On Mon, Jul 13, 2009 at 11:08 AM, Peter Williams <pwilli...@rapattoni.com>wrote:

> its not free to join the OASIS TC, merely to get general info. There are IP
> implications -  right's one gives up in consideration for access to timely
> info and a voice. Here on openid general, there are no such implications.
>
> Take my counsel: let the discussion happen on the OASIS list - lead by
> highly trusted and discovery-competent-folks who work in both communities.
> But agree that the ONLY legitimate and authorized use of the experimental
> openid namespace is by protocols whose spec has been dumped onto the specs
> list of openid. At that point, prototyping users know that the use of the
> material falls under openid IP rules, patent covenants, and all the rules
> around "non-finalized" specs etc.


There is no spec yet (not even a draft). Our proof-of-concept implementation
simply synthesizes the discussion that has been going on on that list. If we
had a draft, then this would be easy - I would simply implement the draft.
As it is, I'm providing an implementation to show that the concepts we have
discussed over there in fact enable a useful use case, which hopefully will
help us move towards a draft.

Dirk.


>
>
> I doesn't seem a large burden on the mover of the motion to post the
> relevant cut of the TC discovery draft to specs - providing s/he is
> authorized under OASIS rules to do so.
>
> ________________________________
> From: general-boun...@openid.net [general-boun...@openid.net] On Behalf Of
> Dirk Balfanz [balf...@google.com]
> Sent: Monday, July 13, 2009 10:10 AM
> To: Breno de Medeiros
> Cc: OpenID Specs Mailing List; gene...@openid.net List
> Subject: Re: [OpenID] experimental namespace for openid.net
>
> Hi guys,
>
> somehow I only get sporadic messages from this mailing list (I'll have to
> dig through my spam settings, etc, to find out what's going on there), so I
> read the various responses on the web archives. Let me try to respond to
> them:
>
> - XMLDSIG vs. other kinds of signatures: This is exactly the kind of
> discussion going on at the XRI TC right now. There are those on the TC that
> think xmldsig with constrained c14n will work, and those that think that
> this is still too complicated. You're welcome to join the TC and participate
> in the discussion.
>
> - Google "gatewaying" users through itself (by hosting host-meta files for
> domains at Google): we have no intention of gatewaying users through Google.
> When a domain hosts its own host-meta, the discovery will of course just
> work. We simply asked ourselves the question: How can we give all our Google
> Apps users an OpenID with the least amount of work required on the part of
> the Google Apps domain admins? Domains should host their own host-meta. If
> they don't (and many won't), RPs should find a way to still perform
> discovery for that user. Trying Google _first_, and then the domain, will in
> the vast majority of cases result in lower latency from
> user-supplied-identifier to discovery information than the other way 'round.
> But RPs can do whatever they want. They could, for example, try both in
> parallel and go with whatever host-meta comes back first (be that from
> Google, from another hosting provider, or from the actual domain).
>
> - Having said all that, what I was trying to figure out in this thread was
> that assuming that a provider wants to launch a proof-of-concept
> implementation of a feature that I think we all agree is needed in OpenID
> (in this case, better discovery), what namespace should the provider use for
> the various pieces in the protocol that haven't officially been approved
> yet. The responses that actually tried to address that question seemed to
> think that http://experimental.openid.net was a good idea, but that some
> sort of process might be needed to hand out chunks of that namespace. I
> assume that that process should make sure that the provider in question is
> making a good-faith effort to actually contribute to the OpenID community
> during the further development of the feature in question, as opposed to
> grabbing just a chunk of semi-official-sounding namespace? I'm a wee bit
> concerned that the processes that people want to see in place for this might
> take a bit of time to establish (feel free to prove me wrong by setting up a
> registry, etc!), so I'm wondering whether in this case we could follow the
> spirit of the yet-to-be-established process (assuming I captured it
> correctly), as opposed to the letter (which doesn't exist yet), and just
> agree that it is ok for us, in this case, to use that namespace.
>
> Cheers,
>
> Dirk.
>
>
> On Fri, Jul 10, 2009 at 5:13 PM, Breno de Medeiros <br...@google.com
> <mailto:br...@google.com>> wrote:
> A charter proposal for the WG already exists.
>
> On Fri, Jul 10, 2009 at 4:49 PM, David Recordon<da...@sixapart.com<mailto:
> da...@sixapart.com>> wrote:
> > Should this experimental namespace only apply to work being done by
> OpenID
> > working groups?  I'm very supportive of pushing the standards forward via
> > prototypes, but that should be done as part of the OpenID community
> instead
> > of by a single company.
> >
> > I'd be very happy to help get a discovery working group spun up and
> charter
> > them to modernize OpenID 2.0's discovery process.
> >
> > --David
> >
> > On Jul 10, 2009, at 11:58 AM, George Fletcher wrote:
> >
> >> +1 to http://experimental.openid.net
> >>
> >> It would be good to add this to the "repository" work Breno and John are
> >> doing as having a registry for experimental URIs would be good as well.
> >>
> >> Thanks,
> >> George
> >>
> >> Dirk Balfanz wrote:
> >>>
> >>> [+gene...@openid.net<mailto:gene...@openid.net> <mailto:
> gene...@openid.net<mailto:gene...@openid.net>> for a broader audience]
> >>>
> >>> On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz <balf...@google.com
> <mailto:balf...@google.com>
> >>> <mailto:balf...@google.com<mailto:balf...@google.com>>> wrote:
> >>>
> >>>   Hi guys,
> >>>   Google would like to launch a feature in which we're allowing our
> >>>   Google Apps hosted domains to become OpenID providers. The
> >>>   authentication part of it is pretty simple - Google is already
> >>>   logging in users to their apps, so we can also host an OP endpoint
> >>>   for those domains and send assertions back to Relying Parties.
> >>>   What is more difficult is the discovery part. We have been working
> >>>   with the XRI TC to define a XRD-based discovery protocol that
> >>>   would allow this kind of hosting of discovery documents on behalf
> >>>   of our customers.
> >>>   We believe that providing proof-of-concept implementations drives
> >>>   standardization processes forward, so in this spirit we want to
> >>>   launch this feature in the near future, using a discovery protocol
> >>>   that as far as we can tell meets all the requirements of what the
> >>>   XRI TC is currently converging on, but which has not been vetted
> >>>   as an official standard (it's a chicken and egg thing - without
> >>>   PoC no standards, without standards by definition no
> >>>   standards-compliant implementations).
> >>>
> >>>   While we were tossing around ideas
> >>> <http://markmail.org/message/ixc5led2lobdwij2>in the
> >>>   standardization committees we just used random identifiers for new
> >>>   XML namespaces, etc. that we would need for this discovery
> >>>   protocol. Now that we're about to launch we need to decide what to
> >>>   call these things. We would like to use a namespace
> >>>   in http://specs.openid.net/... because we want this kind of
> >>>   discovery protocol to be part of OpenID, but we can't really use
> >>>   them because we don't have a next-generation discovery protocol yet.
> >>>   So what should we use? How
> >>>   about http://experimental.openid.net/... ? That way, Relying
> >>>   Parties know that what we're trying to do is be a part of the
> >>>   OpenID community and bring the protocol forward. On the other
> >>>   hand, this would also be a signal to the RP that they're using a
> >>>   feature that has not been vetted as a standard yet.
> >>>   For example, a discovery document for a domain balfanz.net<
> http://balfanz.net>
> >>>   <http://balfanz.net> at Google might look like this (notice the
> >>>   "experimental" namespace and the XML elements using it):
> >>>
> >>>   <?xml version="1.0" encoding="UTF-8"?>
> >>>   <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
> >>>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
> >>>     <ds:SignedInfo>
> >>>     <ds:CanonicalizationMethod
> >>> Algorithm="
> http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets";
> >>> />
> >>>     <ds:SignatureMethod
> >>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"; />
> >>>     </ds:SignedInfo>
> >>>     <ds:KeyInfo>
> >>>     <ds:X509Data>
> >>>     <ds:X509Certificate>
> >>>     MIICgjCCA...
> >>>     </ds:X509Certificate>
> >>>     <ds:X509Certificate>
> >>>     MIICsDCCAhmgAwIB...
> >>>     </ds:X509Certificate>
> >>>     </ds:X509Data>
> >>>     </ds:KeyInfo>
> >>>     </ds:Signature>
> >>>     <XRD>
> >>>     <CanonicalID>balfanz.net<http://balfanz.net> <http://balfanz.net
> ></CanonicalID>
> >>>     <Service priority="0">
> >>>     <Type>http://specs.openid.net/auth/2.0/server</Type>
> >>>     <Type>http://openid.net/srv/ax/1.0</Type>
> >>>     <Type>http://specs.openid.net/extensions/pape/1.0</Type>
> >>>     <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
> >>>     </Service>
> >>>     <Service priority="0"
> >>> xmlns:experimental="
> http://experimental.openid.net/google/2009/07/xmlns/";>
> >>>     <Type>http://www.iana.org/assignments/relation/describedby</Type>
> >>>     <MediaType>application/xrds+xml</MediaType>
> >>>
> >>> <experimental:URITemplate>
> https://www.google.com/accounts/o8/user-xrds?uri={%uri}
> >>>
> >>> <https://www.google.com/accounts/o8/user-xrds?uri=%7B%uri%7D
> ></experimental:URITemplate>
> >>>     <experimental:NextAuthority>hosted-id.google.com<
> http://hosted-id.google.com>
> >>>   <http://hosted-id.google.com></experimental:NextAuthority>
> >>>     </Service>
> >>>     </XRD>
> >>>   </xrds:XRDS>
> >>>
> >>>   What do you guys think?
> >>>
> >>>   Dirk.
> >>>
> >>>
> >>>
> ------------------------------------------------------------------------
> >>>
> >>> _______________________________________________
> >>> specs mailing list
> >>> specs@openid.net<mailto:specs@openid.net>
> >>> http://openid.net/mailman/listinfo/specs
> >>>
> >>
> >> _______________________________________________
> >> specs mailing list
> >> specs@openid.net<mailto:specs@openid.net>
> >> http://openid.net/mailman/listinfo/specs
> >
> > _______________________________________________
> > general mailing list
> > gene...@openid.net<mailto:gene...@openid.net>
> > http://openid.net/mailman/listinfo/general
> >
>
>
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
>
>
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Reply via email to