Hey David,
I've been following some of the discovery work the past few months,
but don't have a clear picture if the various components are actually
solid enough to begin working with. I know XRD is moving forward, but
what's the state of site-meta (http://tools.ietf.org/html/draft-nottingham-site-meta-01
) or now WebFinger (http://code.google.com/p/webfinger/)? Is there
something in WebFinger which wouldn't solve OpenID discovery entirely?
These questions and the lack of adoption of XRD, site-meta or
completion of WebFinger have all contributed to my belief that we're
still just not ready to redefine how OpenID's discovery process should
work.
Thoughts?
Thanks,
--David
Begin forwarded message:
From: David Fuelling <sappe...@gmail.com>
Date: June 9, 2009 10:07:20 AM PDT
To: Allen Tom <a...@yahoo-inc.com>
Cc: secur...@openid.net, gene...@openid.net
Subject: Re: [security] OpenID Security Best Practices Doc
Reply-To: sappe...@gmail.com
On Tue, Jun 9, 2009 at 5:38 AM, Allen Tom <a...@yahoo-inc.com> wrote:
Is the community ready to move forward with OpenID 2.1?
I can't necessarily speak for the community, but I'd at least like
to move forward with the 2.1 Discovery WG. The output of that is
expected to be a "best practices" document relating to Discovery
that would (it is expected) be used in the regular OpenID 2.1 WG.
I'm not opposed to doing all of this in parallel.
I do believe that we really need a security best practices document,
and it shouldn't have to wait until OpenID 2.1 is finalized.
+1
Anyway, when you said you had been "nominated", it made me think
there's some shadow process going on behind the scenes when it comes
to these Working Groups.
At the December 2008 IIW, I was either nominated or was volunteered
to work on Security Best Practices document after I strongly
advocated that the community write one.
Cool. Like I said, I wasn't trying to say you shouldn't be doing
this work. I just wanted to make sure it was "open". I wasn't at
IIW, so that explains my disconnect.
Am I missing something? Are there "private" WG discussions going on
that the rest of us can't see?
The security best practices document was first discussed at the
December 2008 IIW session on OpenID 2.1, completely in the open.
See my comment above.
Or are you just "taking some initiative", as it were?
Well, I'd been procrastinating for more than 6 months, but I think
we waited long enough. More and more sites want to deploy OpenID,
and it's about time we had a security document that potential
implementers can read, other than just reading the specs, and
various blog posts.
:) -- I'm glad you've started working on this. It's important to
have.
-- I'm really just looking to get "in the loop" on this Working
Group business, assuming I'm out if currently).
I believe that the process requires the WG proposers to take their
proposal to the Specifications council who will review the proposal
and give their recommendation to the general membership of the OIDF
to either approve or deny the request to form the WG. The general
membership then votes on the proposal, and if the proposal is
approved, the WG is formed. There's also a very painful process for
the WG members to get their employers to approve their participation
in the WG.
The WG proposals that seem to be stalled right now appear to be
OpenID 2.1, SREG 1.1, and AX 2.0.
At least with regards to SREG 1.1 and AX 2.0, I believe that the
proposers are waiting for their employers to approve their
participation. Where is Dick Hardt? The OpenID world misses you!
I'm not sure about the status on OpenID 2.1, but at least for
myself, I'm more focused on the immediate goals of getting OpenID
OAuth Hybrid and the OpenID UI Extensions finalized.
I for one would like to move forward on the 2.1 Discovery WG. XRD
will be a big part of that, but at this point it seems like much of
XRD has been solidified (at least, enough for us to begin the 2.1
Discovery WG).
The OpenID Wiki says that the Discovery WG proposal has been sent to
the specs council, but I have not seen the proposal yet.
I think this is the proposal:
http://wiki.openid.net/OpenID-Discovery
_______________________________________________
security mailing list
secur...@openid.net
http://openid.net/mailman/listinfo/security
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs