday, February 28, 2007 3:02 PM > To: 'Drummond Reed'; 'Martin Atkins'; specs@openid.net > Subject: Proposal for Modularizing Auth 2.0 Discovery > > > Basically, the Discovery

Questions about IIW Identifier Recycling Table

I wasn't at IIW, so please bear with me. In reference to the wiki at http://openid.net/wiki/index.php/IIW2007a/Identifier_Recycling, can somebody clarify what some of the terminology means? Specific questions are below. 1.) For URL+Fragment, what is the distinction between "private" and "public

Re: Questions about IIW Identifier Recycling Table

Hey Johnny, Thanks for your clarifications and answers to my questions about [1]. Over the last few days I've been thinking about your Identifier Recycling proposal[2], in addition to other proposals (Tokens, etc). Assuming I understand things correctly, it seems as if a hybrid of the public/pr

Re: Questions about IIW Identifier Recycling Table

Hey Josh, Thanks for your message and great points. See my thoughts/questions inline. On 6/7/07, Josh Hoyt < [EMAIL PROTECTED]> wrote: On 6/7/07, David Fuelling <[EMAIL PROTECTED]> wrote: > Over the last few days I've been thinking about your Identifier Recycling > p

Re: Do We Agree on the Problem We're Trying to Solve?

Wrt to the problems we're trying to solve, I think that we should define a (C) (which is similar to (A), yet instigated by the user and doesn't trigger an RP recycle) and a (D). In summary: A) Identifier recycling normally in large user-base deployments. i.e. needs a way to give 'TheBestUsern

Re: Do We Agree on the Problem We're Trying to Solve?

Assuming I understand things correctly, it seems like what we're calling a canonical URL in this thread is really a pseudo-canonical URL since a given OpenID's XRDS doc is what specifies the Canonical ID. If in 50 years, a given canonical URL domain goes away, then couldn't a given OpenId URL own

Re: Do We Agree on the Problem We're Trying to Solve?

On 6/11/07, Josh Hoyt <[EMAIL PROTECTED]> wrote: On 6/8/07, David Fuelling <[EMAIL PROTECTED]> wrote: > If in 50 years, a given canonical URL domain goes away, then couldn't a > given OpenId URL owner simply specify a new Canonical URL in his XRDS doc? If I unders

Re: OpenId as API authentication method

What is OAuth? The group appears to be private, so is not accessible. david On 7/27/07, John Panzer <[EMAIL PROTECTED]> wrote: > > You should probably check out OAuth: > http://groups.google.com/group/oauth, and its draft > spec

Re: OpenID Trusted Authentication Extension

John, Have a look at OAuth (http://groups.google.com/group/oauth). I think it's currently a private google group, but it seems like you've given a lot of thought to this type of thing, so I'm sure the group owners would welcome your input. There's a lot of activity going on over there. David O

OpenID Extension to handle Emails Addresses?

Wondering if it makes sense to talk about an OpenID Extension to handle email address, as opposed to changing the core spec? My thinking here is that EAUT could be used to solve much of this problem, but that an OpenID extension is required to add extra value. So, here's how I would see such an e

Re: [OpenID] OpenID Extension to handle Emails Addresses?

On Thu, Oct 30, 2008 at 4:01 PM, Martin Atkins <[EMAIL PROTECTED]>wrote: > David Fuelling wrote: > >> >> I would even entertain the notion of the OpenID extension doing DNS lookup >> first, then EAUT, though I need to think more on the topic. Alternatively,

Re: Proposing an OpenID Authentication 2.1 Working Group

associations over HTTPS are > > required to also support associations using Diffie-Hellman encryption > > over HTTPS connections. > > - Exploratory work as defined below assuming the Working Group finds > > it feasible to do so. > > > > Exploratory Work: > > The WG

Re: non-standard login mechanism

Sounds like you're simply mapping a SL UUID to an OpenID, so my opinion would be "no, this does not break the spec", so long as the actual OpenID transaction utilizes the OpenID URL that you have on file in the DB. This is very similar to the other discussions going on regarding using an email add

Re: Use of Qworum for indirect communication

Cool idea, although I wonder what benefit this would bring to OpenID auth? Seems like HTTP redirects and form submits work pretty well today. Would Qworum enable any sort of new features that aren't possible today because we're not using XML between RP/OP/User-agent? Thanks! david 2008/12/15 Do

DISCUSSION relating to OpenID Discovery 2.1

All, I'd like to propose that the following ideas be considered as discussion points in the OpenID 2.1 Discovery WG. I've updated the OpenID 2.1 Discovery WG wiki pageto reflect these ideas, and have provided two very rough-draft proposals

Re: Proposal to form Discovery Working Group

On Thu, Dec 25, 2008 at 10:56 AM, Nat Sakimura wrote: > 2. Separation of OP into Discovery Service and Authentication Service. > In the current terminology, OP spans both Discovery Service and > Authentication Service. > We should be explicit about it. > > +1. I would like to see discovery ser

DISCUSSION relating to OpenID Discovery 2.1

Not sure if this made it through to everyone due to the mail list malfunction, so resending just in case. david -- Forwarded message -- From: David Fuelling Date: Fri, Dec 26, 2008 at 6:58 PM Subject: DISCUSSION relating to OpenID Discovery 2.1 To: "specs@openid.net&quo

Re: [OpenID] DISCUSSION relating to OpenID Discovery 2.1

> metadata. > > > See above. I'm very confident that *if* Discovery is to be performed, then it must be done via one of the three paths in 7.3. I'm less confident about Discovery not being optional since the wording is unclear, but I think the intent was for Discovery to be non-opt

Re: [OpenID] DISCUSSION relating to OpenID Discovery 2.1

On Tue, Dec 30, 2008 at 7:00 PM, Peter Williams wrote: > I gave up half way through my careful reply, as it was approaching > formatting-incomprehensible …to the poor reader trying follow it, point by > inset counterpoint. > Yes, I encountered the same thing in my responses. :) > > > 1.is meta

CLARIFICATION: Is OpenID Discovery Optional?

All, Wondering if anybody, especially the original OIDF Board and any contributor's to the OpenID Auth 2.0 spec could comment on this question for me. *Is OpenID Discovery, as seen in section 7.3 of the Auth spec, optional? More specifically, is the information returned by discovery meant to be A

New OP-MultiAuth Draft Published

For anyone interested, I've put out a 2nd draft of my OP-MultiAuth idea. I think the first draft was pretty confusing, so hopefully this clarifies things a bit more. Wiki Page: http://wiki.openid.net/OP-MultiAuth Actual Draft: http://wiki.openid.net/f/openid-provider-multiauth-extension-1_0-2.htm

Re: New OP-MultiAuth Draft Published

ery 2.1. > > Or at minimum a naming scheme that hilites the commonality .. UAPE :-) > > paul > > David Fuelling wrote: > > For anyone interested, I've put out a 2nd draft of my OP-MultiAuth idea. I > think the first draft was pretty confusing, so hope

Re: Request for consideration of AX 2.0 Working Group Charter Proposal

+1 On Tue, Jan 27, 2009 at 3:33 PM, Dick Hardt wrote: > I'd prefer to narrow the scope of the WG and keep it focussed on a small > number of goals. > > A separate WG on SREG would be preferred, but I think it is a disservice to > the community to have two specs having such significant overlap. >

OpenID 2.1 Discovery WorkingGroup?

Hey All, There have been quite a few questions/issues raised concerning the next iteration of OpenID Discovery. I have tried (as best as I could) to document these on the "*OpenID 2.1 Discovery WG*" wiki page ( http://wiki.openid.net/OpenID-Discovery). Please feel free to add or edit if you thin

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

David, Great questions -- see my thoughts/opinions inline... david On Tue, Jun 9, 2009 at 6:36 PM, David Recordon wrote: > Hey David,I've been following some of the discovery work the past few > months, but don't have a clear picture if the various components are > actually solid enough to beg

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

On Tue, Jun 9, 2009 at 7:00 PM, Santosh Rajan wrote: > > We need to remember that XRD only addreses discovery for URL identifiers. This is not really true. The XRD document schema only demands that an identifier be a URI, both for the XRD document's "subject" (i.e., the canonical-id) and the X

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

On Tue, Jun 9, 2009 at 7:09 PM, Breno de Medeiros wrote: > If we start the process to form a WG for discovery now, most likely the > process would only be completed in 6 months, even if there was considerable > agreement and stable technologies to draw from. > > Right now, there is quite a bit of

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

My bad -- I errantly thought you were advocating the opposite. On Tue, Jun 9, 2009 at 9:15 PM, Breno de Medeiros wrote: > And I agree with you. My view is that in the absence of an OpenID discovery > WG there will be _more_ uncertainty about future directions for the spec, > not less. > > __

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

Great feedback. I took the liberty to add this to the "Discussion Points" on the wiki page. http://wiki.openid.net/OpenID-Discovery On Tue, Jun 9, 2009 at 8:43 PM, Allen Tom wrote: > My primary concern with changing OpenID Discovery is the upgrade path to > the new discovery mechanism. It took

Re: Are the Discovery Components Done Enough?

On Tue, Jun 9, 2009 at 9:19 PM, SitG Admin wrote: > There's a significant camp of people that believe this information should >> be included in DNS. There's also a significant group of people who believe >> it could be located an XRD file (or, "on the web"). >> > > What if the discovery document