[OpenID] [OIDFSC] FW: Proposal to create the TX working group

Peter Williams pwilliams at rapattoni.com
Wed Dec 24 08:17:20 UTC 2008


If there is any proposal that will ever evoke (d), surely it's the topic you are touching. If it is the same one as a draft I read a while ago, it's proposing the infrastructure normalize the means of giving signed notice of (freeform) legal terms attached to the assertion sent to an SP.

If that assumption about legal notices is true, this is the same as a core innovation VeriSign added to RSA secure server certificates early on: (a) delivery of a copyright notice in the certificate OU field, in order to give notice of data ownership and establish associated legal controls over repurposers, (b) include a url to incorporate by reference a legal agreement to which any of the relying party(s) and/or user(s) are deemed to be bound, upon making any use of the certificate. If in OpenID Auth v2 you now sign with a public key signing operation the assertion's (h)mac, and the mac covers the text of the legal terms present in a new extension, you have essentially reinvented the OP as an entity performing on-demand certificate issuing (if the AX response extension contains the user's public key(s)).

I'd have sympathy with the founders of openid objecting to that proposal, if cast in the terms above. I _can_ see them applying their collective veto on the grounds that such a capability is not consistent with the "purpose" of openid. Treated separately, though, each element of your elements is a very useful (reusable) function.

I suspect folks are going to have to extend their definition of the "purpose" of openid to accommodate your proposal, even if presented as a series of individual elements. I'll guess that this will mean persuading a majority of the spec council that the type of OP/SP they are now dealing with needs the kinds of instruments you are proposing.

This feels like another "NSF/NASA gives operational control to MCI" moment (*). The spec council members might do well to consult our very own Foundation EO for counsel on how to navigate a shift of this magnitude.

(*) the transition that gave birth to the _commercial_ internet.
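To make the mechanism in the second paragraph concrete, here is an added example (mine, not code from this list post, from the TX draft, or from the OpenID specifications) showing how an OpenID Authentication 2.0 positive assertion's HMAC ends up covering the text of legal terms carried in an extension. The extension namespace `openid.ns.tx`, the field name `openid.tx.terms`, the association secret, and every URL are constructed for illustration. The key-value signing string follows the OpenID 2.0 convention of `key:value\n` for each field listed in `openid.signed`, with the `openid.` prefix stripped. The extra step Peter describes, a public-key signature over the MAC, is not shown here since the standard library has no public-key primitive; this block demonstrates only that altering the terms invalidates the MAC.

```python
import base64
import hashlib
import hmac

# Constructed sample: an OpenID 2.0 positive assertion carrying a hypothetical
# "tx" extension that transports legal terms. The namespace URI, the tx.terms
# field and all hostnames are assumptions for illustration, not spec values.
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/endpoint",
    "openid.claimed_id": "https://alice.example/",
    "openid.identity": "https://alice.example/",
    "openid.return_to": "https://rp.example/return",
    "openid.response_nonce": "2008-12-24T08:17:20ZABCDEF",
    "openid.assoc_handle": "assoc-handle-example",
    "openid.ns.tx": "http://example.invalid/tx/1.0",  # assumed namespace
    "openid.tx.terms": "Use of this assertion is subject to https://op.example/terms",
    # Listing ns.tx and tx.terms here is what brings the legal text under the MAC.
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle,ns.tx,tx.terms",
}

# Constructed association secret shared between OP and RP (never a real key).
ASSOC_SECRET = b"constructed-association-secret-not-real"


def kvform_for_signing(response):
    """Build the OpenID 2.0 key-value string over the fields named in openid.signed.

    Each line is "<key>:<value>\\n" with the "openid." prefix removed from the key,
    in the order given by openid.signed.
    """
    signed_keys = response["openid.signed"].split(",")
    return "".join(f"{k}:{response['openid.' + k]}\n" for k in signed_keys)


def sign(response, secret):
    """Return the base64 HMAC-SHA256 over the signed fields (HMAC-SHA256 association)."""
    body = kvform_for_signing(response).encode("utf-8")
    mac = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def signed_copy(response, secret):
    """Return a copy of the response with openid.sig filled in, as the OP would send it."""
    out = dict(response)
    out["openid.sig"] = sign(response, secret)
    return out


def verify(response, secret):
    """RP-side check: recompute the MAC over openid.signed and compare in constant time."""
    expected = sign(response, secret)
    return hmac.compare_digest(expected, response.get("openid.sig", ""))


def demo():
    """Sign the sample, then alter the terms text and show the MAC no longer verifies."""
    signed = signed_copy(SAMPLE_RESPONSE, ASSOC_SECRET)
    genuine_ok = verify(signed, ASSOC_SECRET)
    tampered = dict(signed)
    tampered["openid.tx.terms"] = "No terms apply"
    tampered_ok = verify(tampered, ASSOC_SECRET)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    print("genuine verifies, tampered verifies:", demo())
```

The point of the example is the `openid.signed` list: an extension field is only bound to the assertion if the OP names it there, so an RP that wants to rely on the terms must check that `tx.terms` (and its namespace declaration) appear in `openid.signed` before trusting the text.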

From: Nat Sakimura [mailto:sakimura at gmail.com]
Sent: Tuesday, December 23, 2008 7:43 PM
To: Peter Williams
Cc: Sakimura Nat; general at openid.net
Subject: Re: [OpenID] [OIDFSC] FW: Proposal to create the TX working group

Well, yeah, but I think specs-committee is not talking about (d).

I also considered splitting it into dsig and cx, but the current spec process is a kind of heavy lifting, so I was hoping that I could do it in one shot. Also, one of the beauties of OpenID specs was not being modularized so much, so that you do not have to go through so many specs. From the point of view of modularity, I would split the authentication spec as well into (1) Discovery (of both canonical ID, e.g., URI with fragment, and services), (2) Assertion Format, (3) Signature methods, (4) Protocols. [I actually prefer this way, but I've got a feeling that this community wants a monolithic spec.]


