Johannes invited me to lead the development of the specification for including
relationships and authorization as part of OpenID. I have the following
questions:
1. Would it be too distracting to have the conversation occur on this listserv
or should the admin establish another one?
2. I would
Hopefully, everyone had the opportunity to read document I sent that outlines
the business scenario(s) we are interested in using OpenID for. Figured I would
start taking each theme and sharing requirements with the hope that others will
react.
The requirements for relationship are as
Curious if anyone here has read the AAPML specification from Oracle
(http://www.oracle.com/technology/tech/standards/idm/igf/pdf/IGF-AAPML-spec-08.pdf).
The goal is to allow attribute authorities to specify conditions under which
information under management may be used. This sounds like
Oracle also has a similar specification named CARML
(http://www.oracle.com/technology/tech/standards/idm/igf/pdf/IGF-CARML-spec-03.pdf)
which defines how applications define their attribute requirements as it
relates to identity. CARML can be used to automate configuration of identity
I would love to see folks here that also blog not only continue to discuss
federated identity but also, over the course of several additional
postings, talk about the need for federated authorization. Consider an
example where a Doctor in a hospital is having an electronic interaction
The standards body for my vertical is ACORD (www.acord.org) and is where I
would like to get many of my industry peers to put together standards for
user-centric identity within an industry vertical context. Would be curious to
know who on this list would be interested in participating once I
Hopefully everyone is noodling the previously sent requirements on relationship
and will reply back with their own thoughts. In the meantime, I figured I would
also share the requirements for attestation:
* At the high level, there are two ways that attestation can work:
* The
, January 22, 2007 3:19 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: Special Request: Client Certificates vs. OpenID
So I've been doing some asking around who might be interested in co-authoring
some kind of white paper on the subject of user-centric identity
-Original Message-
From: Dick Hardt [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 25, 2007 4:43 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: Federated Authorization
On 25-Jan-07, at 1:36 PM, McGovern, James F ((HTSC, IT)) wrote:
Modify your scenario as follows
May I argue that a secure end-to-end encrypted channel does not always equal
SSL? I know that PKI is pervasive, but wouldn't want to rule out the potential
of using identity-based encryption (IBE)...
Date: Wed, 28 Feb 2007 20:23:46 -0600
From: Alaric Dailey [EMAIL PROTECTED]
Subject: RE: HTTPS
I originally joined this list with the hopes of injecting support for
relationships, authorization and attestation into the specification but have
been somewhat disappointed. I do have the following questions:
1. Will OpenID avoid incorporating features where identity selectors such as
As an end-user to user-centric approaches, I have noticed an interesting
pattern. Microsoft does a wonderful job of selling Cardspace as a solution to
others who develop in Microsoft languages. Likewise, there are tons of vendors
that can offer solutions for large enterprises to purchase but no
From: Gabe Wachob [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 03, 2007 4:44 PM
To: 'Recordon, David'; McGovern, James F (HTSC, IT); specs@openid.net
Subject: RE: Promoting OpenID
More likely that the people promoting OpenID to large organizations are
vendors and don't particularly
Sent: Tuesday, April 03, 2007 3:18 PM
To: McGovern, James F (HTSC, IT); specs@openid.net
Subject: RE: Promoting OpenID
People might be, though nothing real formal that I personally know of.
You volunteering? :P
--David
-Original Message-
From: [EMAIL PROTECTED] [mailto
at IBM
then I would be game to rally many of my industry peers to put some pressure...
-Original Message-
From: Dick Hardt [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 03, 2007 8:21 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: Web Access Management
Ping demoed
Great to hear that you are working with salesforce.com. Would someone else on
this list volunteer to work with Siebel, Peoplesoft, SAP, Intalio and Alfresco?
-Original Message-
From: Dick Hardt [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 04, 2007 2:57 AM
To: McGovern, James F (HTSC
The term attestation has a distinct legal meaning but within an IT
context may be used interchangeably with the notion of certification or
periodic review. There are of course several levels of attestation. I
propose that minimally OpenID incorporate the first notion where someone
certifies you are
I would think this would be better solved by leveraging the Oracle
Identity Framework and using components such as AAPML and CARML
Message: 3
Date: Thu, 5 Apr 2007 10:57:22 +
From: Vinay Gupta [EMAIL PROTECTED]
Subject: Re: Re[3]: Server-to-server channel
To: Chris Drake [EMAIL PROTECTED]
Cc:
Are there special considerations for either relying parties when they may be
protected by Web Access Management products? For example, if I initially sign
onto a web site using OpenID, I still will need for the Web Access Management
product to create a secure cookie that contains a session
VeriSign's Consumer Authentication Service authenticates customers by using
real-time automation processes in combination with unique interactive questions.
Once consumers are properly authenticated by CAS, enterprises can be assured of
their identity, and they can
execute secure business
From: Johannes Ernst [mailto:[EMAIL PROTECTED]
Sent: Friday, April 06, 2007 12:29 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: Logout
So far, neither OpenID nor CardSpace define the notion of a session, so no
common logout is possible within the standard
Sent: Friday, April 06, 2007 2:25 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: Logout
That might be hard from a usability perspective, and in my experience, the
underlying user requirement tends to be a variation of I am about to go to
lunch with the guys
In thinking about this, wouldn't it be interesting if the RP could return a URL
that the selector could callback on? Of course this would be optional.
*
This communication, including attachments, is
for the exclusive use
So, what will it take to move the mentioned vendors from simply being aware
to actively participating?
-Original Message-
From: Dick Hardt [mailto:[EMAIL PROTECTED]
Sent: Sunday, April 08, 2007 2:48 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: Web Access
I have been thinking that the best contribution I could make to OpenID would be
the first enterprise that deploys OpenID into production. OpenID needs more
press than it is receiving and by showing that a large Fortune enterprise is
using would be a big win. I do however have one constraint in
Been silently observing many of the email exchanges over the last couple of
weeks and from an end-customer perspective I am somewhat concerned. Some of the
general themes I have observed are:
1. Too much focus on breaking compatibility with OpenID 1.1. While you have had
some success, now is
Recently saw a demo of Vidoop and think their approach rocks. Was
curious if there is an opportunity to express an authentication strength
and style as an attribute to be consumed by the relying party.
Currently OpenID 2.0 is targeted for supporting consumer-oriented
interactions. I would love to develop a sense as to when/if members of
OpenID have any interest in sketching out B2B interactions where not
only identity is important but also assertion of authorization
information at runtime via
OpenID 2.0 seems to have closed major security gaps and is usable in a
consumer context. Are there plans to figure out how to add functionality
to the next version of OpenID to support more enterprise considerations
including support for XACML, modeling of relationships, attestation, etc
or is
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Bill Washburn
Sent: Tuesday, December 11, 2007 1:27 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: XACML
Hi James--
Thanks for your note. The OpenID community, made up
What is the standard recommendation for how identifiers get stored in
enterprise directory services (e.g. LDAP)?
=Drummond
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of McGovern, James F (HTSC, IT)
Sent: Wednesday, January 23, 2008 1:47 PM
To: specs@openid.net
Subject: Integration with Enterprise Directory Services
What is the standard recommendation
for that ...
perhaps a separate 1-page standard?
On Jan 24, 2008, at 7:02, McGovern, James F (HTSC, IT) wrote:
For CardSpace, MS and other providers store it in the SeeAlso
attribute. Figured OpenID in the next rev of the spec should talk more
about implementation details.
-Original Message
Is there merit in also defining other aspects such as how the OP would
store history in LDAP by defining new ObjectClass?
software should work
in enterprise settings while minimizing configuration regardless of how
easy it is.
-Original Message-
From: Schleiff, Marty [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 8:17 PM
To: Johannes Ernst; specs@openid.net
Cc: McGovern, James F (HTSC, IT); Drummond
Figured I would ask if anyone is interested in brainstorming the next
version of OpenID and how it can be used in Enterprise B2B settings and
not solely focusing on consumerish interactions. Some things that I
would like to see in the next version are:
1. A discussion on how AuthZ can converge
I'm not sure what there would be to say in the spec about this: SQL
injection is not part of the standard, but rather a feature of some
implementations :)
[JFM] I agree that many of the ways that have been implemented to date
are insecure and that many of the implementors would be well served
If it turns out that some particular feature absolutely can't be done
without making a new Authentication spec release then so be it, but
ideally I think we want 2.0 to be stable for many years to come to
avoid repeating all of the current pain of incompatible versions and
the poor user
Wouldn't this take the user out of the middle? I would think this would
be bad at some level.
--
Message: 1
Date: Thu, 14 Feb 2008 19:31:40 -0800
From: Brett Carter [EMAIL PROTECTED]
Subject: Login Federation
To:
party how long to
leave an otherwise idle session open before timing it out. Not sure if
this would require an extension or not.
-Original Message-
From: Brett Carter [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 10:09 PM
To: McGovern, James F (HTSC, IT)
Subject: Re: Login
: NISHITANI Masaki [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 26, 2008 1:10 AM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: OpenID 3.0
Let me confirm a point.
On #1, do you mean to enforce OpenID to control the identity-holders are
permitted to access what kind
I would be curious to know if the implementers of the various OpenID
libraries have used tools such as Ounce Labs (www.ouncelabs.com),
Coverity (www.coverity.com) and others to ensure that the OWASP Top Ten
(www.owasp.org) doesn't occur?
Madsen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 26, 2008 1:23 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: OpenID 3.0
in a B2B case, would not the insurance agency be the OP, and its
identity carried through the relevant assertion fields?
As Masaki-san points
Is there merit in having a third-party group such as OWASP
(http://www.owasp.org) provide a third-party opinion that is public on
the security of OpenID? Having large entities market OpenID will help
spread the word even faster.
Does anyone have a perspective on Yahoo and AOL and their weak support
for OpenID? It is good that they are a provider, but shouldn't they
really also allow access based on an OpenID issued by signon.com,
myvidoop.com and others...
This would require defining an OpenID SRV record in DNS. Would make
sense for someone to get this formally defined as part of IETF. Could
kinda be done in the same way that Boeing is moving forward definition
of XRI in LDAP..
-Original Message-
Message: 1
Date: Mon, 07 Apr 2008 18:56:57
Figured I would ask a somewhat off-topic question to see if anyone has
thoughts. I am currently project leader for OWASP Certification Project
(http://www.owasp.org/index.php/Category:OWASP_Certification_Project)
which has on its roadmap, certification questions around identity.
What types of
I am attempting to put together a discussion amongst employees of PC
insurance carriers to discuss scenarios for using OpenID for independent
insurance agents. Does anyone on this list know of employees at carriers
that have an understanding at a technical level regarding OpenID?
NOTE: I am not
...
From: Nat Sakimura [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 04, 2008 7:40 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: PC Insurance Carriers
That sounds interesting.
We have some member companies from PC insurance in OpenID Japan as
well
OpenID certainly has security features but are all the libraries out
there written to secure coding practices? Wouldn't it be great if all
the library creators could have their code reviewed for security
defects? Check out http://owasp.fortify.com/
...@gmail.com
Subject: Re: OpenID Security
To: McGovern, James F (HTSC, IT) james.mcgov...@thehartford.com
Cc: specs@openid.net
Message-ID:
bf26e2340902050834ybf1ae5ara6b97aaac28cd...@mail.gmail.com
Content-Type: text/plain; charset=ISO-8859-1
Yeah. Fortify is nice. I do not know what would
dbou...@gmail.com
Subject: Re: OpenID Security
To: McGovern, James F (HTSC, IT) james.mcgov...@thehartford.com
Cc: specs@openid.net
Message-ID:
26563eca0902051248o446aa21br23aeb19f743ae...@mail.gmail.com
Content-Type: text/plain; charset=UTF-8
I do not believe OWASP presently does any
-Original Message-
From: Peter Watkins [mailto:pet...@tux.org]
Sent: Friday, February 06, 2009 8:29 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: OpenID Security
What do you mean, the implementation? There is no the
implementation.
Are you arguing
Anyone here noodling how to integrate the emerging OASIS CARML/AAPML
specifications into OpenID?