Questions on Protocol

2007-01-02 Thread McGovern, James F (HTSC, IT)
Johannes invited me to lead the development of the specification for including relationships and authorization as part of OpenID. I have the following questions: 1. Would it be too distracting to have the conversation occur on this listserv or should the admin establish another one? 2. I would

Requirements: Relationships

2007-01-05 Thread McGovern, James F (HTSC, IT)
Hopefully, everyone had the opportunity to read document I sent that outlines the business scenario(s) we are interested in using OpenID for. Figured I would start taking each theme and sharing requirements with the hope that others will react. The requirements for relationship are as

AAPML

2007-01-09 Thread McGovern, James F (HTSC, IT)
Curious if anyone here has read the AAPML specification from Oracle (http://www.oracle.com/technology/tech/standards/idm/igf/pdf/IGF-AAPML-spec-08.pdf). The goal is to allow attribute authorities to specify conditions under which information under management may be used. This sounds like

CARML

2007-01-09 Thread McGovern, James F (HTSC, IT)
Oracle also has a similar specification named CARML (http://www.oracle.com/technology/tech/standards/idm/igf/pdf/IGF-CARML-spec-03.pdf) which defines how applications define their attribute requirements as it relates to identity. CARML can be used to automate configuration of identity

Federated Authorization

2007-01-18 Thread McGovern, James F (HTSC, IT)
I would love to see folks here that also blog not only continue to discuss federated identity but also consider, over the course of several additional postings, also talking about the need for federated authorization. Consider an example where a Doctor in a hospital is having an electronic interaction

Industry Verticals and Standards Bodies

2007-01-18 Thread McGovern, James F (HTSC, IT)
The standards body for my vertical is ACORD (www.acord.org) and is where I would like to get many of my industry peers to put together standards for user-centric identity within an industry vertical context. Would be curious to know whom on this list would be interested in participating once I

Requirements: Attestation

2007-01-18 Thread McGovern, James F (HTSC, IT)
Hopefully everyone is noodling the previously sent requirements on relationship and will reply back with their own thoughts. In the meantime, I figured I would also share the requirements for attestation: * At the high level, there are two ways that attestation can work: * The

RE: Special Request: Client Certificates vs. OpenID

2007-01-22 Thread McGovern, James F (HTSC, IT)
/press_releases/2005/03/29/) where to look at their problem space in 2007, would they have chosen client certificates. -Original Message- From: Alaric Dailey [mailto:[EMAIL PROTECTED] Sent: Monday, January 22, 2007 2:02 PM To: McGovern, James F (HTSC, IT); specs@openid.net Subject: RE: Special

RE: Special Request: Client Certificates vs. OpenID

2007-01-23 Thread McGovern, James F (HTSC, IT)
, January 22, 2007 3:19 PM To: McGovern, James F (HTSC, IT) Cc: specs@openid.net Subject: Re: Special Request: Client Certificates vs. OpenID So I've been doing some asking around who might be interested in co-authoring some kind of white paper on the subject of user-centric identity

RE: Federated Authorization

2007-01-25 Thread McGovern, James F (HTSC, IT)
. -Original Message- From: Dick Hardt [mailto:[EMAIL PROTECTED] Sent: Thursday, January 25, 2007 4:43 PM To: McGovern, James F (HTSC, IT) Cc: specs@openid.net Subject: Re: Federated Authorization On 25-Jan-07, at 1:36 PM, McGovern, James F ((HTSC, IT)) wrote: Modify your scenario as follows

RE: HTTPS status

2007-03-01 Thread McGovern, James F (HTSC, IT)
May I argue that a secure end-to-end encrypted channel does not always equal SSL? I know that PKI is pervasive, but wouldn't want to rule out the potential of using identity-based encryption (IBE)... Date: Wed, 28 Feb 2007 20:23:46 -0600 From: Alaric Dailey [EMAIL PROTECTED] Subject: RE: HTTPS

Features for Future Versions

2007-04-02 Thread McGovern, James F (HTSC, IT)
I originally joined this list with the hopes of injecting support for relationships, authorization and attestation into the specification but have been somewhat disappointed. I do have the following questions? 1. Will OpenID avoid incorporating features where identity selectors such as

Promoting OpenID

2007-04-03 Thread McGovern, James F (HTSC, IT)
As an end-user to user-centric approaches, I have noticed an interesting pattern. Microsoft does a wonderful job of selling Cardspace as a solution to others who develop in Microsoft languages. Likewise, there are tons of vendors that can offer solutions for large enterprises to purchase but no

RE: Promoting OpenID

2007-04-03 Thread McGovern, James F (HTSC, IT)
Message- From: Gabe Wachob [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 03, 2007 4:44 PM To: 'Recordon, David'; McGovern, James F (HTSC, IT); specs@openid.net Subject: RE: Promoting OpenID More likely that the people promoting OpenID to large organizations are vendors and don't particularly

RE: Promoting OpenID

2007-04-03 Thread McGovern, James F (HTSC, IT)
:[EMAIL PROTECTED] Sent: Tuesday, April 03, 2007 3:18 PM To: McGovern, James F (HTSC, IT); specs@openid.net Subject: RE: Promoting OpenID People might be, though nothing real formal that I personally know of. You volunteering? :P --David -Original Message- From: [EMAIL PROTECTED] [mailto

RE: Web Access Management

2007-04-04 Thread McGovern, James F (HTSC, IT)
at IBM then I would be game to rally many of my industry peers to put some pressure... -Original Message- From: Dick Hardt [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 03, 2007 8:21 PM To: McGovern, James F (HTSC, IT) Cc: specs@openid.net Subject: Re: Web Access Management Ping demoed

RE: Promoting OpenID

2007-04-04 Thread McGovern, James F (HTSC, IT)
Great to hear that you are working with salesforce.com. Would someone else on this list volunteer to work with Siebel, Peoplesoft, SAP, Intalio and Alfresco? -Original Message- From: Dick Hardt [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 04, 2007 2:57 AM To: McGovern, James F (HTSC

Attestation

2007-04-05 Thread McGovern, James F (HTSC, IT)
The term attestation has a distinct legal meaning but within an IT context may be used interchangeably with the notion of certification or periodic review. There are of course several levels of attestation. I propose that minimally OpenID incorporate the first notion where someone certifies you are

Server-to-server channel

2007-04-05 Thread McGovern, James F (HTSC, IT)
I would think this would be better solved by leveraging the Oracle Identity Framework and using components such as AAPML and CARML Message: 3 Date: Thu, 5 Apr 2007 10:57:22 + From: Vinay Gupta [EMAIL PROTECTED] Subject: Re: Re[3]: Server-to-server channel To: Chris Drake [EMAIL PROTECTED] Cc:

Web Access Management

2007-04-06 Thread McGovern, James F (HTSC, IT)
Are there special considerations for either relying parties when they may be protected by Web Access Management products? For example, if I initially sign onto a web site using OpenID, I still will need for the Web Access Management product to create a secure cookie that contains a session

Verisign Customer Authentication Service

2007-04-06 Thread McGovern, James F (HTSC, IT)
VeriSign's Consumer Authentication Service authenticates customers by using real-time automation processes in combination with unique interactive question. Once consumers are properly authenticated by CAS, enterprises can be assured of their identity, and they can execute secure business

RE: Logout

2007-04-06 Thread McGovern, James F (HTSC, IT)
Message- From: Johannes Ernst [mailto:[EMAIL PROTECTED] Sent: Friday, April 06, 2007 12:29 PM To: McGovern, James F (HTSC, IT) Cc: specs@openid.net Subject: Re: Logout So far, neither OpenID nor CardSpace define the notion of a session, so no common logout is possible within the standard

RE: Logout

2007-04-06 Thread McGovern, James F (HTSC, IT)
PROTECTED] Sent: Friday, April 06, 2007 2:25 PM To: McGovern, James F (HTSC, IT) Cc: specs@openid.net Subject: Re: Logout That might be hard from a usability perspective, and in my experience, the underlying user requirement tends to be a variation of I am about to go to lunch with the guys

Logout

2007-04-06 Thread McGovern, James F (HTSC, IT)
In thinking about this, wouldn't it be interesting if the RP could return a URL that the selector could callback on? Of course this would be optional. * This communication, including attachments, is for the exclusive use

RE: Web Access Management

2007-04-09 Thread McGovern, James F (HTSC, IT)
So, what will it take to move the mentioned vendors from simply being aware to actively participating? -Original Message- From: Dick Hardt [mailto:[EMAIL PROTECTED] Sent: Sunday, April 08, 2007 2:48 PM To: McGovern, James F (HTSC, IT) Cc: specs@openid.net Subject: Re: Web Access

Java RP

2007-04-11 Thread McGovern, James F (HTSC, IT)
I have been thinking that the best contribution I could make to OpenID would be the first enterprise that deploys OpenID into production. OpenID needs more press than it is receiving and by showing that a large Fortune enterprise is using would be a big win. I do however have one constraint in

Enterprise Concerns

2007-05-29 Thread McGovern, James F (HTSC, IT)
Been silently observing many of the email exchanges over the last couple of weeks and from an end-customer perspective I am somewhat concerned. Some of the general themes I have observed are: 1. Too much focus on breaking compatibility with OpenID 1.1. While you have had some success, now is

Thoughts on Vidoop

2007-10-23 Thread McGovern, James F (HTSC, IT)
Recently saw a demo of Vidoop and think their approach rocks. Was curious if there is an opportunity to express an authentication strength and style as an attribute to be consumed by the relying party.

OpenID support for XACML

2007-10-31 Thread McGovern, James F (HTSC, IT)
Currently OpenID 2.0 is targeted for supporting consumer-oriented interactions. I would love to develop a sense as to when/if members of OpenID have any interest in sketching out B2B interactions where not only identity is important but also assertion of authorization information at runtime via

XACML

2007-12-11 Thread McGovern, James F (HTSC, IT)
OpenID 2.0 seems to have closed major security gaps and is usable in a consumer context. Are there plans to figure out how to add functionality to the next version of OpenID to support more enterprise considerations including support for XACML, modeling of relationships, attestation, etc or is

RE: XACML

2007-12-12 Thread McGovern, James F (HTSC, IT)
. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Washburn Sent: Tuesday, December 11, 2007 1:27 PM To: McGovern, James F (HTSC, IT) Cc: specs@openid.net Subject: Re: XACML Hi James-- Thanks for your note. The OpenID community, made up

Integration with Enterprise Directory Services

2008-01-23 Thread McGovern, James F (HTSC, IT)
What is the standard recommendation for how identifiers get stored in enterprise directory services (e.g. LDAP)?

RE: Integration with Enterprise Directory Services

2008-01-24 Thread McGovern, James F (HTSC, IT)
. =Drummond -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McGovern, James F (HTSC, IT) Sent: Wednesday, January 23, 2008 1:47 PM To: specs@openid.net Subject: Integration with Enterprise Directory Services What is the standard recommendation

RE: Integration with Enterprise Directory Services

2008-01-24 Thread McGovern, James F (HTSC, IT)
for that ... perhaps a separate 1-page standard? On Jan 24, 2008, at 7:02, McGovern, James F (HTSC, IT) wrote: For CardSpace, MS and other providers store it in the SeeAlso attribute. Figured OpenID in the next rev of the spec should talk more about implementation details. -Original Message

Integration with Enterprise Directory Services

2008-01-25 Thread McGovern, James F (HTSC, IT)
Is there merit in also defining other aspects such as how the OP would store history in LDAP by defining new ObjectClass?

RE: Integration with Enterprise Directory Services

2008-01-25 Thread McGovern, James F (HTSC, IT)
software should work in enterprise settings while minimizing configuration regardless of how easy it is. -Original Message- From: Schleiff, Marty [mailto:[EMAIL PROTECTED] Sent: Thursday, January 24, 2008 8:17 PM To: Johannes Ernst; specs@openid.net Cc: McGovern, James F (HTSC, IT); Drummond

OpenID 3.0

2008-02-01 Thread McGovern, James F (HTSC, IT)
Figured I would ask if anyone is interested in brainstorming the next version of OpenID and how it can be used in Enterprise B2B settings and not solely focusing on consumerish interactions. Some things that I would like to see in the next version are: 1. A discussion on how AuthZ can converge

RE: OpenID 3.0

2008-02-04 Thread McGovern, James F (HTSC, IT)
I'm not sure what there would be to say in the spec about this: SQL injection is not part of the standard, but rather a feature of some implementations :) [JFM] I agree that many of the ways that have been implemented to date are insecure and that many of the implementors would be well served

OpenID 3.0

2008-02-04 Thread McGovern, James F (HTSC, IT)
If it turns out that some particular feature absolutely can't be done without making a new Authentication spec release then so be it, but ideally I think we want 2.0 to be stable for many years to come to avoid repeating all of the current pain of incompatible versions and the poor user

Login Federation

2008-02-15 Thread McGovern, James F (HTSC, IT)
Wouldn't this take the user out of the middle? I would think this would be bad at some level. -- Message: 1 Date: Thu, 14 Feb 2008 19:31:40 -0800 From: Brett Carter [EMAIL PROTECTED] Subject: Login Federation To:

RE: Login Federation

2008-02-18 Thread McGovern, James F (HTSC, IT)
party how long to leave an otherwise idle session open before timing it out. Not sure if this would require an extension or not. -Original Message- From: Brett Carter [mailto:[EMAIL PROTECTED] Sent: Friday, February 15, 2008 10:09 PM To: McGovern, James F (HTSC, IT) Subject: Re: Login

RE: OpenID 3.0

2008-02-26 Thread McGovern, James F (HTSC, IT)
: NISHITANI Masaki [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 26, 2008 1:10 AM To: McGovern, James F (HTSC, IT) Cc: specs@openid.net Subject: Re: OpenID 3.0 Let me confirm a point. On #1, do you mean to enforce OpenID to control the identity-holders are permitted to access what kind

OWASP

2008-02-26 Thread McGovern, James F (HTSC, IT)
I would be curious to know if the implementers of the various OpenID libraries have used tools such as Ounce Labs (www.ouncelabs.com), Coverity (www.coverity.com) and others to ensure that the OWASP Top Ten (www.owasp.org) doesn't occur?

RE: OpenID 3.0

2008-02-27 Thread McGovern, James F (HTSC, IT)
Madsen [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 26, 2008 1:23 PM To: McGovern, James F (HTSC, IT) Cc: specs@openid.net Subject: Re: OpenID 3.0 in a B2B case, would not the insurance agency be the OP, and its identity carried through the relevant assertion fields? As Masaki-san points

OWASP Review

2008-03-10 Thread McGovern, James F (HTSC, IT)
Is there merit in having a third-party group such as OWASP (http://www.owasp.org) provide a third-party opinion that is public on the security of OpenID? Having large entities market OpenID will help spread the word even faster.

Web Services

2008-03-19 Thread McGovern, James F (HTSC, IT)
Out on the Wiki is a discussion on creating a WS-Security profile to support OpenID. Is anyone planning on taking this further?

OpenID and Yahoo

2008-04-02 Thread McGovern, James F (HTSC, IT)
Does anyone have a perspective on Yahoo and AOL and their weak support for OpenID? It is good that they are a provider, but shouldn't they really also allow access based on an OpenID issued by signon.com, myvidoop.com and others...

Using email address as OpenID identifier

2008-04-07 Thread McGovern, James F (HTSC, IT)
This would require defining an OpenID SRV record in DNS. Would make sense for someone to get this formally defined as part of IETF. Could kinda be done in the same way that Boeing is moving forward definition of XRI in LDAP.. -Original Message- Message: 1 Date: Mon, 07 Apr 2008 18:56:57

OWASP Certification

2008-08-15 Thread McGovern, James F (HTSC, IT)
Figured I would ask a somewhat offtopic question to see if anyone has thoughts. I am currently project leader for OWASP Certification Project (http://www.owasp.org/index.php/Category:OWASP_Certification_Project) which has on its roadmap, certification questions around identity. What types of

PC Insurance Carriers

2008-12-04 Thread McGovern, James F (HTSC, IT)
I am attempting to put together a discussion amongst employees of PC insurance carriers to discuss scenarios for using OpenID for independent insurance agents. Does anyone on this list know of employees at carriers that have an understanding at a technical level regarding OpenID? NOTE: I am not

RE: PC Insurance Carriers

2008-12-05 Thread McGovern, James F (HTSC, IT)
... From: Nat Sakimura [mailto:[EMAIL PROTECTED] Sent: Thursday, December 04, 2008 7:40 PM To: McGovern, James F (HTSC, IT) Cc: specs@openid.net Subject: Re: PC Insurance Carriers That sounds interesting. We have some member companies from PC insurance in OpenID Japan as well

OpenID Security

2009-02-04 Thread McGovern, James F (HTSC, IT)
OpenID certainly has security features but are all the libraries out there written to secure coding practices? Wouldn't it be great if all the library creators could have their code reviewed for security defects? Check out http://owasp.fortify.com/

OpenID Security

2009-02-05 Thread McGovern, James F (HTSC, IT)
...@gmail.com Subject: Re: OpenID Security To: McGovern, James F (HTSC, IT) james.mcgov...@thehartford.com Cc: specs@openid.net Message-ID: bf26e2340902050834ybf1ae5ara6b97aaac28cd...@mail.gmail.com Content-Type: text/plain; charset=ISO-8859-1 Yeah. Fortify is nice. I do not know what would

OpenID Security

2009-02-06 Thread McGovern, James F (HTSC, IT)
dbou...@gmail.com Subject: Re: OpenID Security To: McGovern, James F (HTSC, IT) james.mcgov...@thehartford.com Cc: specs@openid.net Message-ID: 26563eca0902051248o446aa21br23aeb19f743ae...@mail.gmail.com Content-Type: text/plain; charset=UTF-8 I do not believe OWASP presently does any

RE: OpenID Security

2009-02-09 Thread McGovern, James F (HTSC, IT)
-Original Message- From: Peter Watkins [mailto:pet...@tux.org] Sent: Friday, February 06, 2009 8:29 PM To: McGovern, James F (HTSC, IT) Cc: specs@openid.net Subject: Re: OpenID Security What do you mean, the implementation? There is no the implementation. Are you arguing

IGF: CARML

2009-04-13 Thread McGovern, James F (HTSC, IT)
Anyone here noodling how to integrate the emerging OASIS CARML/AAPML specifications into OpenID?