On Mon, 2006-09-25 at 14:24 -0700, Dick Hardt wrote:
> 2) fetching signed claims (part of attribute exchange)
[...]
> IdP sends a fetch response to Issuer containing any attributes
> required by Issuer, and also user identifier
> * there was no preceding fetch request
>
Re-writing all your applications every time a new technology pops up is
not a very efficient use of resources. New technologies that can
leverage an existing install base will likely fare better than those
that demand a completely clean slate. So I won't argue that existing
applications are never
On Sun, 2006-10-01 at 20:07 +0100, Martin Atkins wrote:
[...]
> then some/most IdPs just won't bother. [...]
> a completely uncheckable assumption and is therefore broken by design.
>
> The best we can do is make it a MAY (that is, max_age is a *suggestion*
> from the RP) and hope that most IdPs d
On Sun, 2006-10-01 at 13:08 -0700, Recordon, David wrote:
> It could be augmented to also contain a response parameter telling the
> RP if the IdP acknowledged it, then the RP could make the decision if
> it wants to proceed.
You will want that response parameter. Otherwise, couldn't I (as the
a
On Sat, 2006-09-30 at 20:09 -0400, Dick Hardt wrote:
> Motivating Use Case
>
> The IdP would like to allow the user to click a link on the IdP to
> login to an RP. This requires a bare response to be able to be sent.
How will RPs that customarily use a request nonce
On Mon, 2006-10-02 at 22:52 -0700, Drummond Reed wrote:
> Although it's easy to dismiss the privacy issue, there *can* be use
> cases under which an end-user may not want to reveal to their IP the
> identifier they present to the RP.
The problem is, the mapping of RP-facing-identifier to
IdP-facin
On Wed, 2006-10-04 at 19:40 +0100, Martin Atkins wrote:
> it's been my experience that users are willing to trade an awful lot of
> security to avoid software nagging at them repeatedly.
Which goes back to what Dick was saying about his myopenid.com login
cookie not expiring. Users didn't like l
Pretty much the *only* relationship that exists between the RP and the
IdP is that the authentication method is trustworthy because the user
has decided it is. I believe this proposal places additional demands on
that, and that those are demands that the protocol cannot fully support.
When you as
On Thu, 2006-10-05 at 13:25 +1000, Chris Drake wrote:
> Hi Kevin,
>
> Sounds like you're leaning towards a root authority for IdPs who can
> audit procedures and verify protection in order to sign the IdP's
> keys?
Woah, slow down there. I won't say this is completely crazy talk, but I
want to b
On Fri, 2006-10-06 at 13:26 +1000, Chris Drake wrote:
> Is my understanding accurate: OpenID is unable to support single sign
> on. If not - lets assume it's 9am. I just signed on. I can visit
> RP#1 then RP#2 then RP#3 and go back and forth all day without
> hindrance, until I next sign off - y
On Thu, 2006-10-05 at 18:08 -0700, Marius Scurtescu wrote:
> The only problem it seems to solve is that of vanity identifiers.
> Switching IdPs where you had an IdP issued identity for the original
> IdP does not seem to be possible, you have no control over that
> original identity so you c
On Fri, 2006-10-06 at 12:30 -0700, Drummond Reed wrote:
> In other words, can a user just login to their IdP/i-broker, then follow “OpenID-enabled bookmarks” they have stored there to be directly logged in to sites where the user has logged in before?
[...]
(I suspect this may be par
From http://www.lifewiki.net/openid/SeparateIdentifierFromIdPToken
(change #3):
> Impact on XRI-based auth:
>
> An XRI is, for this purpose, a URI that can be resolved into a URL at
> which we can do Yadis discovery. Once Yadis discovery begins, flow
> continues as in the original proposal, where
On Tue, 2006-10-03 at 19:42 -0700, Dick Hardt wrote:
> On 2-Oct-06, at 12:34 PM, Kevin Turner wrote:
> > On Sat, 2006-09-30 at 20:09 -0400, Dick Hardt wrote:
> >> Motivating Use Case
> >>
> >> The IdP would like to allow th
On Fri, 2006-10-06 at 16:34 -0700, Drummond Reed wrote:
> Let me play the dumb customer here and say:
>
> * A whole lot of real-world users would love OpenID-enabled bookmarks.
> * A whole lot of websites would love to offer them.
> * A whole lot of IdPs would love to provide them.
Okay Customer
On Tue, 2006-10-17 at 13:29 +1000, Chris Drake wrote:
> Now - how comfortable are you with
> the idea of letting 1.5 billion Chinese people use OpenID
Ideally we'd have the input of the SocialBrain Foundation on that.
Those are the folks who put together OpenID.cn. Has anyone on this list
talked
Sorry it took me a few months to notice this, but xri://$dns? No. I'm
referring here to spec rev 274, the diff for which is attached. Can we
roll that patch back, please?
I'm not even sure where you're getting an XRI Syntax 2.1 reference from,
there's not so much as a working draft of it publis
On Fri, 2007-04-13 at 16:53 +0100, Kevin Richards wrote:
> In the spec it shows an example of the 'signed' fields returned from a
> check_id_* request as "mode,identity,return_to". However if you try
> and do a
> check_authentication it will always fail because the mode will always
> be check_auth
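The failure Kevin Richards reports above is mechanical: when "mode" is one of the signed fields, the RP's check_authentication request carries mode=check_authentication, so a verifier that recomputes the MAC over the request as received can never match a signature that was made over mode=id_res. The following is an added example (not code from this thread, the spec, or any OpenID library) that signs an assertion in OpenID Key-Value form, builds the RP's check_authentication request, and shows both the naive verifier failing and an OP-side verifier that puts "id_res" back before recomputing the MAC. The verifier also answers is_valid at most once per response_nonce, so a captured assertion cannot be re-verified later. The MAC key, identifier, return_to and nonce are constructed values; the "mode back to id_res" substitution is this example's approach to the reported problem.

```python
import base64
import hashlib
import hmac

# Field names are the unprefixed keys listed in openid.signed; each value is the
# matching openid.* parameter of the positive assertion.


def kv_form(fields, signed):
    """Key-Value form over the signed fields, in openid.signed order."""
    return "".join("%s:%s\n" % (name, fields[name]) for name in signed).encode("utf-8")


def sign_response(fields, signed, mac_key, digest=hashlib.sha1):
    """OP side: add openid.signed and openid.sig to an id_res assertion."""
    mac = hmac.new(mac_key, kv_form(fields, signed), digest).digest()
    out = dict(fields)
    out["signed"] = ",".join(signed)
    out["sig"] = base64.b64encode(mac).decode("ascii")
    return out


def build_check_authentication(response):
    """RP side: the direct-verification request is the assertion with
    openid.mode replaced by check_authentication and everything else unchanged."""
    request = dict(response)
    request["mode"] = "check_authentication"
    return request


def naive_verify(request, mac_key, digest=hashlib.sha1):
    """Recompute the MAC over the request exactly as received. When "mode" is
    among the signed fields this can never succeed: the signed bytes now read
    mode:check_authentication instead of mode:id_res."""
    signed = request["signed"].split(",")
    expected = hmac.new(mac_key, kv_form(request, signed), digest).digest()
    return hmac.compare_digest(expected, base64.b64decode(request["sig"]))


def verify_check_authentication(request, mac_key, seen_nonces, digest=hashlib.sha1):
    """OP side: recompute the MAC as if openid.mode were id_res, and answer
    is_valid:true for a given response_nonce at most once."""
    if request.get("mode") != "check_authentication":
        return False
    signed = request.get("signed", "").split(",")
    if any(name not in request for name in signed):
        return False
    as_assertion = dict(request)
    as_assertion["mode"] = "id_res"   # the bytes the OP originally signed
    expected = hmac.new(mac_key, kv_form(as_assertion, signed), digest).digest()
    try:
        given = base64.b64decode(request["sig"], validate=True)
    except (KeyError, ValueError):
        return False
    if not hmac.compare_digest(expected, given):
        return False
    nonce = request.get("response_nonce")
    if nonce is not None:
        if nonce in seen_nonces:      # same assertion presented for verification again
            return False
        seen_nonces.add(nonce)
    return True


def demo():
    """Constructed walk-through: sign an assertion, turn it into the RP's
    check_authentication request, verify it the naive way and the correct way,
    then once more to show the replay refusal. Returns (naive, correct, replay)."""
    mac_key = b"\x01\x02\x03\x04\x05" * 4  # constructed 160-bit MAC key of a private association
    assertion = {
        "mode": "id_res",
        "identity": "http://example.com/alice",        # constructed
        "return_to": "http://rp.example.net/finish",   # constructed
        "response_nonce": "2007-04-13T16:53:00ZabcD",  # constructed
        "assoc_handle": "handle-1",                    # constructed
    }
    signed = ["mode", "identity", "return_to", "response_nonce", "assoc_handle"]
    response = sign_response(assertion, signed, mac_key)
    request = build_check_authentication(response)
    seen = set()
    return (naive_verify(request, mac_key),
            verify_check_authentication(request, mac_key, seen),
            verify_check_authentication(request, mac_key, seen))


if __name__ == "__main__":
    print(demo())
```

The same substitution is what an RP-side library has to rely on when it falls back to direct verification, so an OP that skips it breaks every stateless RP, not just the one that filed the report.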
On Fri, 2007-05-18 at 22:21 +0200, Boris Erdmann wrote:
> http://openid.net/specs/openid-authentication-2_0-11.html#anchor34
>
> Should the document be placed under
> http://relyingparty.com/ or http://relyingparty.com/return_to_url?
> or does it have to be link rel'ed in every page?
For the prop
On Fri, 2007-10-19 at 10:02 -0700, Paul C. Bryan wrote:
> On Thu, 2007-10-18 at 19:13 -0700, Dick Hardt wrote:
>
> > I don't see why the two processes need to be any more dependant on
> > each other then they are already.
>
> With all due respect, why take the risk that there are intellectual
>
On Fri, 2007-10-19 at 16:12 -0700, Johannes Ernst wrote:
> [...] and after they had produced a spec, Rambus said "but we have
> some patents". This lead to at least one lawsuit I believe.
>
> I have heard wildly diverging assessments on whether or not this
> could happen here.
Ok, I'm looking f
On Sat, 2008-02-02 at 08:51 +1100, James Henstridge wrote:
> > 5. A way for OpenID relying parties to filter out Ops. In a business
> > scenario, if I run the Sun employee store, I may only want the Sun OP to
> > talk with me.
>
> This is already possible with OpenID 2.0:
[snip]
This is already p
On Mon, 2008-03-10 at 11:27 +0100, Oliver Welter wrote:
> 1) Is an individual session dedicated to an Identifier/OP Combo, or is a
> secret/session used for different Identifiers which are served by the
> same OP?
Associations are for a pair of (RP, OP), usable for any communication
between them
On Wed, 2008-03-12 at 16:28 +0200, techtonik wrote:
> But 1.1 OpenID server doesn't know anything about openid.ns, because
> it was added only in 2.0 Therefore server fails to authenticate and
> this should be considered a bug in consumer, which should not send
> openid.ns at all. If everything ab
Here's the change most likely to get accepted. Amend the specification
to say:
A request for an OpenID Identifier SHALL NOT issue a 303
response.
and, if you're feeling ambitious, pick one -- or two? -- of the assorted
30x redirect codes that an OP may use for particular cases, a
On Wed, 2008-03-19 at 23:54 +0900, James Henstridge wrote:
> The fact that some sites incorrectly resolved the redirect to
> "/about/" is probably due to the non-standard response headers for
> http://bytesexual.org/ -- it contains a relative URI reference in the
> location header, while the spec r
On Fri, 2008-03-21 at 09:38 -0700, Will Norris wrote:
> Regardless of what specific spec addition we're talking about, I don't
> think the technical difficulty to implement it should ever be a
> determining factor in weighing the merit of the proposal.
I disagree here. We don't write specs just s
See section 11.4.2. Verifying Directly with the OpenID Provider.
or encode your state in a signed cookie or the return_to URL or somesuch.
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
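"Encode your state in a signed cookie or the return_to URL" is the usual way an RP avoids keeping a per-request record between sending the user to the OP and getting the assertion back. The following is an added example (not code from this thread or from any OpenID library) of the return_to variant: the RP appends a timestamped nonce and an HMAC over it to return_to, and on return accepts the echoed return_to only if the MAC checks, the nonce is fresh, and it has not been consumed before, then checks that the URL the assertion actually arrived at matches openid.return_to. The RP secret, endpoint and parameter names (rp.nonce, rp.sig) are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for this example; a real RP keeps the secret out of source.
RP_SECRET = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")
RP_BASE = "http://rp.example.net/openid/finish"  # hypothetical RP return endpoint
MAX_AGE = 300  # seconds a return_to stays acceptable


def make_return_to(secret, base, now):
    """Build openid.return_to for a new checkid_setup request. The state is a
    timestamped nonce plus an HMAC over it, so nothing has to be stored
    server-side to recognise it when the assertion comes back."""
    nonce = "%d:%s" % (int(now), secrets.token_hex(8))
    tag = hmac.new(secret, nonce.encode("ascii"), hashlib.sha256).hexdigest()
    return base + "?" + urlencode({"rp.nonce": nonce, "rp.sig": tag})


def verify_return_to(secret, base, return_to, now, seen_nonces, max_age=MAX_AGE):
    """Accept the return_to echoed in a positive assertion only if this RP built
    it (MAC checks), it is fresh, and its nonce has not been consumed already."""
    rt, b = urlsplit(return_to), urlsplit(base)
    if (rt.scheme, rt.netloc, rt.path) != (b.scheme, b.netloc, b.path):
        return False
    query = parse_qs(rt.query)
    nonce = query.get("rp.nonce", [None])[0]
    tag = query.get("rp.sig", [None])[0]
    if nonce is None or tag is None:
        return False
    expected = hmac.new(secret, nonce.encode("ascii", "replace"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    try:
        issued = int(nonce.split(":", 1)[0])
    except ValueError:
        return False
    if not 0 <= now - issued <= max_age:
        return False
    if nonce in seen_nonces:   # assertion replayed after it was already consumed
        return False
    seen_nonces.add(nonce)     # only nonces younger than max_age need remembering
    return True


def return_to_matches(actual_url, claimed_return_to):
    """Return-to verification as in OpenID 2.0 section 11.1: the URL the
    assertion arrived at must agree with openid.return_to in scheme, authority
    and path, and every query parameter of return_to must be present with the
    same value in the actual URL (extra openid.* parameters are expected)."""
    a, c = urlsplit(actual_url), urlsplit(claimed_return_to)
    if (a.scheme, a.netloc, a.path) != (c.scheme, c.netloc, c.path):
        return False
    actual_q = parse_qs(a.query, keep_blank_values=True)
    for key, values in parse_qs(c.query, keep_blank_values=True).items():
        if actual_q.get(key) != values:
            return False
    return True


if __name__ == "__main__":
    import time
    rt = make_return_to(RP_SECRET, RP_BASE, time.time())
    print(rt)
    print(verify_return_to(RP_SECRET, RP_BASE, rt, time.time(), set()))
```

The nonce check here is in addition to, not instead of, the response_nonce check on the assertion itself: the return_to nonce proves the RP started this flow, while response_nonce is what prevents the OP's assertion from being replayed.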