Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)
If we start the process to form a WG for discovery now, most likely the process would only be completed in 6 months, even if there was considerable agreement and stable technologies to draw from.

Right now, there is quite a bit of momentum and excitement about Webfinger. The XRI TC is hoping to publish draft specs for XRD within the next 30 days. Concurrently, and in particular after that, it is hoped that progress on webfinger will be speedy. Webfinger spec discussion may take place at either XRI TC or IETF.

Should we just start responding to all threads about OpenID 2.x discovery by saying that the discussion is taking place at some other mailing list?

On Tue, Jun 9, 2009 at 11:36 AM, David Recordon da...@sixapart.com wrote:
> These questions and the lack of adoption of XRD, site-meta or completion of WebFinger have all contributed to my belief that we're still just not ready to redefine how OpenID's discovery process should work.

--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)
David,

Great questions -- see my thoughts/opinions inline...

david

On Tue, Jun 9, 2009 at 6:36 PM, David Recordon da...@sixapart.com wrote:
> Hey David,
> I've been following some of the discovery work the past few months, but don't have a clear picture if the various components are actually solid enough to begin working with.

This is a valid concern. From what I can gather from the XRD discussions, it seems like the last remaining issue with XRD is the signature format to adopt. Other than that it seems like XRD is very close (XRI TC participants correct me if I'm wrong -- I don't speak for the TC as I've mainly been lurking there). Granted, it will take time to get community feedback on XRD, and move through the OASIS standards mechanisms, but it seems like there's enough meat there to begin drafting a document that would outline how the OpenID community should utilize XRD (I think that's the expected deliverable from the Discovery 2.1 WG, anyway). To me, it seems like the 2.1 Discovery WG _could_ be happening in parallel. After all, the 2.1 Discovery WG is only producing a recommendations doc. The official 2.1 WG could choose to ignore that doc.

> I know XRD is moving forward, but what's the state of site-meta (http://tools.ietf.org/html/draft-nottingham-site-meta-01) or now WebFinger (http://code.google.com/p/webfinger/)? Is there something in WebFinger which wouldn't solve OpenID discovery entirely?

I'll defer to Eran on the state of site-meta. I have been participating in some preliminary (and brief) discussions on the webfinger list (see here: http://groups.google.com/group/webfinger/browse_thread/thread/7936700f02b0049b). I tend to agree with Eran about not needing to normatively specify webfinger.

XRD really takes care of the entire discovery process for email addresses (we just need the intro part that says where to look when presented with an email-like identifier). Essentially, webfinger would be a 2 sentence spec:

1.) Look for an @, split the identifier around the @, and use the domain portion of the email to get the host-meta file.
2.) Use XRD to perform discovery on the identifier.

I wouldn't be opposed to making a normative spec out of webfinger, but in my experience with EAUT and the discussions around email as an OpenID, there were some fundamental disagreements about authorities for email addresses. There's a significant camp of people that believe this information should be included in DNS. There's also a significant group of people who believe it could be located in an XRD file (or, on the web). And some (like me) who believe it could be located in both places, with one taking precedence over the other, plus clear rules of how to behave if one authority is missing.

All that to say, I think the OpenID community should take the _principles_ of webfinger, and create its own spec to deal with email addresses. The notion of getting a normative webfinger spec that satisfies every use case on the Internet (i.e., a generic webfinger spec) seems a bit unlikely to me (I could be wrong). All that to say, I think we in OpenID land should specify how _we_ treat email-like identifiers in our own normative spec, using the principles of webfinger. (whew -- sorry for being so long winded). ;)

> These questions and the lack of adoption of XRD, site-meta or completion of WebFinger have all contributed to my belief that we're still just not ready to redefine how OpenID's discovery process should work.

My opinion is that we know enough to get the ball rolling. There are a lot of other outstanding issues relating to discovery than just XRD. It's a valid point, though, and I would be open to the counter-argument that says, we should wait till XRD, LRDD, etc are finalized before we consider them. I guess I'm more of the opinion that the 2.1 Discovery WG is going to produce a guidance document about 2.1 Discovery, and it seems like we know enough about XRD and its associated protocols to begin discussing and drafting that document.

I guess an additional, if not bigger, question is: do we need a 2.1 Discovery WG to produce a best practices doc?

Thoughts?

Thanks,
--David
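As an added example (not code from this thread, nor from the XRD, site-meta or WebFinger projects), the two-step email-style discovery sketched in the message above, written as a resolver a Relying Party could run. Assumptions: host-meta is an XRD 1.0 document whose Link with rel="lrdd" carries a {uri} template, it lives at /.well-known/host-meta, and the bare identifier (not an acct: URI) is what gets substituted into the template; the sample host-meta document is constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
_LOCAL = re.compile(r"^[^\s@/]+$")
_HOST = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed sample host-meta document (not served by any real host).
SAMPLE_HOST_META = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="lrdd" template="https://example.com/describe?q={uri}"/>
</XRD>"""


def split_email_identifier(identifier):
    """Step 1a: accept only user@host with exactly one '@' and a DNS hostname.

    Anything else is rejected rather than guessed at, so the local part can
    never influence which host is consulted for metadata."""
    if identifier.count("@") != 1:
        raise ValueError("identifier must contain exactly one '@'")
    local, host = identifier.strip().split("@")
    host = host.lower()
    if not _LOCAL.match(local) or not _HOST.match(host):
        raise ValueError("malformed email-like identifier")
    return local, host


def host_meta_url(host):
    """Step 1b: the domain portion alone selects where host-meta is fetched.
    Assumed path: /.well-known/host-meta."""
    return "https://%s/.well-known/host-meta" % host


def lrdd_template(host_meta_xml):
    """Step 2a: find the LRDD link template in the host-meta XRD.
    (In production this XML comes from a remote host, so a parser hardened
    against entity expansion belongs here; ElementTree is used for brevity.)"""
    root = ET.fromstring(host_meta_xml)
    if root.tag != XRD_NS + "XRD":
        raise ValueError("host-meta is not an XRD document")
    for link in root.findall(XRD_NS + "Link"):
        tmpl = link.get("template")
        if link.get("rel") == "lrdd" and tmpl and urlsplit(tmpl).scheme == "https":
            return tmpl
    raise LookupError("no https lrdd template in host-meta")


def resolve(identifier, host_meta_xml):
    """Step 2b: expand the template with the identifier to get the per-user XRD URL."""
    local, host = split_email_identifier(identifier)
    uri = quote("%s@%s" % (local, host), safe="")
    return lrdd_template(host_meta_xml).replace("{uri}", uri)
```

Fetching the host-meta document and then the per-user XRD is left to the caller; only the identifier handling and template resolution are shown.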
Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)
On Tue, Jun 9, 2009 at 7:09 PM, Breno de Medeiros br...@google.com wrote:
> If we start the process to form a WG for discovery now, most likely the process would only be completed in 6 months, even if there was considerable agreement and stable technologies to draw from.
>
> Right now, there is quite a bit of momentum and excitement about Webfinger. The XRI TC is hoping to publish draft specs for XRD within the next 30 days. Concurrently, and in particular after that, it is hoped that progress on webfinger will be speedy. Webfinger spec discussion may take place at either XRI TC or IETF.

Even if webfinger does become its own spec, I'm not confident it will end up looking the same in the context of OpenID (there are thorny issues like Authority to contend with: e.g., what system is the meta-data authority for an email address? DNS? Web (Host-meta?)? Both? Something-else?). I guess my opinion is that this work needs to happen in both places, so why not start it here as well.

> Should we just start responding to all threads about OpenID 2.x discovery by saying that the discussion is taking place at some other mailing list?

Last point to reiterate: There are a lot of Discovery issues besides email addresses and XRD. See the wiki for more.
Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)
And I agree with you. My view is that in the absence of an OpenID discovery WG there will be _more_ uncertainty about future directions for the spec, not less.

On Tue, Jun 9, 2009 at 2:13 PM, David Fuelling sappe...@gmail.com wrote:
> On Tue, Jun 9, 2009 at 7:09 PM, Breno de Medeiros br...@google.com wrote:
>> If we start the process to form a WG for discovery now, most likely the process would only be completed in 6 months, even if there was considerable agreement and stable technologies to draw from.
>>
>> Right now, there is quite a bit of momentum and excitement about Webfinger. The XRI TC is hoping to publish draft specs for XRD within the next 30 days. Concurrently, and in particular after that, it is hoped that progress on webfinger will be speedy. Webfinger spec discussion may take place at either XRI TC or IETF.
>
> Even if webfinger does become its own spec, I'm not confident it will end up looking the same in the context of OpenID (there are thorny issues like Authority to contend with: e.g., what system is the meta-data authority for an email address? DNS? Web (Host-meta?)? Both? Something-else?). I guess my opinion is that this work needs to happen in both places, so why not start it here as well.
>
>> Should we just start responding to all threads about OpenID 2.x discovery by saying that the discussion is taking place at some other mailing list?
>
> Last point to reiterate: There are a lot of Discovery issues besides email addresses and XRD. See the wiki for more.

--
--Breno
Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)
Great feedback. I took the liberty to add this to the Discussion Points on the wiki page.

http://wiki.openid.net/OpenID-Discovery

On Tue, Jun 9, 2009 at 8:43 PM, Allen Tom a...@yahoo-inc.com wrote:
> My primary concern with changing OpenID Discovery is the upgrade path to the new discovery mechanism. It took way too long for everyone to upgrade to OpenID 2.0, so I'd like to have a better understanding of the upgrade path to OpenID 2.1 and/or the new Discovery mechanism.
>
> Allen
Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)
I am in full agreement. Indeed, the proposed charter for the WG has always indicated that the deliverable would be a guidance document, not a separate spec. It should be up to the 2.1 authentication WG to later decide if the guidance document should be published as a separate spec, or if instead it should be incorporated in part or as a whole in the authentication core spec, or any other disposition that is suitable.

I think we all understand that discovery is so close to the core that it should be standardized by the authentication WG. On the other hand, the set of problems (and scope for changes) in discovery is quite different from authentication, and that is the rationale to allow this WG to form.

On Tue, Jun 9, 2009 at 3:05 PM, David Recordon da...@sixapart.com wrote:
> Hey Breno,
> I think this is a good point and judging from this thread already, there seems to be a group of people really interested in working on discovery for OpenID. If we can frame the working group in the right way (David Fuelling framed it well as "I guess I'm more of the opinion that the 2.1 Discovery WG is going to produce a guidance document about 2.1 Discovery") then I think it should be a good thing. That said, let's do a really good job of defining the goals. I'll spend some time going over the wiki page WG proposal this week.
>
> --David
>
> On Jun 9, 2009, at 2:15 PM, Breno de Medeiros wrote:
>> And I agree with you. My view is that in the absence of an OpenID discovery WG there will be _more_ uncertainty about future directions for the spec, not less.
>>
>> On Tue, Jun 9, 2009 at 2:13 PM, David Fuelling sappe...@gmail.com wrote:
>>> On Tue, Jun 9, 2009 at 7:09 PM, Breno de Medeiros br...@google.com wrote:
>>>> If we start the process to form a WG for discovery now, most likely the process would only be completed in 6 months, even if there was considerable agreement and stable technologies to draw from.
>>>>
>>>> Right now, there is quite a bit of momentum and excitement about Webfinger. The XRI TC is hoping to publish draft specs for XRD within the next 30 days. Concurrently, and in particular after that, it is hoped that progress on webfinger will be speedy. Webfinger spec discussion may take place at either XRI TC or IETF.
>>>
>>> Even if webfinger does become its own spec, I'm not confident it will end up looking the same in the context of OpenID (there are thorny issues like Authority to contend with: e.g., what system is the meta-data authority for an email address? DNS? Web (Host-meta?)? Both? Something-else?). I guess my opinion is that this work needs to happen in both places, so why not start it here as well.
>>>
>>>> Should we just start responding to all threads about OpenID 2.x discovery by saying that the discussion is taking place at some other mailing list?
>>>
>>> Last point to reiterate: There are a lot of Discovery issues besides email addresses and XRD. See the wiki for more.
>>
>> --
>> --Breno

--
--Breno