From signup at nholz.com Wed Jul 1 05:51:57 2009
From: signup at nholz.com (Nicolas Holzapfel)
Date: Wed, 1 Jul 2009 13:51:57 +0100
Subject: [OpenID] allowing users to switch to opendid-only: pointless?
In-Reply-To: <216e54900906261841h52dc4f9fk81b30ef06e731db8@mail.gmail.com>
References: <12118b110906061414u4f6cf96k57d1017dcd614520@mail.gmail.com> <216e54900906062058g5f17c181y8118d0d68c953449@mail.gmail.com> <12118b110906261531g2116ba3bm28f809351de25901@mail.gmail.com> <216e54900906261841h52dc4f9fk81b30ef06e731db8@mail.gmail.com>
Message-ID: <12118b110907010551h7ceaf155j5f0e66d2d3e8f061@mail.gmail.com>

Thanks once again Shade and Andrew; I think I have enough to present an official counter-argument to the anonymous co-designer, so I'll see what happens.
From david at sixapart.com Wed Jul 1 14:19:22 2009
From: david at sixapart.com (David Recordon)
Date: Wed, 1 Jul 2009 14:19:22 -0700
Subject: [OpenID] Sears Adopts OpenID

I saw this press release earlier today about Sears integrating OpenID sign in to the MySears and MyKmart communities. You can see it at MySears.com and it looks like a very nice implementation that has taken a lot of the recent OpenID usability work into account, including the pop-up extension via Google. While it looks a lot like JanRain's RPX, I'm not seeing direct references to RPX in their code and some of the screens in the log in process are custom built.

This is pretty incredible and I'd love to see the Foundation engage Sears as well as write about it on OpenID.net. I'm happy to take a crack at a post, though being able to do some joint press outreach with Sears would be even better.

http://www.earthtimes.org/articles/show/sears-adopts-openid-technology,879090.shtml

--David

[Three image attachments, Picture 16.png, Picture 17.png and Picture 18.png, were scrubbed from the archive.]

From sysadmin at shadowsinthegarden.com Wed Jul 1 14:25:09 2009
From: sysadmin at shadowsinthegarden.com (SitG Admin)
Date: Wed, 1 Jul 2009 14:25:09 -0700
Subject: [OpenID] Feedback from OpenID demo

>Then you have chosen not to support checkid_immediate.

Additional thought on checkid_immediate: I could see an OP flow where regular login has a default of non-authentication (to RP's), with explicit user activity being required to change this action; and checkid_immediate login having a default of authentication, with the user reserving the option to click (their OP's) cancel within 3 seconds.

-Shade

From david at sixapart.com Wed Jul 1 15:02:51 2009
From: david at sixapart.com (David Recordon)
Date: Wed, 1 Jul 2009 15:02:51 -0700
Subject: [OpenID] Sears Adopts OpenID
Message-ID: <8744FD25-9949-46D7-ACEA-05912F5AAE74@sixapart.com>

A bit more information from the JanRain blog:
http://blog.janrain.com/2009/07/sears-adopts-openid-facebook-connect.html

On Jul 1, 2009, at 2:19 PM, David Recordon wrote:

> I saw this press release earlier today about Sears integrating OpenID sign in to the MySears and MyKmart communities. You can see it at MySears.com and it looks like a very nice implementation that has taken a lot of the recent OpenID usability work into account including the pop-up extension via Google. While it looks a lot like JanRain's RPX, I'm not seeing direct references to RPX in their code and some of the screens in the log in process are custom built.
>
> This is pretty incredible and I'd love to see the Foundation engage Sears as well as write about it on OpenID.net. I'm happy to take a crack at a post, though being able to do some joint press outreach with Sears would be even better.
>
> http://www.earthtimes.org/articles/show/sears-adopts-openid-technology,879090.shtml
>
> --David
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

From bkissel at janrain.com Wed Jul 1 15:05:22 2009
From: bkissel at janrain.com (Brian Kissel)
Date: Wed, 1 Jul 2009 22:05:22 +0000
Subject: [OpenID] Sears Adopts OpenID
Message-ID: <1460824957-1246485898-cardhu_decombobulator_blackberry.rim.net-1338523967-@bxe1072.bisx.prod.on.blackberry>

I'm already working with Don on a blog post.

========
Brian Kissel
JanRain - OpenID Platform Solutions
503.866.4424 (cell)
503.296.5502 (fax)

-----Original Message-----
From: David Recordon
Date: Wed, 1 Jul 2009 17:19:22
To: OpenID List
Cc: Don Thibeau; Brian Kissel; ChrisMessina
Subject: Sears Adopts OpenID

I saw this press release earlier today about Sears integrating OpenID sign in to the MySears and MyKmart communities. You can see it at MySears.com and it looks like a very nice implementation that has taken a lot of the recent OpenID usability work into account including the pop-up extension via Google. While it looks a lot like JanRain's RPX, I'm not seeing direct references to RPX in their code and some of the screens in the log in process are custom built.

This is pretty incredible and I'd love to see the Foundation engage Sears as well as write about it on OpenID.net. I'm happy to take a crack at a post, though being able to do some joint press outreach with Sears would be even better.
http://www.earthtimes.org/articles/show/sears-adopts-openid-technology,879090.shtml

--David

From lshepard at facebook.com Wed Jul 1 16:20:15 2009
From: lshepard at facebook.com (Luke Shepard)
Date: Wed, 1 Jul 2009 16:20:15 -0700
Subject: [OpenID] Checking signature on an unsolicited positive assertion

I have a question about the spec that hopefully someone on the list can help with.

I'd like to accept an unsolicited positive OpenID assertion from a provider. So, instead of the RP issuing a request to the provider and then getting a response, the provider would just form the correct URL and send the user to it. The RP can then verify the signature and continue as though it had made the original request.

For performance reasons, it would be nice to use a shared secret, if one exists. That way the RP wouldn't have to make an extra HTTP request to the OP every time. However, section 11.4.2.1 of the spec says that doing so is forbidden as it opens up replay attacks.

http://openid.net/specs/openid-authentication-2_0.html#check_auth

Can someone clarify why this is disallowed? It seems to me that as long as the provider supplies a nonce, and the RP checks the nonce, then there is no replay attack possible.

Thanks,
Luke

From johnny.bufu at gmail.com Sun Jul 5 02:12:21 2009
From: johnny.bufu at gmail.com (Johnny Bufu)
Date: Sun, 05 Jul 2009 02:12:21 -0700
Subject: [OpenID] Delegation leading to new accounts on websites
In-Reply-To: <216e54900906211729o110f93c9labefad2d14a90c43@mail.gmail.com>
References: <4A3EB277.1000206@btinternet.com> <216e54900906211729o110f93c9labefad2d14a90c43@mail.gmail.com>
Message-ID: <4A506E75.2080500@gmail.com>

On 21/06/09 05:29 PM, Andrew Arnott wrote:
> Google doesn't support delegation at all. Some concern about asserting
> an Identifier it has no control over...

Perhaps they are just being too cautious. The OP's assertion is about openid.identity, which is always under their control. The end-users presenting a valid assertion issued by their OP are claiming they control the openid.claimed_id. The OP's assertion is the tool that makes the claim verifiable.

An OP's (valid) assertion alone cannot be used to prove ownership of another claimed identifier without actually having control over that claimed identifier (to configure delegation to the OP).

Johnny

From pwilliams at rapattoni.com Sun Jul 5 09:46:02 2009
From: pwilliams at rapattoni.com (Peter Williams)
Date: Sun, 5 Jul 2009 09:46:02 -0700
Subject: [OpenID] Delegation leading to new accounts on websites
In-Reply-To: <4A506E75.2080500@gmail.com>
References: <4A3EB277.1000206@btinternet.com> <216e54900906211729o110f93c9labefad2d14a90c43@mail.gmail.com>, <4A506E75.2080500@gmail.com>

Yes - and in "denying" openid-delegation flows, Google are somewhat undermining and denying UCI - a founding mission of the movement. They are apparently taking a slice of openid auth protocol and superimposing SAML2 semantics -- an IDP-centric control model.

But I also think that openid architecture has in the XRD exactly what's needed to find the middle ground - addressing the concerns of the "overly-cautious OP" with a mega-brand to worry about.
I think we would be further maturing as a community if we could accommodate in openid auth 2.1 the "control" issues facing such mega-brands.

1. As OP, Google could be resolving to a 100% Google-controlled XRD any discovery request for the HTTP URL they currently place in the openid.identity response (a persistent, per RP, law#4 URL). That XRD is Google property, is licensed and copyrighted by Google, and is "theirs". No, the user may not add an SEP that points to Yahoo's openid endpoint, despite the nature of underlying XRD architecture. That XRD is Google property, is under the firm's control, brings Google Governance to the world (do not harm etc), and hopefully still addresses Google goals for funding their (world-beating) OP on the most famous home page in the world: google.com.

(This is a "just-stunning" openid movement accomplishment; and complimentary recognition MUST be given to Google for taking such a risk. It takes my breath away each time I consider what has really happened in the security world, here...)

2. Independently, the user can go purchase an XRI. Or, weirdos like me learn to operate a "delegated XRI child authority" server in their data center - a glorified DNS server administering a child domain. (I received lots of open-source help on that from the http://openxri.org crew last week, proving to my satisfaction that I *can* opt to retain my independence from the XDI.org governance apparatus). As a result, each user optionally has their own XRD - that can now be used in the openid delegation flow of openid auth, promote UCI, and thus provide portability.

Now, let's put the 2 together. Let's now make Google-OP happy - exercise "protective control". And, let's make users happy - they retain portability. Let's make the XRI folks happy - their linked-identifier vision gets applied. Let's even keep the ever-testy W3C TAG happy - only use XRDs whose ids align with semweb's own globally distributed identifier architecture. Not that it matters much, let's even make Peter happy: UCI is retained.

To "arm" the openid-delegation feature at a Google OP, a google-governed-user must establish equivalency of his/her own XRD with the Google-governed XRD. Logged on to Google Accounts locally - an act by which any Google-user admits and confirms the governance relationship of Google over the Google XRD - the now Google-governed-user induces Google-OP to add an EquivID to the Google XRD for that google-user - pointing back at the user's own XRD. Being a google-governed session, the Google use terms are in control, and the private-party user must license Google to store/apply/cite/verify/validate/... that user-owned/copyrighted backpointer value ... to his/her own XRD.

As with all openid-delegation, the user must alter his/her own XRD to complement what just happened at Google-OP. The user of course adds an SEP that points to Google's OP endpoints. But now, the user (or rather a tool-wizard in practice...) adds the canonicalid of the Google XRD as a "canonicalEquivID" field in the SEP entry. The result would seem to be that the user may now apply his/her own identifier at RPs, without the RPs storing any Google-governed property. Google-OP only participates in openid-delegation for those Google-users who have registered (and previously authenticated to Google-OP during registration) their own XRD.

Now, I'm sure I have my XRI v2 resolver theory slightly wrong, in the above. Perhaps the SEP in the user's XRD would better have an XRD "ref" to the google XRD, vs a canonicalEquivID. XRI is far too hard for my class of brain to understand such technical subtleties. But, regardless of final techniques chosen, hopefully one sees the pattern I'm advocating - reaching for a middle ground by exploiting linkages between XRDs.
I'm aiming to find a half-way house between the impulse of an OP to want to project legal control over a user's life at an RP, and the user's desire to retain independence from any one OP while on that RP site. Such a form of formal independence would allow the OP/user relationship to subsequently terminate, but terminate in a manner that has zero impact on the still-ongoing RP/user relationship.

________________________________________
From: Johnny Bufu [johnny.bufu at gmail.com]
Sent: Sunday, July 05, 2009 2:12 AM
To: Andrew Arnott
Cc: Peter Williams; general at openid.net
Subject: Re: [OpenID] Delegation leading to new accounts on websites

On 21/06/09 05:29 PM, Andrew Arnott wrote:
> Google doesn't support delegation at all. Some concern about asserting
> an Identifier it has no control over...

Perhaps they are just being too cautious. The OP's assertion is about openid.identity, which is always under their control. The end-users presenting a valid assertion issued by their OP are claiming they control the openid.claimed_id. The OP's assertion is the tool that makes the claim verifiable.

An OP's (valid) assertion alone cannot be used to prove ownership of another claimed identifier without actually having control over that claimed identifier (to configure delegation to the OP).

Johnny

From andrewarnott at gmail.com Sun Jul 5 14:31:35 2009
From: andrewarnott at gmail.com (Andrew Arnott)
Date: Sun, 5 Jul 2009 14:31:35 -0700
Subject: [OpenID] My 2 Cents to the OpenID foundation
In-Reply-To: <87C39644-686C-4C4C-B078-0BAA97E8DA13@wingaa.com>
References: <87C39644-686C-4C4C-B078-0BAA97E8DA13@wingaa.com>
Message-ID: <216e54900907051431l50981814k2148256c19f87525@mail.gmail.com>

Just digging up an old thread and finding some interesting guesses at MySpace's OpenID support. Just feeling like defending someone here... :)

*Does MySpace support OpenID 1.1?*
*No.* The individual user identifiers that MySpace issues only provide OpenID 2.0 discoverable endpoints. I also tried rigging up a delegating identifier that forces the RP to discover a 1.1 endpoint to MySpace, and MySpace choked on it. So it's a 2.0-only OP.

*Which association types does MySpace support?*
HMAC-SHA1 and HMAC-SHA256. This is in contradiction to earlier in this thread where MySpace allegedly didn't support HMAC-SHA1.

*Why do we see HMAC-SHA512 coming from MySpace? Doesn't that compromise interoperability with RPs? Isn't this a deviation from the spec?*
MySpace uses HMAC-SHA512 for its private associations only, and this is an internal detail. It does *not* use these for shared associations (unless the RP specifically asks for them), so it should not adversely affect interoperability. Perhaps if some RPs are hard-coded to break if a signature is too long it might break, but IMO this is a poorly written RP if it even exists. The spec doesn't forbid use of association types that are not described in the spec, either.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

2009/4/7 John Bradley <john.bradley at wingaa.com>
> Santrajan,
> The symmetric encryption key, SHA1 or SHA256, is set per RP/OP association.
>
> It would take some real bending of the protocol for the RP to have two associations and choose the one to use based on what the OP might send back.
>
> It is also unlikely that PCI rules are going to allow any OP to store credit card numbers and make them available via AX.
> There is going to have to be something other than AX as it is now for authenticating financial transactions.
>
> We also need to remember this signature is only intended to prevent tampering and is not used for encryption.
> For AX, including the attributes in the signed portion of the message is optional in any event.
>
> Yes, the OP may send back attributes that could be modified by the user without the RP knowing.
>
> The AX 1.0 spec allows OPs and RPs to negotiate any sort of signing and/or encryption they like for attributes.
> However there is no standard for that, so at the moment the most OPs can do is include the AX attributes in the signed part of the response.
>
> We have talked for a while about the need for AX 2.0 to address some of the ambiguities and add things like encryption and structured attributes.
>
> I am hoping work on that can get started soon!
>
> John Bradley
>
> On 7-Apr-09, at 7:23 PM, general-request at openid.net wrote:
>
> Date: Tue, 7 Apr 2009 18:56:52 -0700 (PDT)
> From: santrajan <santrajan at gmail.com>
> Subject: Re: [OpenID] My 2 Cents to the OpenID foundation
> To: general at openid.net
> Message-ID: <22941702.post at talk.nabble.com>
>
> I think the degree of security required must be proportional to the value of the information you are carrying. SHA1 is fine for basic profile data. You need SHA256 only for things like credit card no, social security no, bank account no etc etc.
>
> Allen Tom-2 wrote:
>
> John Bradley wrote:
> Yahoo and I have an ongoing disagreement over the requirement for openID 2.0 OPs to support HMAC-SHA256, they believe that HMAC-SHA1 is sufficient. I think that if an RP asks for a SHA256 association they should support it. (Allen feel free to defend yourself:)
>
> Hi John,
>
> I don't think any RP has asked us to support HMAC-SHA256, so we haven't gotten around to implementing it yet. As far as I can tell, Section 6.2 of the OpenID 2.0 spec does not require OPs to support HMAC-SHA256.
>
> Thanks
> Allen
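Luke's question earlier in this thread (verifying an unsolicited positive assertion with a pre-established association, relying on the nonce against replay) and Andrew's point just above (signature length varies with the association type, so an RP must not hard-code it) both come down to the same RP-side routine: rebuild the key-value form of the fields listed in openid.signed, recompute the HMAC under the stored MAC key, compare, and only then consume openid.response_nonce. The Python below is an added example written for this page; it is not code from the spec, from any OP or RP named in the thread, or from a library the posters used. The endpoints, association handle, MAC keys and nonce are constructed so it runs offline, and NonceStore stands in for whatever shared store a real RP keeps its accepted nonces in.

```python
"""RP-side verification of an OpenID 2.0 positive assertion (openid.mode=id_res)
with a stored association: HMAC over the key-value form of the signed fields,
then once-only acceptance of openid.response_nonce. Added example for this
page; endpoints, handle, MAC keys and nonce below are constructed."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

OPENID2_NS = "http://specs.openid.net/auth/2.0"
ASSOC_DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}  # sec. 6.2
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}  # sec. 10.1

# Constructed sample data (assumed names; not real endpoints or keys).
OP_ENDPOINT = "https://op.example.net/openid"
RETURN_TO = "https://rp.example.com/openid/return"
ASSOC_HANDLE = "assoc-42"
MAC_KEY_SHA1 = bytes(range(20))     # HMAC-SHA1 associations carry a 20-byte MAC key
MAC_KEY_SHA256 = bytes(range(32))   # HMAC-SHA256 associations carry a 32-byte MAC key
ASSOCIATIONS = {(OP_ENDPOINT, ASSOC_HANDLE): ("HMAC-SHA256", MAC_KEY_SHA256)}
SAMPLE_NOW = datetime(2009, 7, 1, 23, 20, 0, tzinfo=timezone.utc)
SAMPLE_NONCE = "2009-07-01T23:20:00ZUNIQ1"  # ISO 8601 UTC stamp plus unique suffix


def kv_form(params, signed_fields):
    """Key-value form (sec. 4.1.1): 'field:value\\n' per signed field, in
    openid.signed order, with the 'openid.' prefix stripped from the keys."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_fields)


def sign(params, signed_fields, assoc_type, mac_key):
    """base64(HMAC(mac_key, kv_form)) using the digest named by assoc_type."""
    body = kv_form(params, signed_fields).encode("utf-8")
    return base64.b64encode(hmac.new(mac_key, body, ASSOC_DIGESTS[assoc_type]).digest()).decode("ascii")


def build_positive_assertion(claimed_id, identity, nonce, assoc_type, mac_key,
                             op_endpoint=OP_ENDPOINT, return_to=RETURN_TO, assoc_handle=ASSOC_HANDLE):
    """The id_res message an OP sends the user agent to return_to with. For an
    unsolicited assertion the OP builds this without any prior request from the RP."""
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    p = {"openid.ns": OPENID2_NS, "openid.mode": "id_res",
         "openid.op_endpoint": op_endpoint, "openid.claimed_id": claimed_id,
         "openid.identity": identity, "openid.return_to": return_to,
         "openid.response_nonce": nonce, "openid.assoc_handle": assoc_handle,
         "openid.signed": ",".join(signed)}
    p["openid.sig"] = sign(p, signed, assoc_type, mac_key)
    return p


class NonceStore:
    """Accepted (op_endpoint, nonce) pairs (sec. 11.3). A real RP shares this
    store across its front ends and expires entries older than max_skew."""
    def __init__(self, max_skew=timedelta(minutes=5)):
        self.seen, self.max_skew = set(), max_skew

    def accept(self, op_endpoint, nonce, now):
        try:  # the first 20 characters are the OP's timestamp, e.g. 2009-07-01T23:20:00Z
            ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False
        if abs(now - ts) > self.max_skew or (op_endpoint, nonce) in self.seen:
            return False
        self.seen.add((op_endpoint, nonce))
        return True


def verify_assertion(p, associations, nonces, expected_return_to, now):
    """Return (True, claimed_id) or (False, reason). `associations` maps
    (op_endpoint, assoc_handle) -> (assoc_type, mac_key). Nothing here depends
    on the RP having issued a request, so unsolicited assertions verify too."""
    if p.get("openid.ns") != OPENID2_NS or p.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    signed = p.get("openid.signed", "").split(",")
    missing = REQUIRED_SIGNED - set(signed)
    missing |= {f for f in ("claimed_id", "identity") if "openid." + f in p and f not in signed}
    if missing:
        return False, "unsigned fields: " + ",".join(sorted(missing))
    if any("openid." + f not in p for f in signed):
        return False, "openid.signed names a field that is not in the message"
    if p["openid.return_to"] != expected_return_to:  # sec. 11.1
        return False, "return_to mismatch"
    assoc = associations.get((p["openid.op_endpoint"], p["openid.assoc_handle"]))
    if assoc is None:  # unknown or expired handle: only check_authentication can settle it
        return False, "unknown association; verify via check_authentication"
    if not hmac.compare_digest(sign(p, signed, *assoc).encode(), p.get("openid.sig", "").encode()):
        return False, "bad signature"
    # The nonce is consumed only after the signature is good, so an unsigned
    # forgery cannot burn a nonce the OP is about to issue legitimately.
    if not nonces.accept(p["openid.op_endpoint"], p["openid.response_nonce"], now):
        return False, "stale or replayed nonce"
    return True, p.get("openid.claimed_id")


if __name__ == "__main__":
    store = NonceStore()
    msg = build_positive_assertion("https://alice.example.org/", "https://op.example.net/id/alice",
                                   SAMPLE_NONCE, "HMAC-SHA256", MAC_KEY_SHA256)
    print(verify_assertion(msg, ASSOCIATIONS, store, RETURN_TO, SAMPLE_NOW))  # accepted
    print(verify_assertion(msg, ASSOCIATIONS, store, RETURN_TO, SAMPLE_NOW))  # same nonce again: rejected
    for t, k in (("HMAC-SHA1", MAC_KEY_SHA1), ("HMAC-SHA256", MAC_KEY_SHA256)):
        print(t, "signature is", len(sign(msg, msg["openid.signed"].split(","), t, k)), "base64 chars")
```

Two things worth noticing when running it. First, verify_assertion never consults any record of an outstanding request, which is what makes it usable for the unsolicited case Luke describes; the defence against replay is the signature check followed by once-only acceptance of the nonce, in that order. Second, the HMAC-SHA1 and HMAC-SHA256 signatures come out at 28 and 44 base64 characters respectively, so an RP that sizes a column or buffer for one association type will reject the other, which is the failure mode Andrew mentions.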


From signup at nholz.com Mon Jul 6 10:41:49 2009
From: signup at nholz.com (Nicolas Holzapfel)
Date: Mon, 6 Jul 2009 18:41:49 +0100
Subject: [OpenID] email address retrieval
Message-ID: <12118b110907061041j31d101d5qb7748de2bec71353@mail.gmail.com>

Am I right in thinking that an OpenID-enabled site cannot retrieve a user's email address? But that it can use their email address to send notifications? So in the settings it would say something like "email address: contact via OpenID" but would not be able to actually state the email address?

Is this the same for Google Connect and the likes?

Also, for those who remember my series of emails concerning whether or not to implement a "remove site-only login details" option (so that the user can choose to only be able to log in with OpenID), you'll be pleased to hear that the anonymous co-designer has accepted this proposal!

From pwilliams at rapattoni.com Mon Jul 6 10:48:07 2009
From: pwilliams at rapattoni.com (Peter Williams)
Date: Mon, 6 Jul 2009 10:48:07 -0700
Subject: [OpenID] dotnetopenid news
In-Reply-To: <216e54900906171303n5555a1b7x45f9f3ff021c52c9@mail.gmail.com>
References: <216e54900906171303n5555a1b7x45f9f3ff021c52c9@mail.gmail.com>

Yes please! I got blocked performing the Google demo as it required credential signup, licensing etc. I've got a "private" foaf data service that is an OAUTH SP, and want to experiment in code with the openid+oauth hybrid to access the authorization groups and (corresponding) classes it stores within.

Much as others are thinking about having an XRI proxy serving SEPs for Target Resources be fronted by an OAUTH SP (in order to act as a "resource STS" for consumer sites), I'm experimenting with having the foaf data service play a similar role - with the advantage over XRI that I get the power of semweb inferences when designing my authorization scheme. (Of course, I then lose the excellent authority resolution protocol of XRI and the availability of XRI's SAML assertions - with which to represent my own secure validity model for assertions and namespaces!)

________________________________
From: Andrew Arnott [andrewarnott at gmail.com]
Sent: Wednesday, June 17, 2009 1:03 PM
To: Peter Williams
Cc: general at openid.net
Subject: Re: [OpenID] dotnetopenid news

We don't have a sample OpenID+OAuth OP+SP sample, although it absolutely can be done with the library with equally minimal effort. Let me know if you're interested in this side of it and I can whip something up.
From josh at janrain.com Mon Jul 6 10:57:08 2009
From: josh at janrain.com (Josh Hoyt)
Date: Mon, 6 Jul 2009 10:57:08 -0700
Subject: [OpenID] Checking signature on an unsolicited positive assertion

On Wed, Jul 1, 2009 at 4:20 PM, Luke Shepard wrote:
> I'd like to accept an unsolicited positive OpenID assertion from a provider. So, instead of the RP issuing a request to the provider and then getting a response, the provider would just form the correct URL and send the user to it. The RP can then verify the signature and continue as though it had made the original request.
>
> For performance reasons, it would be nice to use a shared secret, if one exists. That way the RP wouldn't have to make an extra HTTP request to the OP every time. However, section 11.4.2.1 of the spec says that doing so is forbidden as it opens up replay attacks.

If I understand what you're asking, that section does not disallow your use case. If you are using a preestablished shared secret, that section does not apply at all because your use case will never make a check_authentication call.

Josh

From sysadmin at shadowsinthegarden.com Mon Jul 6 14:23:55 2009
From: sysadmin at shadowsinthegarden.com (SitG Admin)
Date: Mon, 6 Jul 2009 14:23:55 -0700
Subject: [OpenID] email address retrieval
In-Reply-To: <12118b110907061041j31d101d5qb7748de2bec71353@mail.gmail.com>
References: <12118b110907061041j31d101d5qb7748de2bec71353@mail.gmail.com>

>Am I right in thinking that an OpenID-enabled site cannot retrieve a
>user's email address? But that it can use their email address to
>send notifications?

You can use Simple Registration (SREG) or Attribute Exchange (AX) to request the user's E-mail address, but whether you *trust* what the OP sends you (remember: OP's can be user-run) is an entirely different matter.
Large-scale RP's may be trying to identify OP's that *they* can trust to verify E-mail addresses, so they don't have to handle verification themselves (potentially an extra task for the user, though we've also discussed such solutions as autoresponders), but REQUIRING users to have an E-mail address (and supply it to the RP) annoyed several of us when proposed - leading to declarations that we would just create temporary (disposable) addresses (possibly as an automated process, through our OP). There is much, MUCH more on this to be found in the mailing list archives. If you can, please be more specific about how you hope to use E-mail addresses, and generally what you expect to be different (about the operation of your site, and/or the user's interaction with it) if you have that information versus if you do not. >So in the settings it would say something like "email address: >contact via OpenID" but would not be able to actually state the >email address? Are you thinking that, to contact a user via E-mail, you would have to contact their OP (perhaps through OAuth) and request that the OP send that user a message on your behalf? What if I don't want the *OP* to know my E-mail address, but I'm fine with *you* knowing it? I can use SREG/AX to autofill *some* of my information from the OP, but if that isn't enough, you can then ask me to fill out the rest of it manually, and I can supply that information on my own. Even if that information is *required*, you still shouldn't rely on the OP to either send a user back with all information or send a user back with "Sorry, we'll just have to call this whole deal off."; imagine that you're bringing cash to a club that requires a high entrance fee. Outside, you meet a shady-looking fella who offers to "escort" you past the doorman, but you'd better not even bother going near the door unless you can hand him enough greenbacks to "bribe" the doorman with, 'cause the doorman will throw you BOTH out if that's the case. 
You feel kinda nervous about showin' this fella your wallet - what if he turned out to be a thief who wanted to rob you? Besides, isn't the size of your wallet a private matter between you and the *doorman*? Why can't you just walk in on your own confidence and risk getting thrown out *yourself* if it turns out you can't afford their fee?

That shady-looking fella is the OP that tells users "E-mail addresses are *required* by this RP, so hand it over TO ME and I, in turn, will hand it over to *them*." - it's the user's right to establish a trust relationship with *you*, directly, cutting out the OP middleman to keep that OP from gaining too much power and getting greedy.

Whether you actually state the E-mail address (in a way that it's visible to the user) is up to you. Or, if you want to make it configurable, up to the user :)

-Shade

From sakimura at gmail.com Mon Jul 6 17:12:20 2009
From: sakimura at gmail.com (Nat Sakimura)
Date: Tue, 7 Jul 2009 09:12:20 +0900
Subject: [OpenID] Delegation leading to new accounts on websites
References: <4A3EB277.1000206@btinternet.com> <216e54900906211729o110f93c9labefad2d14a90c43@mail.gmail.com> <4A506E75.2080500@gmail.com>

I agree. This is in line with my blog post: http://www.sakimura.org/en/modules/wordpress/index.php?p=82 I think.

In XRD 1.0 parlance, I suppose it will be link/rel forward pointing to the second XRD, and again link/rel pointing back to the original.

=nat

On Mon, Jul 6, 2009 at 1:46 AM, Peter Williams wrote:
> Yes - and in "denying" openid-delegation flows, Google are somewhat undermining and denying UCI - a founding mission of the movement. They are apparently taking a slice of openid auth protocol and superimposing SAML2 semantics -- an IDP-centric control model.
>
> But I also think that openid architecture has in the XRD exactly what's needed to find the middle ground - addressing the concerns of the "overly-cautious OP" with a mega-brand to worry about. I think we would be further maturing as a community if we could accommodate in openid auth 2.1 the "control" issues facing such mega-brands.
>
> 1. As OP, Google could be resolving to a 100% Google-controlled XRD any discovery request for the HTTP URL they currently place in the openid.identity response (a persistent, per RP, law#4 URL). That XRD is Google property, is licensed and copyrighted by Google, and is "theirs". No, the user may not add an SEP that points to Yahoo's openid endpoint, despite the nature of underlying XRD architecture. That XRD is Google property, is under the firm's control, brings Google Governance to the world (do not harm etc), and hopefully still addresses Google goals for funding their (world-beating) OP on the most famous home page in the world: google.com.
>
> (This is a "just-stunning" openid movement accomplishment; and complimentary recognition MUST be given to Google for taking such a risk. It takes my breath away each time I consider what has really happened in the security world, here...)
>
> 2. Independently, the user can go purchase an XRI. Or, weirdos like me learn to operate a "delegated XRI child authority" server in their data center - a glorified DNS server administering a child domain. (I received lots of open-source help on that from the http://openxri.org crew last week, proving to my satisfaction that I *can* opt to retain my independence from the XDI.org governance apparatus). As a result, each user optionally has their own XRD - that can now be used in the openid delegation flow of openid auth, promote UCI, and thus provide portability.
>
> Now, let's put the 2 together. Let's now make Google-OP happy - exercise "protective control".
> And, let's make users happy - they retain portability. Let's make the XRI folks happy - their linked-identifier vision gets applied. Let's even keep the ever-testy W3C TAG happy - only use XRDs whose ids align with semweb's own globally distributed identifier architecture. Not that it matters much, let's even make Peter happy: UCI is retained.
>
> To "arm" the openid-delegation feature at a Google OP, a google-governed-user must establish equivalency of his/her own XRD with the Google-governed XRD. Logged on to Google Accounts locally - an act by which any Google-user admits and confirms the governance relationship of Google over the Google XRD - the now Google-governed-user induces Google-OP to add an EquivID to the Google XRD for that google-user - pointing back at the user's own XRD. Being a google-governed session, the Google use terms are in control, and the private-party user must license Google to store/apply/cite/verify/validate/... that user-owned/copyrighted backpointer value ... to his/her own XRD.
>
> As with all openid-delegation, the user must alter his/her own XRD to complement what just happened at Google-OP. The user of course adds an SEP that points to Google's OP endpoints. But now, the user (or rather a tool-wizard in practice...) adds the canonicalid of the Google XRD as a "canonicalEquivID" field in the SEP entry.
>
> The result would seem to be that the user may now apply his/her own identifier at RPs, without the RPs storing any Google-governed property. Google-OP only participates in openid-delegation for those Google-users who have registered (and previously authenticated to Google-OP during registration) their own XRD.
>
> Now, I'm sure I have my XRI v2 resolver theory slightly wrong, in the above. Perhaps the SEP in the user's XRD would better have an XRD "ref" to the google XRD, vs a canonicalEquivID.
> XRI is far too hard for my class of brain, to understand such technical subtleties.
>
> But, regardless of final techniques chosen, hopefully one sees the pattern I'm advocating - reaching for a middle ground by exploiting linkages between XRDs. I'm aiming to find a half way house between the impulse of an OP to want to project legal-control over a user's life at an RP, and the user's desire to retain independence from any one OP while on that RP site. Such a form of formal independence would allow the OP/user relationship to subsequently terminate, but terminate in a manner that has zero impact on the still-ongoing RP/user relationship.
>
> ________________________________________
> From: Johnny Bufu [johnny.bufu at gmail.com]
> Sent: Sunday, July 05, 2009 2:12 AM
> To: Andrew Arnott
> Cc: Peter Williams; general at openid.net
> Subject: Re: [OpenID] Delegation leading to new accounts on websites
>
> On 21/06/09 05:29 PM, Andrew Arnott wrote:
> > Google doesn't support delegation at all. Some concern about asserting an Identifier it has no control over...
>
> Perhaps they are just being too cautious.
>
> The OP's assertion is about openid.identity, which is always under their control.
>
> The end-users presenting a valid assertion issued by their OP are claiming they control the openid.claimed_id. The OP's assertion is the tool that makes the claim verifiable.
>
> An OP's (valid) assertion alone cannot be used to prove ownership of another claimed identifier without actually having control over that claimed identifier (to configure delegation to the OP).
>
> Johnny

--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
From nicolas.holzapfel at googlemail.com Tue Jul 7 14:45:18 2009
From: nicolas.holzapfel at googlemail.com (Nicolas Holzapfel)
Date: Tue, 7 Jul 2009 22:45:18 +0100
Subject: [OpenID] email address retrieval
References: <12118b110907061041j31d101d5qb7748de2bec71353@mail.gmail.com>
Message-ID: <12118b110907071445n51363b06sbe28805eaa468973@mail.gmail.com>

> There is much, MUCH more on this to be found in the mailing list archives. If you can, please be more specific about how you hope to use E-mail addresses, and generally what you expect to be different (about the operation of your site, and/or the user's interaction with it) if you have that information versus if you do not.

The site I'm working on would use the user's email address for two purposes:

1) To send various notification emails (for example when the user receives a reply to a message)
2) Users can have administrative powers over certain groups. If a user adds or removes another user from a group he/she is administrating, then the added/removed user receives an email with the administrator's email address as a reply-to address.

So the email address certainly isn't essential for using the site, but is helpful. If it's not possible I need to know so I can make changes to the design documentation accommodating users who we cannot send email notifications to (since certain options won't be available).

> > So in the settings it would say something like "email address: contact via OpenID" but would not be able to actually state the email address?
>
> Are you thinking that, to contact a user via E-mail, you would have to contact their OP (perhaps through OAuth) and request that the OP send that user a message on your behalf?

Yes that was what I was uncertain about.
I checked the Facebook Connect sample application and that is how it *appears* to work. Do certain OPs withhold email addresses and certain OPs make them available?

> What if I don't want the *OP* to know my E-mail address, but I'm fine with *you* knowing it?

The user is free to set up an email address and password with my site and not use an OP for logging in.
From john.bradley at wingaa.com Tue Jul 7 14:56:36 2009
From: john.bradley at wingaa.com (John Bradley)
Date: Tue, 7 Jul 2009 17:56:36 -0400
Subject: [OpenID] Delegation leading to new accounts on websites
Message-ID: <2496E279-A373-4719-AD0A-CDC28F025FC2@wingaa.com>

Johnny,

It is true that the OP is validating the openid.identity but in openID 2.0 the RP can no longer trust using that as an identity.

With delegation the openid.identity is possibly an arbitrary URI that the OP will treat as a local identifier and verify but has no authority over.

If the openid.claimed_id is different from the openid.identity the RP performs discovery on the claimed_id to verify it.

So while the OP may be verifying the openid.identity no RP should assume that proves any control over that URI in openID 2.0.

The openid.claimed_id is the only identity that the RP should use. The ownership is proved via discovery independent of the OP's authority over the URI.

In some higher security applications where the RP is relying on the OP being audited against some profile (i.e. attribute verification), I can see the problem an RP may have accepting a delegated openID as conforming to some profile even if the OP conforms to the profile.

I think an OP needs to be cautious about what it asserts for a claimed_id it is not authoritative for.

That is not to say that OPs shouldn't support delegation. They just need to be cautious about their assertions, especially where PAPE or identity proofing is concerned.

John B.

> From: Johnny Bufu [johnny.bufu at gmail.com]
> Sent: Sunday, July 05, 2009 2:12 AM
> To: Andrew Arnott
> Cc: Peter Williams; general at openid.net
> Subject: Re: [OpenID] Delegation leading to new accounts on websites
>
> On 21/06/09 05:29 PM, Andrew Arnott wrote:
> > Google doesn't support delegation at all. Some concern about asserting an Identifier it has no control over...
>
> Perhaps they are just being too cautious.
> The OP's assertion is about openid.identity, which is always under their control.
>
> The end-users presenting a valid assertion issued by their OP are claiming they control the openid.claimed_id. The OP's assertion is the tool that makes the claim verifiable.
>
> An OP's (valid) assertion alone cannot be used to prove ownership of another claimed identifier without actually having control over that claimed identifier (to configure delegation to the OP).
>
> Johnny

From andrewarnott at gmail.com Thu Jul 9 09:59:55 2009
From: andrewarnott at gmail.com (Andrew Arnott)
Date: Thu, 9 Jul 2009 09:59:55 -0700
Subject: [OpenID] Google's proprietary discovery extension?
In-Reply-To: <216e54900907090958p6173707gd66e08bab74c888d@mail.gmail.com>
Message-ID: <216e54900907090959k465abe0enb4afdee36a65fa87@mail.gmail.com>

Oops.... I sent my email to the wrong list. See below.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

On Thu, Jul 9, 2009 at 9:58 AM, Andrew Arnott wrote:
> From http://www.readwriteweb.com/archives/google_to_announce_major_identity_initiative_for_1.php
>
> OpenID relying parties will need to be redirected from the domain provided at user login over to Google's OpenID service. In order for this redirect to happen, all relying parties will need to start looking for a new OpenID extension that Google has developed and implemented in conjunction with one relying party technology, JanRain's RPX.
>
> Is this just FUD about Google? I haven't heard anything about this except from this one article. And Google's own OpenID for Google Apps page says nothing about a special extension.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
From will at willnorris.com Thu Jul 9 12:15:25 2009
From: will at willnorris.com (Will Norris)
Date: Thu, 9 Jul 2009 12:15:25 -0700
Subject: [OpenID] Google's proprietary discovery extension?
In-Reply-To: <216e54900907090959k465abe0enb4afdee36a65fa87@mail.gmail.com>
References: <216e54900907090958p6173707gd66e08bab74c888d@mail.gmail.com> <216e54900907090959k465abe0enb4afdee36a65fa87@mail.gmail.com>

no, not FUD... you can go read the post from Eric Sachs on the board at openid.net mailing list. Of course, it doesn't sound like it was exactly intended to be public either.

-will

On Jul 9, 2009, at 9:59 AM, Andrew Arnott wrote:
> Oops.... I sent my email to the wrong list. See below.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
>
> On Thu, Jul 9, 2009 at 9:58 AM, Andrew Arnott wrote:
> > From http://www.readwriteweb.com/archives/google_to_announce_major_identity_initiative_for_1.php
> >
> > OpenID relying parties will need to be redirected from the domain provided at user login over to Google's OpenID service. In order for this redirect to happen, all relying parties will need to start looking for a new OpenID extension that Google has developed and implemented in conjunction with one relying party technology, JanRain's RPX.
> >
> > Is this just FUD about Google? I haven't heard anything about this except from this one article. And Google's own OpenID for Google Apps page says nothing about a special extension.
> >
> > --
> > Andrew Arnott
> > "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

From johnny.bufu at gmail.com Tue Jul 7 16:03:03 2009
From: johnny.bufu at gmail.com (Johnny Bufu)
Date: Tue, 7 Jul 2009 16:03:03 -0700
Subject: [OpenID] Delegation leading to new accounts on websites
In-Reply-To: <2496E279-A373-4719-AD0A-CDC28F025FC2@wingaa.com>
Message-ID: <20090707230302.GD19965@rationalarts.com>

On Tue, Jul 07, 2009 at 05:56:36PM -0400, John Bradley wrote:
> It is true that the OP is validating the openid.identity but in openID 2.0 the RP can no longer trust using that as an identity.

The RP is not required to trust the openid.identity; if it chooses to do so it would be out of scope of the protocol.

> With delegation the openid.identity is possibly an arbitrary URI that the OP will treat as a local identifier and verify but has no authority over.

Doesn't even have to be a URI; what matters is that the OP issues it, so they (can) have full control/authority over it if that's a concern for them.

> If the openid.claimed_id is different from the openid.identity the RP performs discovery on the claimed_id to verify it.
>
> So while the OP may be verifying the openid.identity no RP should assume that proves any control over that URI in openID 2.0.
>
> The openid.claimed_id is the only identity that the RP should use. The ownership is proved via discovery independent of the OP's authority over the URI.

Right, with the same mention that proving control over the delegated identifier / local_id is not in the scope of the protocol. There's no authoritative party defined for it; discovery is never performed on the delegated identifier.
The relationship between the delegated identifiers and the OP is unidirectional: OPs need to keep track of and recognize the local_ids they have issued (just like any other user/account identifiers), but the local_id is not required to be discoverable and point back to the OP (and there is no reason for the RP, as far as the protocol is concerned, to expect this).

> In some higher security applications where the RP is relying on the OP being audited against some profile (i.e. attribute verification), I can see the problem an RP may have accepting a delegated openID as conforming to some profile even if the OP conforms to the profile.
>
> I think an OP needs to be cautious about what it asserts for a claimed_id it is not authoritative for.

I don't see an issue here either, since the delegated openid.identity is issued by the OP.

Johnny

From john.bradley at wingaa.com Tue Jul 7 16:20:49 2009
From: john.bradley at wingaa.com (John Bradley)
Date: Tue, 7 Jul 2009 19:20:49 -0400
Subject: [OpenID] Delegation leading to new accounts on websites
In-Reply-To: <20090707230302.GD19965@rationalarts.com>
Message-ID: <115AC3AA-A3FD-4C12-91CC-70B91813A3E2@wingaa.com>

Yes the delegated openid.identity is issued by the OP but in the case of delegation the openid.claimed_id is not.

If as an example we have a pseudonymous id type that an RP can request via PAPE or some other extension and someone has delegated to that OP, say Google, then Google has no control over the claimed_id and the resulting assertion may violate the non-correlation privacy policy.

If for example the OP is assessing some profile that mandates a particular password strength etc., the OP has no knowledge of how the XRD doing the delegating is secured.
I am saying that with delegation some of the security is outside of the control of the OP and hence the OP can't be authoritative for it and may not be able to make the same PAPE or other assertions regarding it.

There might be a legitimate reason for an OP not to support delegation under some limited circumstances.

However most of the time it shouldn't be a problem as long as RPs are properly validating the returned assertions and not believing the openid.identity is something it is not.

John B.

On 7-Jul-09, at 7:03 PM, Johnny Bufu wrote:
> On Tue, Jul 07, 2009 at 05:56:36PM -0400, John Bradley wrote:
> > It is true that the OP is validating the openid.identity but in openID 2.0 the RP can no longer trust using that as an identity.
>
> The RP is not required to trust the openid.identity; if it chooses to do so it would be out of scope of the protocol.
>
> > With delegation the openid.identity is possibly an arbitrary URI that the OP will treat as a local identifier and verify but has no authority over.
>
> Doesn't even have to be a URI; what matters is that the OP issues it, so they (can) have full control/authority over it if that's a concern for them.
>
> > If the openid.claimed_id is different from the openid.identity the RP performs discovery on the claimed_id to verify it.
> >
> > So while the OP may be verifying the openid.identity no RP should assume that proves any control over that URI in openID 2.0.
> >
> > The openid.claimed_id is the only identity that the RP should use. The ownership is proved via discovery independent of the OP's authority over the URI.
>
> Right, with the same mention that proving control over the delegated identifier / local_id is not in the scope of the protocol. There's no authoritative party defined for it; discovery is never performed on the delegated identifier.
>
> The relationship between the delegated identifiers and the OP is unidirectional: OPs need to keep track of and recognize the local_ids they have issued (just like any other user/account identifiers), but the local_id is not required to be discoverable and point back to the OP (and there is no reason for the RP, as far as the protocol is concerned, to expect this).
>
> > In some higher security applications where the RP is relying on the OP being audited against some profile (i.e. attribute verification), I can see the problem an RP may have accepting a delegated openID as conforming to some profile even if the OP conforms to the profile.
> >
> > I think an OP needs to be cautious about what it asserts for a claimed_id it is not authoritative for.
>
> I don't see an issue here either, since the delegated openid.identity is issued by the OP.
>
> Johnny

From sysadmin at shadowsinthegarden.com Tue Jul 7 18:53:02 2009
From: sysadmin at shadowsinthegarden.com (SitG Admin)
Date: Tue, 7 Jul 2009 18:53:02 -0700
Subject: [OpenID] email address retrieval
In-Reply-To: <12118b110907071445n51363b06sbe28805eaa468973@mail.gmail.com>
References: <12118b110907061041j31d101d5qb7748de2bec71353@mail.gmail.com> <12118b110907071445n51363b06sbe28805eaa468973@mail.gmail.com>

> > What if I don't want the *OP* to know my E-mail address, but I'm fine with *you* knowing it?
>
> The user is free to set up an email address and password with my site and not use an OP for logging in.

I'm confused. It sounded at first like you just needed that information for notification purposes, but now it looks like you also (sometimes) use it for login purposes. I'm going to recap a couple of OpenID's useful qualities:

1) Autofill of non-required (optional) personal/profile information: SREG/AX can save the user from having to type all that in.
2) Secure single-sign-on: user can have the same password for ALL their different websites, *without* risking that any of those websites (or operators), if compromised (or corrupt), can gain access to ALL their accounts.

So, then, my options with your site are to either share my address with my OP, or to just not use OpenID at all? That, frankly, sucks ;)

> Yes that was what I was uncertain about. I checked the Facebook Connect sample application and that is how it appears to work. Do certain OPs withhold email addresses and certain OPs make them available?

It's possible. The question for your site, I think, should be whether you are going to tell the user "We are sorry, but your OP (does not know / would not reveal) your E-mail address, so therefore we are not even going to give you a place to enter that information."

I suggest planning for use-cases where the user wants to use OpenID *and* give you information that their OP is not privy to.

-Shade
From john.bradley at wingaa.com Thu Jul 9 14:06:08 2009
From: john.bradley at wingaa.com (John Bradley)
Date: Thu, 9 Jul 2009 17:06:08 -0400
Subject: [OpenID] Delegation leading to new accounts on websites
Message-ID: <80199C8D-261A-432E-AEC1-BC8F714A90AB@wingaa.com>

Yes, the terminology section of the spec infers that the OP-Local Identifier is an alternate Identifier for the user at the OP. Identifiers are either XRI or http/https URL. That rules out URN or other creative things the OP may try, though that may not have been the intent of the editors.

However the point stands that the OP-Local Identifier is an identifier and not a locator. Discovery is not performed on it to determine if the OP is authoritative for it in any global way.

RPs should never trust an openid.identity in openID 2.0 flows! However they must verify that the openid.identity matches the LocalID in the XRDS if delegation is used. Otherwise directed identity by the OP will allow multiple openid.identity values to log in as that delegated claimed_id.

John B.

On 9-Jul-09, at 4:20 PM, Breno de Medeiros wrote:

> It does need to be a URI (at least for OpenID). See the spec definition of identifiers.
>
> On Tue, Jul 7, 2009 at 4:03 PM, Johnny Bufu wrote:
>> Doesn't even have to be a URI; what matters is that the OP issues it, so they (can) have full control/authority over it if that's a concern for them.
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)

From paj at pajhome.org.uk Tue Jul 7 23:34:14 2009
From: paj at pajhome.org.uk (Paul Johnston)
Date: Wed, 8 Jul 2009 13:34:14 +0700
Subject: [OpenID] What is my Google OpenID URL?
Hi,

I'm sorry for asking such an obvious question, but after considerable time spent searching for this I am unable to figure this out.

My google account name is paul.paj. I would like to login to bitbucket.org using OpenID. How do I do it?

Paul

From nicolas.holzapfel at googlemail.com Wed Jul 8 03:35:43 2009
From: nicolas.holzapfel at googlemail.com (Nicolas Holzapfel)
Date: Wed, 8 Jul 2009 11:35:43 +0100
Subject: [OpenID] email address retrieval
Message-ID: <12118b110907080335g7b3ee47cua59cd59048d1f5d8@mail.gmail.com>

2009/7/8 SitG Admin

>>> What if I don't want the *OP* to know my E-mail address, but I'm fine with *you* knowing it?
>>
>> The user is free to set up an email address and password with my site and not use an OP for logging in.
>
> I'm confused. It sounded at first like you just needed that information for notification purposes, but now it looks like you also (sometimes) use it for login purposes.

To clarify: an email address is not needed for registered purposes if using an OP for logging in.

> So, then, my options with your site are to either share my address with my OP, or to just not use OpenID at all? That, frankly, sucks ;)
>
>> Yes that was what I was uncertain about. I checked the Facebook Connect sample application and that is how it *appears* to work. Do certain OPs withhold email addresses and certain OPs make them available?
>
> It's possible. The question for your site, I think, should be whether you are going to tell the user "We are sorry, but your OP (does not know / would not reveal) your E-mail address, so therefore we are not even going to give you a place to enter that information."
> I suggest planning for use-cases where the user wants to use OpenID *and* give you information that their OP is not privy to.

Yep, you're right. I hadn't thought things through properly. Thanks for the feedback.

From esachs at google.com Thu Jul 9 18:38:01 2009
From: esachs at google.com (Eric Sachs)
Date: Thu, 9 Jul 2009 18:38:01 -0700
Subject: [OpenID] What is my Google OpenID URL?

If you create a blog on Google's blogger service, then you can type the name of that blog into OpenID login boxes.

If you are willing to be really geeky, type in https://www.google.com/accounts/o8/id. That points to the generic Google identity provider, and you will be redirected back with an opaque identifier. But we don't actually expect anyone to know to do that which is why a lot of OpenID relying parties are supporting other user interfaces with buttons for Google. For example, see http://uservoice.com/session/new

Similarly a lot of blogs allow you to comment and identify you with an OpenID URL, and while you can try one of the tricks above, many of the blog commenting interfaces also include buttons (or the NASCAR style UI as the community likes to call it) to help users navigate their way through.

On Tue, Jul 7, 2009 at 11:34 PM, Paul Johnston wrote:

> Hi,
>
> I'm sorry for asking such an obvious question, but after considerable time spent searching for this I am unable to figure this out.
>
> My google account name is paul.paj. I would like to login to bitbucket.org using OpenID. How do I do it?
>
> Paul
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
From andrewarnott at gmail.com Thu Jul 9 19:16:39 2009
From: andrewarnott at gmail.com (Andrew Arnott)
Date: Thu, 9 Jul 2009 19:16:39 -0700
Subject: [OpenID] What is my Google OpenID URL?
Message-ID: <216e54900907091916y4ac52a70u9a2948d3873f408c@mail.gmail.com>

Note that using your Blogger blog URL is *not* equivalent to using https://www.google.com/accounts/o8/id. Besides the user interface of the login experience being completely different, Blogger's Provider is only an OpenID 1.1 provider, whereas Google's https://www.google.com/accounts/o8/id OpenID Provider is a more secure OpenID 2.0 provider.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

On Thu, Jul 9, 2009 at 6:38 PM, Eric Sachs wrote:

> If you create a blog on Google's blogger service, then you can type the name of that blog into OpenID login boxes.
>
> If you are willing to be really geeky, type in https://www.google.com/accounts/o8/id. That points to the generic Google identity provider, and you will be redirected back with an opaque identifier. But we don't actually expect anyone to know to do that which is why a lot of OpenID relying parties are supporting other user interfaces with buttons for Google. For example, see http://uservoice.com/session/new
>
> Similarly a lot of blogs allow you to comment and identify you with an OpenID URL, and while you can try one of the tricks above, many of the blog commenting interfaces also include buttons (or the NASCAR style UI as the community likes to call it) to help users navigate their way through.
> On Tue, Jul 7, 2009 at 11:34 PM, Paul Johnston wrote:
>
>> Hi,
>>
>> I'm sorry for asking such an obvious question, but after considerable time spent searching for this I am unable to figure this out.
>>
>> My google account name is paul.paj. I would like to login to bitbucket.org using OpenID. How do I do it?
>>
>> Paul

From csit2009.cfp at gmail.com Wed Jul 8 20:09:13 2009
From: csit2009.cfp at gmail.com
Date: Thu, 9 Jul 2009 11:09:13 +0800
Subject: [OpenID] [CFP] 11th Cross-Strait Information Technology Conference (CSIT 2009)
Message-ID: <73213e120907082009r5957f370j9f37e9a7d3035b98@mail.gmail.com>

Dear Colleagues,

Please help distribute the CFP and consider submitting one or more papers to the 11th Cross-Strait Information Technology Conference (CSIT 2009), which will be held on December 6-10, 2009, in National Central University, Taiwan.

Thank you very much for your help.

Best wishes,
CSIT 2009 Program Committee

================ CALL FOR PAPERS =========================
The 11th Cross-Strait Information Technology Conference (CSIT 2009)
National Central University, Jhongli, Taiwan
December 6 ~ 10, 2009
http://acnlab.csie.ncu.edu.tw/CSIT2009
========================================================

Purpose and Scope

CSIT is a conference held annually in turn in Mainland China and in Taiwan. CSIT is dedicated to research in the fields of Information Technology, particularly Computer Science, Computer Engineering, Electrical Engineering, and Communications. To adhere to the theme of earlier CSIT conferences, the 11th CSIT is intended to provide a global forum for scholars and researchers to present and to discuss state-of-the-art research results. Papers of original and unpublished new ideas are solicited to submit to CSIT in order to promote the research and development of Information Technology on both sides of the Strait.
Topics of interest include, but are not limited to:
- Bioinformatics
- Communications
- Computer Networks
- Database and Data Mining
- E-Learning
- Grid Computing and Cloud Computing
- Image Processing
- Medical Informatics and Medical Engineering
- Microwave/Millimeter Wave Devices and Circuits
- Multimedia
- Network Security
- P2P Networks
- RF/Communication ICs
- Signal Processing
- Software Engineering
- Vehicular Ad Hoc Networks
- Wireless, Sensor, and Mobile Ad Hoc Networks

Paper Submission

1. Authors are invited to submit original and unpublished research manuscripts. Submitted manuscripts must be written in English, Traditional Chinese or Simplified Chinese. All submitted manuscripts will be reviewed by two or three publication committee members. Selected papers in English will be considered for possible publication in a special issue of Journal of Information Science and Engineering, which is SCI indexed (pending).

2. Submitted manuscripts should not be more than eight single-spaced and two-column A4-size pages inclusive of figures, tables, and references, and should comply with IEEE conference formats. To submit a paper for CSIT 2009, please visit the official CSIT 2009 web site at http://acnlab.csie.ncu.edu.tw/CSIT2009.

Important Dates
Submission Deadline: September 1, 2009
Notification of Acceptance: October 1, 2009

From esachs at google.com Thu Jul 9 10:14:35 2009
From: esachs at google.com (Eric Sachs)
Date: Thu, 9 Jul 2009 10:14:35 -0700
Subject: [OpenID] Google's proprietary discovery extension?

>> I haven't heard anything about this except from this one article.

In terms of more background on the evolving discovery standards, the best information is actually on a blog run by Eran Hammer-Lahav at Yahoo who has led a lot of the work in this space. Here is a hyperlink which will show you all the blog posts he has done about "discovery" and he has done a good job of trying to provide background.
http://www.hueniverse.com/hueniverse/discovery/

Note though that this work is not specific to OpenID, but instead is to try to provide a generic discovery mechanism that can be used by multiple protocols.

If you want to join some of the discussions, here are links to a few threads:
http://lists.oasis-open.org/archives/xri/200905/msg00025.html
http://markmail.org/message/rup4ikec43bk4wkg
http://markmail.org/message/5ckiqdzjguipa3qf

We do still want more community discussions about discovery, and its application to OpenID. While these standards are being refined, we are providing a proof-of-concept implementation of a next-generation OpenID discovery protocol. While some of the details of this proof-of-concept implementation are different from what the eventual standards are likely to look like (e.g., we're using XRDS instead of XRD for discovery documents, and are using temporary namespaces), we believe all the necessary pieces are there.
For nitty gritty details, see http://sites.google.com/site/oauthgoog/fedlogininterp/openiddiscovery

On Thu, Jul 9, 2009 at 9:59 AM, Andrew Arnott wrote:

> Oops.... I sent my email to the wrong list. See below.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
>
> On Thu, Jul 9, 2009 at 9:58 AM, Andrew Arnott wrote:
>
>> From http://www.readwriteweb.com/archives/google_to_announce_major_identity_initiative_for_1.php
>>
>> OpenID relying parties will need to be redirected from the domain provided at user login over to Google's OpenID service. In order for this redirect to happen, all relying parties will need to start looking for a new OpenID extension that Google has developed and implemented in conjunction with one relying party technology, JanRain's RPX.
>>
>> Is this just FUD about Google? I haven't heard anything about this except from this one article. And Google's own OpenID for Google Apps page says nothing about a special extension.
>>
>> --
>> Andrew Arnott
>> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

From breno at google.com Thu Jul 9 13:20:07 2009
From: breno at google.com (Breno de Medeiros)
Date: Thu, 9 Jul 2009 13:20:07 -0700
Subject: [OpenID] Delegation leading to new accounts on websites
Message-ID: <29fb00360907091320n69cacd6cp9acfe7fdfb44a7cc@mail.gmail.com>

It does need to be a URI (at least for OpenID). See the spec definition of identifiers.

On Tue, Jul 7, 2009 at 4:03 PM, Johnny Bufu wrote:

> Doesn't even have to be a URI; what matters is that the OP issues it, so they (can) have full control/authority over it if that's a concern for them.

--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)

From chris.messina at gmail.com Thu Jul 9 15:41:46 2009
From: chris.messina at gmail.com (Chris Messina)
Date: Thu, 9 Jul 2009 15:41:46 -0700
Subject: [OpenID] What is my Google OpenID URL?
Message-ID: <1bc4603e0907091541p2b4adebdiebbd879c92543340@mail.gmail.com>

Try http://bit.ly/gopenid, short for https://www.google.com/accounts/o8/id

Chris

On Tue, Jul 7, 2009 at 11:34 PM, Paul Johnston wrote:

> Hi,
>
> I'm sorry for asking such an obvious question, but after considerable time spent searching for this I am unable to figure this out.
>
> My google account name is paul.paj. I would like to login to bitbucket.org using OpenID. How do I do it?
>
> Paul

--
Chris Messina
Open Web Advocate

Personal site: http://factoryjoe.com
Twitter: http://twitter.com/chrismessina

Diso Project: http://diso-project.org
OpenID Foundation: http://openid.net

This email is:   [ ] bloggable    [X] ask first   [ ] private

From breno at google.com Thu Jul 9 15:42:45 2009
From: breno at google.com (Breno de Medeiros)
Date: Thu, 9 Jul 2009 15:42:45 -0700
Subject: [OpenID] What is my Google OpenID URL?
Message-ID: <29fb00360907091542v40d49848ycddc8bd4edb13cfc@mail.gmail.com>

Enter this https://www.google.com/accounts/o8/id in the URL field.

On Tue, Jul 7, 2009 at 11:34 PM, Paul Johnston wrote:

> Hi,
>
> I'm sorry for asking such an obvious question, but after considerable time spent searching for this I am unable to figure this out.
>
> My google account name is paul.paj. I would like to login to bitbucket.org using OpenID. How do I do it?
>
> Paul

--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)

From mart at degeneration.co.uk Thu Jul 9 16:29:46 2009
From: mart at degeneration.co.uk (Martin Atkins)
Date: Thu, 09 Jul 2009 16:29:46 -0700
Subject: [OpenID] What is my Google OpenID URL?
Message-ID: <4A567D6A.4050103@degeneration.co.uk>

Paul Johnston wrote:
> Hi,
>
> I'm sorry for asking such an obvious question, but after considerable
> time spent searching for this I am unable to figure this out.
>
> My google account name is paul.paj. I would like to login to
> bitbucket.org using OpenID. How do I do it?
>

Google expects you to use the "Directed Identity" feature to sign in with your Google account. Enter into the box the following string:

    https://www.google.com/accounts/o8/id

...and you should end up logged in as a URL at google.com with a humongous string of hexadecimal gibberish on the end of it. That URL is your Google OpenID URL.

This will only work if bitbucket.org supports OpenID 2.0.

From pwilliams at rapattoni.com Thu Jul 9 20:24:01 2009
From: pwilliams at rapattoni.com (Peter Williams)
Date: Thu, 9 Jul 2009 20:24:01 -0700
Subject: [OpenID] What is my Google OpenID URL?
In-Reply-To: <216e54900907091916y4ac52a70u9a2948d3873f408c@mail.gmail.com>
References: <216e54900907091916y4ac52a70u9a2948d3873f408c@mail.gmail.com>

Come on Google, it takes you 10s to have a redirector URL (op.google.com, perhaps?) redirect to https://www.google.com/accounts/o8/id. Conforming RPs are required to follow the redirect before detecting that the XRD at that address is a law#4-capable OP, vs a user.

http://tinyurl.com/googop now produces:

<?xml version="1.0" encoding="UTF-8" ?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
    </Service>
  </XRD>
</xrds:XRDS>

I'm sure Google can do better than tinyurl.com!

How about op.google.com?!
________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Andrew Arnott [andrewarnott at gmail.com]
Sent: Thursday, July 09, 2009 7:16 PM
To: Eric Sachs
Cc: general at openid.net; Paul Johnston
Subject: Re: [OpenID] What is my Google OpenID URL?

Note that using your Blogger blog URL is not equivalent to using https://www.google.com/accounts/o8/id. Besides the user interface of the login experience being completely different, Blogger's Provider is only an OpenID 1.1 provider, whereas Google's https://www.google.com/accounts/o8/id OpenID Provider is a more secure OpenID 2.0 provider.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


On Thu, Jul 9, 2009 at 6:38 PM, Eric Sachs wrote:
If you create a blog on Google's blogger service, then you can type the name of that blog into OpenID login boxes.

If you are willing to be really geeky, type in https://www.google.com/accounts/o8/id. That points to the generic Google identity provider, and you will be redirected back with an opaque identifier. But we don't actually expect anyone to know to do that which is why a lot of OpenID relying parties are supporting other user interfaces with buttons for Google. For example, see http://uservoice.com/session/new

Similarly a lot of blogs allow you to comment and identify you with an OpenID URL, and while you can try one of the tricks above, many of the blog commenting interfaces also include buttons (or the NASCAR style UI as the community likes to call it) to help users navigate their way through.

On Tue, Jul 7, 2009 at 11:34 PM, Paul Johnston wrote:
Hi,

I'm sorry for asking such an obvious question, but after considerable time spent searching for this I am unable to figure this out.

My google account name is paul.paj. I would like to login to bitbucket.org using OpenID. How do I do it?
Paul

From andrewarnott at gmail.com Thu Jul 9 20:29:50 2009
From: andrewarnott at gmail.com (Andrew Arnott)
Date: Thu, 9 Jul 2009 20:29:50 -0700
Subject: [OpenID] What is my Google OpenID URL?
References: <216e54900907091916y4ac52a70u9a2948d3873f408c@mail.gmail.com>
Message-ID: <216e54900907092029m765e0b67ked832fcf56e4cddb@mail.gmail.com>

Wow. I'm going to have to use that tinyurl everywhere now. :-p

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


On Thu, Jul 9, 2009 at 8:24 PM, Peter Williams wrote:
> Come on Google, it takes you 10s to have a redirector URL (op.google.com,
> perhaps?) redirect to https://www.google.com/accounts/o8/id.
> Conforming RPs are required to follow the redirect before detecting that the
> XRD at that address is a law#4-capable OP, vs a user.
>
> http://tinyurl.com/googop now produces:
>
> <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
>   <XRD>
>     <Service priority="0">
>       <Type>http://specs.openid.net/auth/2.0/server</Type>
>       <Type>http://openid.net/srv/ax/1.0</Type>
>       <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
>       <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
>       <Type>http://specs.openid.net/extensions/pape/1.0</Type>
>       <URI>https://www.google.com/accounts/o8/ud</URI>
>     </Service>
>   </XRD>
> </xrds:XRDS>
>
> I'm sure Google can do better than tinyurl.com!
>
> How about op.google.com?!
>
> ________________________________
> From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of
> Andrew Arnott [andrewarnott at gmail.com]
> Sent: Thursday, July 09, 2009 7:16 PM
> To: Eric Sachs
> Cc: general at openid.net; Paul Johnston
> Subject: Re: [OpenID] What is my Google OpenID URL?
>
> Note that using your Blogger blog URL is not equivalent to using
> https://www.google.com/accounts/o8/id. Besides the user interface of the
> login experience being completely different, Blogger's Provider is only an
> OpenID 1.1 provider, whereas Google's
> https://www.google.com/accounts/o8/id OpenID Provider is a more secure
> OpenID 2.0 provider.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
>
>
> On Thu, Jul 9, 2009 at 6:38 PM, Eric Sachs wrote:
> If you create a blog on Google's blogger service, then you can type the
> name of that blog into OpenID login boxes.
>
> If you are willing to be really geeky, type in
> https://www.google.com/accounts/o8/id. That points to the generic Google
> identity provider, and you will be redirected back with an opaque
> identifier. But we don't actually expect anyone to know to do that which is
> why a lot of OpenID relying parties are supporting other user interfaces
> with buttons for Google. For example, see
> http://uservoice.com/session/new
>
> Similarly a lot of blogs allow you to comment and identify you with an
> OpenID URL, and while you can try one of the tricks above, many of the blog
> commenting interfaces also include buttons (or the NASCAR style UI as the
> community likes to call it) to help users navigate their way through.
>
> On Tue, Jul 7, 2009 at 11:34 PM, Paul Johnston wrote:
> Hi,
>
> I'm sorry for asking such an obvious question, but after considerable
> time spent searching for this I am unable to figure this out.
>
> My google account name is paul.paj. I would like to login to
> bitbucket.org using OpenID. How do I do it?
>
> Paul
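Martin's and Peter's messages above between them describe what an RP has to do with an OP Identifier such as https://www.google.com/accounts/o8/id: fetch the XRDS, notice that the service Type says "server" (an OP, not a user), send the request with identifier_select, and then treat the claimed_id the OP hands back with suspicion until it has been re-discovered. What follows is an added example written for this archive; it is not code from the thread, from Google, or from any library named in it. The first XRDS is Peter's with the element names restored, the second XRDS (for the opaque user URL) and the ?id= value are constructed stand-ins, and the rp.example URLs are placeholders. Signature checking (association or check_authentication) is a separate step that this example does not cover.

```python
"""Added example (not from the thread or any library it names): what an RP does
with an OP Identifier such as https://www.google.com/accounts/o8/id."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

XRD_NS = "xri://$xrd*($v*2.0)"
OP_IDENTIFIER = "http://specs.openid.net/auth/2.0/server"   # URL names an OP, not a user
CLAIMED_ID = "http://specs.openid.net/auth/2.0/signon"      # URL names a user's identifier
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Peter's XRDS for https://www.google.com/accounts/o8/id, element names restored.
GOOGLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed: the XRDS one would expect at the opaque user URL Google hands back
# (Martin's "hexadecimal gibberish"); the service type is now signon, not server.
USER_XRDS = GOOGLE_XRDS.replace(OP_IDENTIFIER, CLAIMED_ID)

# Constructed stand-in for Yadis discovery over HTTP; the ?id= value is a placeholder.
SAMPLE_DOCS = {
    "https://www.google.com/accounts/o8/id": GOOGLE_XRDS,
    "https://www.google.com/accounts/o8/id?id=EXAMPLE-OPAQUE-ID": USER_XRDS,
}


def parse_xrds(xml_text):
    """Return (type_uris, endpoint) of the first OpenID 2.0 <Service> in an XRDS."""
    root = ET.fromstring(xml_text)
    for svc in root.iter("{%s}Service" % XRD_NS):
        types = [t.text.strip() for t in svc.findall("{%s}Type" % XRD_NS)]
        if OP_IDENTIFIER in types or CLAIMED_ID in types:
            return types, svc.find("{%s}URI" % XRD_NS).text.strip()
    raise ValueError("no OpenID 2.0 service in XRDS")


def demo_discover(url):
    """Discovery without the network: look the URL up in the constructed samples."""
    return parse_xrds(SAMPLE_DOCS[url])


def build_auth_request(types, endpoint, user_supplied_id, return_to, realm):
    """Build the checkid_setup URL. For an OP Identifier the RP does not yet know
    who the user is, so both identity fields carry identifier_select (an OpenID
    2.0 feature; a 1.1-only RP cannot do this, which is Martin's last point)."""
    if OP_IDENTIFIER in types:
        identity = claimed = IDENTIFIER_SELECT
    else:
        identity = claimed = user_supplied_id       # sample ignores <LocalID> delegation
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed,
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return endpoint + "?" + urlencode(params)


def verify_directed_response(resp, discover=demo_discover):
    """After identifier_select the OP fills in openid.claimed_id itself. The RP must
    re-discover that URL and confirm it really points at openid.op_endpoint;
    an RP that skips this lets any OP assert any identifier it likes."""
    claimed = resp["openid.claimed_id"]
    if claimed == IDENTIFIER_SELECT:
        return False                                # OP never picked a concrete identifier
    types, endpoint = discover(claimed)
    if OP_IDENTIFIER in types:
        return False                                # an OP Identifier is not a user
    return endpoint == resp["openid.op_endpoint"]


if __name__ == "__main__":
    types, endpoint = parse_xrds(GOOGLE_XRDS)
    print(build_auth_request(types, endpoint, "https://www.google.com/accounts/o8/id",
                             "https://rp.example/return", "https://rp.example/"))
```

The third branch in verify_directed_response is the one Peter alludes to: if the URL the OP asserts turns out, on discovery, to be an OP Identifier rather than a user's identifier, it must be refused, because it does not name anyone.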
From paj at pajhome.org.uk Fri Jul 10 04:14:37 2009
From: paj at pajhome.org.uk (Paul Johnston)
Date: Fri, 10 Jul 2009 18:14:37 +0700
Subject: [OpenID] What is my Google OpenID URL?
In-Reply-To: <29fb00360907091542v40d49848ycddc8bd4edb13cfc@mail.gmail.com>
References: <29fb00360907091542v40d49848ycddc8bd4edb13cfc@mail.gmail.com>

Hi,

Thanks for the help, I have now successfully used OpenID for the first time. This should be quite a help for me actually, I'm using cyber cafes a lot at the moment, and logging in separately is a pain.

Is there any reason this URL is not on openid.net? I could have got going straight away if it was.

One usability issue to be aware of - while using this from a cyber cafe in Vietnam, the page that Google presented to confirm/deny bitbucket.org was in Vietnamese, with no obvious way to change language. Not sure what to do about this, but an issue to be aware of.

Regards,

Paul

From esachs at google.com Fri Jul 10 07:16:35 2009
From: esachs at google.com (Eric Sachs)
Date: Fri, 10 Jul 2009 07:16:35 -0700
Subject: [OpenID] What is my Google OpenID URL?
References: <29fb00360907091542v40d49848ycddc8bd4edb13cfc@mail.gmail.com>

>> One usability issue to be aware of - while using this from a cyber cafe in Vietnam, the page that Google presented to confirm/deny bitbucket.org was in Vietnamese, with no obvious way to change language

Good point, I don't think that has been reported before, so we'll look into it.

On Fri, Jul 10, 2009 at 4:14 AM, Paul Johnston wrote:
> Hi,
>
> Thanks for the help, I have now successfully used OpenID for the first
> time. This should be quite a help for me actually, I'm using cyber
> cafes a lot at the moment, and logging in separately is a pain.
>
> Is there any reason this URL is not on openid.net? I could have got
> going straight away if it was.
>
> One usability issue to be aware of - while using this from a cyber
> cafe in Vietnam, the page that Google presented to confirm/deny
> bitbucket.org was in Vietnamese, with no obvious way to change
> language. Not sure what to do about this, but an issue to be aware of.
>
> Regards,
>
> Paul

From timan at rebelic.nl Fri Jul 10 07:40:02 2009
From: timan at rebelic.nl (Timan Rebel / Rebelic)
Date: Fri, 10 Jul 2009 16:40:02 +0200
Subject: [OpenID] Why use SREG instead of AX?

I know what AX and SREG do and that SREG is more limited than AX is. But what I can't figure out is why you would use SREG, when AX is superior? Besides the fact that SREG is used by more Identity Providers... I've been Googling on this for two days, but can't figure it out...

Can someone help me out?

with kind regards,

Timan Rebel

From andrewarnott at gmail.com Fri Jul 10 07:42:41 2009
From: andrewarnott at gmail.com (Andrew Arnott)
Date: Fri, 10 Jul 2009 07:42:41 -0700
Subject: [OpenID] Why use SREG instead of AX?
Message-ID: <216e54900907100742y242e4498g942d92d7e5b82a31@mail.gmail.com>

There is actually one feature sreg has that AX doesn't: privacy policy URL of the RP.

Yes, AX is "superior" in most respects, but as a result it is vastly more complex to support and use. Since most Providers are barely willing to disclose a user's email and a few more basic bits that sreg covers, there's been no compelling reason to switch to AX yet. Especially since no one at all supports the "push" half of the extension.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


On Fri, Jul 10, 2009 at 7:40 AM, Timan Rebel / Rebelic wrote:
> I know what AX and SREG do and that SREG is more limited than AX is. But
> what I can't figure out is why you would use SREG, when AX is superior?
> Besides the fact that SREG is used by more Identity Providers... I've been
> Googling on this for two days, but can't figure it out...
> Can someone help me out?
>
> with kind regards,
>
> Timan Rebel

From sappenin at gmail.com Fri Jul 10 07:50:57 2009
From: sappenin at gmail.com (David Fuelling)
Date: Fri, 10 Jul 2009 14:50:57 +0000
Subject: [OpenID] Why use SREG instead of AX?
In-Reply-To: <216e54900907100742y242e4498g942d92d7e5b82a31@mail.gmail.com>
References: <216e54900907100742y242e4498g942d92d7e5b82a31@mail.gmail.com>
Message-ID: <51dae84d0907100750x6713d62du12a1ed6293519980@mail.gmail.com>

On Fri, Jul 10, 2009 at 2:42 PM, Andrew Arnott wrote:
> There is actually one feature sreg has that AX doesn't: privacy policy URL
> of the RP.
>

Why can't AX support a privacy policy URL? Is it a matter of not having a commonly agreed upon attribute type-name?
From andrewarnott at gmail.com Fri Jul 10 07:53:21 2009
From: andrewarnott at gmail.com (Andrew Arnott)
Date: Fri, 10 Jul 2009 07:53:21 -0700
Subject: [OpenID] Why use SREG instead of AX?
In-Reply-To: <51dae84d0907100750x6713d62du12a1ed6293519980@mail.gmail.com>
References: <216e54900907100742y242e4498g942d92d7e5b82a31@mail.gmail.com> <51dae84d0907100750x6713d62du12a1ed6293519980@mail.gmail.com>
Message-ID: <216e54900907100753y6bee87edw7bac7828b62a8b85@mail.gmail.com>

That's one possibility. Another is to have the RP advertise its privacy policy in its own XRDS file. While the OP is already discovering the RP it can look it up. The advantage to this method is that now OPs can send unsolicited assertions to RPs and still know the privacy policy URL.

There's been a strong push lately to get the AX extension going with some kind of privacy policy URL. Some big people are behind it so I imagine it will be fixed soon.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


On Fri, Jul 10, 2009 at 7:50 AM, David Fuelling wrote:
> On Fri, Jul 10, 2009 at 2:42 PM, Andrew Arnott wrote:
>
>> There is actually one feature sreg has that AX doesn't: privacy policy URL
>> of the RP.
>>
>
> Why can't AX support a privacy policy URL? Is it a matter of not having a
> commonly agreed upon attribute type-name?
>
From gffletch at aol.com Fri Jul 10 08:07:27 2009
From: gffletch at aol.com (George Fletcher)
Date: Fri, 10 Jul 2009 11:07:27 -0400
Subject: [OpenID] Why use SREG instead of AX?
In-Reply-To: <216e54900907100753y6bee87edw7bac7828b62a8b85@mail.gmail.com>
References: <216e54900907100742y242e4498g942d92d7e5b82a31@mail.gmail.com> <51dae84d0907100750x6713d62du12a1ed6293519980@mail.gmail.com> <216e54900907100753y6bee87edw7bac7828b62a8b85@mail.gmail.com>
Message-ID: <4A57592F.4070704@aol.com>

One other issue is that AX supports multiple schema and there is currently no way for the OP to advertise which schema it's using. So an RP has to build its own mapping table to know what to send to the OP when using AX.

Thanks,
George

Andrew Arnott wrote:
> That's one possibility. Another is to have the RP advertise its
> privacy policy in its own XRDS file. While the OP is already
> discovering the RP it can look it up. The advantage to this method is
> that now OPs can send unsolicited assertions to RPs and still know the
> privacy policy URL.
>
> There's been a strong push lately to get the AX extension going with
> some kind of privacy policy URL. Some big people are behind it so I
> imagine it will be fixed soon.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the
> death your right to say it." - S. G. Tallentyre
>
>
> On Fri, Jul 10, 2009 at 7:50 AM, David Fuelling wrote:
>
> On Fri, Jul 10, 2009 at 2:42 PM, Andrew Arnott wrote:
>
> There is actually one feature sreg has that AX doesn't:
> privacy policy URL of the RP.
>
>
> Why can't AX support a privacy policy URL? Is it a matter of not
> having a commonly agreed upon attribute type-name?
>

From sysadmin at shadowsinthegarden.com Fri Jul 10 08:28:55 2009
From: sysadmin at shadowsinthegarden.com (SitG Admin)
Date: Fri, 10 Jul 2009 08:28:55 -0700
Subject: [OpenID] Why use SREG instead of AX?
In-Reply-To: <4A57592F.4070704@aol.com>
References: <216e54900907100742y242e4498g942d92d7e5b82a31@mail.gmail.com> <51dae84d0907100750x6713d62du12a1ed6293519980@mail.gmail.com> <216e54900907100753y6bee87edw7bac7828b62a8b85@mail.gmail.com> <4A57592F.4070704@aol.com>

> One other issue is that AX supports multiple schema and there is
> currently no way for the OP to advertise which schema it's using. So
> an RP has to build its own mapping table to know what to send to
> the OP when using AX.

Common key/API with "schema translation table" AX link?

-Shade

From gffletch at aol.com Fri Jul 10 08:48:00 2009
From: gffletch at aol.com (George Fletcher)
Date: Fri, 10 Jul 2009 11:48:00 -0400
Subject: [OpenID] Why use SREG instead of AX?
References: <216e54900907100742y242e4498g942d92d7e5b82a31@mail.gmail.com> <51dae84d0907100750x6713d62du12a1ed6293519980@mail.gmail.com> <216e54900907100753y6bee87edw7bac7828b62a8b85@mail.gmail.com> <4A57592F.4070704@aol.com>
Message-ID: <4A5762B0.80002@aol.com>

Sure, or just define it in the XRDS for the OP. But those aren't currently defined.

Thanks,
George

SitG Admin wrote:
>> One other issue is that AX supports multiple schema and there is
>> currently no way for the OP to advertise which schema it's using. So
>> an RP has to build its own mapping table to know what to send to the
>> OP when using AX.
>
> Common key/API with "schema translation table" AX link?
>
> -Shade
>

From andrewarnott at gmail.com Fri Jul 10 09:20:54 2009
From: andrewarnott at gmail.com (Andrew Arnott)
Date: Fri, 10 Jul 2009 09:20:54 -0700
Subject: [OpenID] Why use SREG instead of AX?
In-Reply-To: <4A5762B0.80002@aol.com>
References: <216e54900907100742y242e4498g942d92d7e5b82a31@mail.gmail.com> <51dae84d0907100750x6713d62du12a1ed6293519980@mail.gmail.com> <216e54900907100753y6bee87edw7bac7828b62a8b85@mail.gmail.com> <4A57592F.4070704@aol.com> <4A5762B0.80002@aol.com>
Message-ID: <216e54900907100920n3d101e9l27551f9eb9316249@mail.gmail.com>

George,

Are you sure they're not defined? AX has attribute Type URIs. I've been an advocate that OPs publish all their supported AX attribute Type URIs in their XRDS document so that RPs know what they might expect from the OP, as well as discern which format of type URI that OP supports. Some OPs do just this, and DotNetOpenAuth (the RP part) automatically detects this from the OP's XRDS and sends either sreg or one of the three known AX type URI formats out there based on what it sees in the XRDS.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


On Fri, Jul 10, 2009 at 8:48 AM, George Fletcher wrote:
> Sure, or just define it in the XRDS for the OP. But those aren't currently
> defined.
>
> Thanks,
> George
>
>
> SitG Admin wrote:
>
>>> One other issue is that AX supports multiple schema and there is currently
>>> no way for the OP to advertise which schema it's using. So an RP has to
>>> build its own mapping table to know what to send to the OP when using AX.
>>>
>>
>> Common key/API with "schema translation table" AX link?
>>
>> -Shade
>>
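Two points in this thread come down to the same piece of RP code: Andrew's first reply (sreg can carry the RP's policy_url, an AX fetch_request cannot) and the exchange just above about OPs publishing their AX attribute Type URIs in XRDS so an RP can tell which format to send. The following is an added example written for this archive, not code from the thread or from DotNetOpenAuth. The three AX prefixes and the attribute paths are assumed to be the "three known AX type URI formats" Andrew refers to; the Type URI list and the response dictionaries are constructed; and it adds one check nobody in the thread mentions but every RP needs: extension values are only accepted when the OP listed them in openid.signed, since anything else could have been appended to the redirect by whoever carried it.

```python
"""Added example (not from the thread or from DotNetOpenAuth): choose sreg or AX
from the Type URIs an OP publishes, build the matching request, read the answer."""

SREG_NS = "http://openid.net/extensions/sreg/1.1"
AX_NS = "http://openid.net/srv/ax/1.0"

# Assumption: these are the "three known AX type URI formats" Andrew mentions;
# all three put the same path after the prefix for the two attributes used here.
AX_PREFIXES = ("http://axschema.org/", "http://schema.openid.net/", "http://openid.net/schema/")
AX_PATHS = {"email": "contact/email", "nickname": "namePerson/friendly"}

# Constructed: Type URIs an OP might list in its XRDS, in the style Andrew advocates.
SAMPLE_OP_TYPES = [
    "http://specs.openid.net/auth/2.0/server",
    AX_NS,
    "http://schema.openid.net/contact/email",
    "http://schema.openid.net/namePerson/friendly",
]


def choose_extension(op_types):
    """Return ("sreg", None) or ("ax", prefix) from the OP's published Type URIs.
    sreg wins when advertised because its request can carry policy_url."""
    if SREG_NS in op_types:
        return "sreg", None
    if AX_NS in op_types:
        for prefix in AX_PREFIXES:
            if any(t.startswith(prefix) for t in op_types):
                return "ax", prefix
        return "ax", AX_PREFIXES[0]   # AX advertised but no attribute URIs: guess axschema.org
    return "sreg", None               # nothing advertised: sreg is the widest-deployed fallback


def build_extension_params(kind, ax_prefix, wanted, policy_url):
    """Extension parameters to append to the checkid_setup request."""
    if kind == "sreg":
        return {
            "openid.ns.sreg": SREG_NS,
            "openid.sreg.required": ",".join(wanted),
            "openid.sreg.policy_url": policy_url,   # the field AX has no equivalent of
        }
    params = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request",
              "openid.ax.required": ",".join(wanted)}
    for name in wanted:
        params["openid.ax.type." + name] = ax_prefix + AX_PATHS[name]
    return params   # no slot for policy_url anywhere in an AX fetch_request


def extract_attributes(resp, wanted):
    """Map the OP's response back to canonical names whichever extension and AX
    prefix it used, keeping only fields the OP listed in openid.signed."""
    signed = set(resp.get("openid.signed", "").split(","))

    def trusted(key):   # openid.signed names fields without their "openid." prefix
        return key in resp and key[len("openid."):] in signed

    aliases = {v: k[len("openid.ns."):] for k, v in resp.items() if k.startswith("openid.ns.")}
    out = {}
    if SREG_NS in aliases:
        a = aliases[SREG_NS]
        for name in wanted:
            key = "openid.%s.%s" % (a, name)
            if trusted(key):
                out[name] = resp[key]
    if AX_NS in aliases:
        a = aliases[AX_NS]
        by_path = {path: name for name, path in AX_PATHS.items()}
        for key, type_uri in resp.items():
            if not key.startswith("openid.%s.type." % a):
                continue
            alias = key.rsplit(".", 1)[1]
            path = next((type_uri[len(p):] for p in AX_PREFIXES if type_uri.startswith(p)), None)
            name = by_path.get(path)
            value_key = "openid.%s.value.%s" % (a, alias)
            if name in wanted and trusted(key) and trusted(value_key):
                out[name] = resp[value_key]
    return out


if __name__ == "__main__":
    kind, prefix = choose_extension(SAMPLE_OP_TYPES)
    print(kind, prefix)
    print(build_extension_params(kind, prefix, ["email", "nickname"], "https://rp.example/privacy"))
```

George's objection still stands for an OP with hundreds of attributes: the prefix scan above is the pattern matching he describes, and a single schema URI in the XRDS would replace it. Until then, an RP that picks the format from the advertised URIs and ignores unsigned values is about as good as it gets.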

From atom at yahoo-inc.com Fri Jul 10 09:27:27 2009
From: atom at yahoo-inc.com (Allen Tom)
Date: Fri, 10 Jul 2009 09:27:27 -0700
Subject: [OpenID] Why use SREG instead of AX?
In-Reply-To: <51dae84d0907100750x6713d62du12a1ed6293519980@mail.gmail.com>
References: <216e54900907100742y242e4498g942d92d7e5b82a31@mail.gmail.com> <51dae84d0907100750x6713d62du12a1ed6293519980@mail.gmail.com>
Message-ID: <4A576BEF.80908@yahoo-inc.com>

We'd have to revise the AX spec to support the privacy policy url. The Yahoo OP is currently testing the SREG extension, and our lawyers really like how we're able to link to the RP's privacy policy. It was very unfortunate that this feature was omitted in AX.

Moving forward, it probably makes more sense to make the RP's privacy policy discoverable, rather than putting it into AX.

In either case, either the AX or Discovery spec has to be updated, and there's a pretty big overhead to spinning up a new working group to do this. A very expedient "hack" would be to put it into the UI Extension, since the UI Extension is currently a work in progress, but there's not all that much consensus to do this.

Allen

David Fuelling wrote:
> On Fri, Jul 10, 2009 at 2:42 PM, Andrew Arnott wrote:
>
> There is actually one feature sreg has that AX doesn't: privacy
> policy URL of the RP.
>
>
> Why can't AX support a privacy policy URL? Is it a matter of not
> having a commonly agreed upon attribute type-name?
> ------------------------------------------------------------------------ > > _______________________________________________ > general mailing list > general at openid.net > http://openid.net/mailman/listinfo/general > --------------010406010200080203070200 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit We'd have to revise the AX spec to support he privacy policy url. The Yahoo OP is currently testing the SREG extension, and our lawyers really like how we're able to link to the RP's privacy policy. It was very unfortunate that this feature was omitted in AX.

Moving forward, it probably makes more sense to make the RP's privacy policy discoverable, rather than putting into AX.

In either case, either the AX or Discovery spec has to be updated, and there's a pretty big overhead to spinning up a new working group to do this. A very expedient "hack" would be to put it into the UI Extension, since the UI Extension is currently a work in progress, but there's not all that much consensus to do this.

Allen


David Fuelling wrote:
On Fri, Jul 10, 2009 at 2:42 PM, Andrew Arnott <andrewarnott at gmail.com> wrote:
There is actually one feature sreg has that AX doesn't: privacy policy URL of the RP.  


Why can't AX support a privacy policy URL?  Is it a matter of not having a commonly agreed upon attribute type-name?

_______________________________________________ general mailing list general at openid.net http://openid.net/mailman/listinfo/general

From gffletch at aol.com Fri Jul 10 09:29:34 2009
From: gffletch at aol.com (George Fletcher)
Date: Fri, 10 Jul 2009 12:29:34 -0400
Subject: [OpenID] Why use SREG instead of AX?
Message-ID: <4A576C6E.8030506@aol.com>

That will work (though I don't remember seeing any at the time we were implementing OpenID 2.0 RP support). If I understand correctly, you are doing some pattern matching against the Type URIs to determine which schema is being used. Also, if the OP supports 10s or 100s of attributes then this gets pretty ugly. I'd prefer a single URI that represents the schema being used. The rest is pretty simple from there.

Of course it's possible I misunderstood.

Thanks,
George

Andrew Arnott wrote:
> George,
>
> Are you sure they're not defined? AX has attribute Type URIs. I've
> been an advocate that OPs publish all their supported AX attribute
> Type URIs in their XRDS document so that RPs know what they might
> expect from the OP, as well as discern which format of type URI that
> OP supports. Some OPs do just this, and DotNetOpenAuth (the RP part)
> automatically detects this from the OP's XRDS and sends either sreg or
> one of the three known AX type URI formats out there based on what it
> sees in the XRDS.
>
> --
> Andrew Arnott
>
> On Fri, Jul 10, 2009 at 8:48 AM, George Fletcher wrote:
>
>     Sure, or just define it in the XRDS for the OP. But those aren't
>     currently defined.
>
>     Thanks,
>     George
>
>     SitG Admin wrote:
>
>         One other issue is that AX supports multiple schema and
>         there is currently no way for the OP to advertise which
>         schema it's using. So an RP has to build its own mapping
>         table to know what to send to the OP when using AX.
>
>         Common key/API with "schema translation table" AX link?
>
>         -Shade

From andrewarnott at gmail.com Fri Jul 10 09:34:40 2009
From: andrewarnott at gmail.com (Andrew Arnott)
Date: Fri, 10 Jul 2009 09:34:40 -0700
Subject: [OpenID] Why use SREG instead of AX?
Message-ID: <216e54900907100934o4806eb7dy730b3bdfbc8acb9b@mail.gmail.com>

Presumably the RP has downloaded the OP's entire XRDS document. In that case, the RP just looks through the type URIs advertised until it finds a single AX attribute Type URI that matches any of the known three patterns, then it chooses that pattern to use. I don't think that's ugly, personally, even if there were 100 type URIs to sift through. But I've never seen an OP advertise that many type URIs, so it doesn't seem to be too much of a problem.

Rather than standardizing on a new type URI to indicate which pattern to use, which would require some work and agreement, we could expend that same effort just standardizing on a single pattern that everyone should use.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

On Fri, Jul 10, 2009 at 9:29 AM, George Fletcher wrote:
> That will work (though I don't remember seeing any at the time we were
> implementing OpenID 2.0 RP support). If I understand correctly, you are
> doing some pattern matching against the Type URIs to determine which schema
> is being used. Also, if the OP supports 10s or 100s of attributes then this
> gets pretty ugly. I'd prefer a single URI that represents the schema being
> used. The rest is pretty simple from there.
>
> Of course it's possible I misunderstood.
>
> Thanks,
> George
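The RP-side sniffing Andrew describes (pick the AX type-URI pattern from whatever the OP's XRDS advertises, one attribute URI being enough) together with the SREG fallback that carries the privacy policy URL Allen Tom misses in AX, as an added example that is not code from this thread, from DotNetOpenAuth or from any OP; it also maps a fetch_response back by type URI, which the thread does not discuss. Assumptions the thread never states: the three AX prefixes are the ones DotNetOpenAuth documents (axschema.org, schema.openid.net, openid.net/schema), the openid.net/schema attribute paths are from memory and should be checked against the registry proposal, and the XRDS documents and response parameters are constructed samples.

```python
"""Added example, not code from this thread, DotNetOpenAuth or any OP: an RP-side
helper that sniffs which AX type-URI pattern an OP advertises in its XRDS, builds
the matching AX fetch_request, and otherwise falls back to SREG, which (unlike AX)
carries the RP's privacy policy URL as openid.sreg.policy_url.
Assumptions not stated on the page: the three AX prefixes are the ones
DotNetOpenAuth documents; the openid.net/schema paths are from memory; the XRDS
documents and response parameters are constructed samples."""
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
AX_NS = "http://openid.net/srv/ax/1.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"
SREG_SERVICE_TYPES = (SREG_NS, "http://openid.net/sreg/1.0")

# Shade's "mapping table": canonical name -> path under each known prefix.
# axschema.org and schema.openid.net share paths; openid.net/schema differs.
SCHEMAS = {
    "http://axschema.org/": {"email": "contact/email", "nickname": "namePerson/friendly"},
    "http://schema.openid.net/": {"email": "contact/email", "nickname": "namePerson/friendly"},
    "http://openid.net/schema/": {"email": "contact/internet/email", "nickname": "namePerson/friendly"},
}
DEFAULT_SCHEMA = "http://axschema.org/"  # OP advertises AX but no attribute URIs (assumption)


def advertised_types(xrds_xml):
    """Every <Type> URI in the OP's XRDS, whichever <Service> it sits in."""
    root = ET.fromstring(xrds_xml)
    return [t.text.strip() for t in root.iter("{%s}Type" % XRD_NS) if t.text]


def detect_ax_schema(types):
    """Andrew's rule: the first advertised URI matching a known prefix decides
    the schema. One attribute URI is enough, and the list is not treated as
    the complete set of attributes the OP offers."""
    for uri in types:
        for prefix in SCHEMAS:
            if uri.startswith(prefix):
                return prefix
    return None


def build_attribute_request(types, required, optional=(), policy_url=None):
    """Extension parameters to add to the checkid_setup request."""
    schema = detect_ax_schema(types)
    if schema is None and AX_NS in types:
        schema = DEFAULT_SCHEMA
    if schema is not None:
        params = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request"}
        for name in (*required, *optional):
            params["openid.ax.type." + name] = schema + SCHEMAS[schema][name]
        if required:
            params["openid.ax.required"] = ",".join(required)
        if optional:
            params["openid.ax.if_available"] = ",".join(optional)
        return params  # AX 1.0 has no slot for policy_url, which is Allen's complaint
    if any(t in types for t in SREG_SERVICE_TYPES):
        params = {"openid.ns.sreg": SREG_NS}
        if required:
            params["openid.sreg.required"] = ",".join(required)
        if optional:
            params["openid.sreg.optional"] = ",".join(optional)
        if policy_url:
            params["openid.sreg.policy_url"] = policy_url
        return params
    return {}  # neither extension advertised: ask for nothing


def parse_ax_response(params):
    """Map a fetch_response back to canonical names by type URI rather than by
    alias, so an OP answering in another schema or with its own aliases is still
    understood; unrecognised URIs are dropped. Values remain untrusted input."""
    uri_to_name = {prefix + path: name
                   for prefix, table in SCHEMAS.items() for name, path in table.items()}
    result = {}
    for key, uri in params.items():
        if key.startswith("openid.ax.type."):
            alias = key[len("openid.ax.type."):]
            name = uri_to_name.get(uri)
            value = params.get("openid.ax.value." + alias)
            if name and value is not None:
                result[name] = value
    return result


# Constructed XRDS documents standing in for three kinds of OP.
XRDS_AXSCHEMA = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>
<Service><Type>http://specs.openid.net/auth/2.0/server</Type>
<Type>http://openid.net/srv/ax/1.0</Type><Type>http://axschema.org/contact/email</Type>
<URI>https://op.example/server</URI></Service></XRD></xrds:XRDS>"""
# An OP hiding its attribute list behind a single made-up URI in another pattern.
XRDS_ONE_HINT = XRDS_AXSCHEMA.replace("http://axschema.org/contact/email",
                                      "http://schema.openid.net/x/hint")
# An OP that only supports SREG.
XRDS_SREG_ONLY = XRDS_AXSCHEMA.replace("http://axschema.org/contact/email", "").replace(
    "http://openid.net/srv/ax/1.0", "http://openid.net/extensions/sreg/1.1")
```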


From breno at google.com Fri Jul 10 09:39:43 2009
From: breno at google.com (Breno de Medeiros)
Date: Fri, 10 Jul 2009 09:39:43 -0700
Subject: [OpenID] Why use SREG instead of AX?
Message-ID: <29fb00360907100939v6469b8ebs162fa6de7dc89265@mail.gmail.com>

Agree with everything that Andrew said

On Fri, Jul 10, 2009 at 9:34 AM, Andrew Arnott wrote:
> Presumably the RP has downloaded the OP's entire XRDS document. In that
> case, the RP just looks through the type URIs advertised until it finds a
> single AX attribute Type URI that matches any of the known three patterns,
> then it chooses that pattern to use. I don't think that's ugly, personally,
> even if there were 100 type URIs to sift through. But I've never seen an OP
> advertise that many type URIs, so it doesn't seem to be too much of a
> problem.

I did not know that some libraries were doing this matching automatically, otherwise we would have added the individual type URIs to Google's XRDS document (I guess there is still time). The spec doesn't call for that explicitly.

> Rather than standardizing on a new type URI to indicate which pattern to
> use, which would require some work and agreement, we could expend that same
> effort just standardizing on a single pattern that everyone should use.

Please embrace http://wiki.openid.net/ProposalForAURLSchemaRegistry and let's get AX interoperability going.

--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
From andrewarnott at gmail.com Fri Jul 10 09:50:47 2009
From: andrewarnott at gmail.com (Andrew Arnott)
Date: Fri, 10 Jul 2009 09:50:47 -0700
Subject: [OpenID] Why use SREG instead of AX?
Message-ID: <216e54900907100950x455fb45bgd838a8a835d84164@mail.gmail.com>

Thanks, Breno. What can we, the civilians of OpenID, do to embrace that working group proposal?

--
Andrew Arnott

On Fri, Jul 10, 2009 at 9:39 AM, Breno de Medeiros wrote:
> Agree with everything that Andrew said
>
> On Fri, Jul 10, 2009 at 9:34 AM, Andrew Arnott wrote:
>
>> Presumably the RP has downloaded the OP's entire XRDS document. In that
>> case, the RP just looks through the type URIs advertised until it finds a
>> single AX attribute Type URI that matches any of the known three patterns,
>> then it chooses that pattern to use. I don't think that's ugly, personally,
>> even if there were 100 type URIs to sift through. But I've never seen an OP
>> advertise that many type URIs, so it doesn't seem to be too much of a
>> problem.
>
> I did not know that some libraries were doing this matching automatically,
> otherwise we would have added the individual type URIs to Google's XRDS
> document (I guess there is still time). The spec doesn't call for that
> explicitly.
>
>> Rather than standardizing on a new type URI to indicate which pattern to
>> use, which would require some work and agreement, we could expend that same
>> effort just standardizing on a single pattern that everyone should use.
>
> Please embrace http://wiki.openid.net/ProposalForAURLSchemaRegistry and
> let's get AX interoperability going.

--000e0cd6ad1a542cce046e5cc78d-- From gffletch at aol.com Fri Jul 10 09:51:37 2009 From: gffletch at aol.com (George Fletcher) Date: Fri, 10 Jul 2009 12:51:37 -0400 Subject: [OpenID] Why use SREG instead of AX? In-Reply-To: <29fb00360907100939v6469b8ebs162fa6de7dc89265@mail.gmail.com> References: <216e54900907100742y242e4498g942d92d7e5b82a31@mail.gmail.com> <51dae84d0907100750x6713d62du12a1ed6293519980@mail.gmail.com> <216e54900907100753y6bee87edw7bac7828b62a8b85@mail.gmail.com> <4A57592F.4070704@aol.com> <4A5762B0.80002@aol.com> <216e54900907100920n3d101e9l27551f9eb9316249@mail.gmail.com> <4A576C6E.8030506@aol.com> <216e54900907100934o4806eb7dy730b3bdfbc8acb9b@mail.gmail.com> <29fb00360907100939v6469b8ebs162fa6de7dc89265@mail.gmail.com> Message-ID: <4A577199.80306@aol.com> Sorry, didn't mean to sound like I didn't agree. I think more implementations could take the approach you've taken Andrew, and then with the registry we could simplify this so that OP's only have to publish one Type URI instead of one for each attribute. I suppose an OP that wanted to hide which attributes are available (for some privacy reason) could just add a URI to a single attribute that identifies the schema and then the RP would just send it's normal AX request asking for the data it wants. Thanks, George Breno de Medeiros wrote: > Agree with everything that Andrew said > > On Fri, Jul 10, 2009 at 9:34 AM, Andrew Arnott > wrote: > > Presumably the RP has downloaded the OP's entire XRDS document. > In that case, the RP just looks through the type URIs advertised > until it finds a single AX attribute Type URI that matches any of > the known three patterns, then it chooses that pattern to use. I > don't think that's ugly, personally, even if there were 100 type > URIs to sift through. But I've never seen an OP advertise that > many type URIs, so it doesn't seem to be too much of a problem. 
> > > I did not know that some libraries were doing this matching > automatically, otherwise we would have added the individual type URIs > to Google's XRDS document (I guess there is still time). The spec > doesn't call for that explicitly. > > > > Rather than standardizing on a new type URI to indicate which > pattern to use, which would require some work and agreement, we > could expend that same effort just standardizing on a single > pattern that everyone should use. > > > Please embrace http://wiki.openid.net/ProposalForAURLSchemaRegistry > and let's get AX interoperability going. > > > > -- > Andrew Arnott > "I [may] not agree with what you have to say, but I'll defend to > the death your right to say it." - S. G. Tallentyre > > > On Fri, Jul 10, 2009 at 9:29 AM, George Fletcher > wrote: > > That will work (though I don't remember seeing any at the time > we were implementing OpenID 2.0 RP support). If I understand > correctly, you are doing some pattern matching against the > Type URIs to determine which schema is being used. Also, if > the OP supports 10s or 100s of attributes then this gets > pretty ugly. I'd prefer a single URI the represents the schema > being used. The rest is pretty simple from there. > > Of course it's possible I misunderstood. > > > Thanks, > George > > Andrew Arnott wrote: > > George, > > Are you sure they're not defined? AX has attribute Type > URIs. I've been an advocate that OPs publish all their > supported AX attribute Type URIs in their XRDS document so > that RPs know what they might expect from the OP, as well > as discern which format of type URI that OP supports. > Some OPs do just this, and DotNetOpenAuth (the RP part) > automatically detects this from the OP's XRDS and sends > either sreg or one of the three known AX type URI formats > out there based on what it sees in the XRDS. > > -- > Andrew Arnott > "I [may] not agree with what you have to say, but I'll > defend to the death your right to say it." - S. G. 
Tallentyre > > > On Fri, Jul 10, 2009 at 8:48 AM, George Fletcher > > >> wrote: > > Sure, or just define it in the XRDS for the OP. But > those aren't > currently defined. > > Thanks, > George > > > SitG Admin wrote: > > One other issue is that AX supports multiple > schema and > there is currently no way for the OP to > advertise which > schema it's using. So an RP has to build it's > own mapping > table to know what to send to the OP when using AX. > > > Common key/API with "schema translation table" AX link? > > -Shade > > _______________________________________________ > general mailing list > general at openid.net > > > > http://openid.net/mailman/listinfo/general > > > > > > _______________________________________________ > general mailing list > general at openid.net > http://openid.net/mailman/listinfo/general > > > > > -- > --Breno > > +1 (650) 214-1007 desk > +1 (408) 212-0135 (Grand Central) > MTV-41-3 : 383-A > PST (GMT-8) / PDT(GMT-7) From andrewarnott at gmail.com Fri Jul 10 09:53:52 2009 From: andrewarnott at gmail.com (Andrew Arnott) Date: Fri, 10 Jul 2009 09:53:52 -0700 Subject: [OpenID] Why use SREG instead of AX? 
In-Reply-To: <4A577199.80306@aol.com>
References: <216e54900907100753y6bee87edw7bac7828b62a8b85@mail.gmail.com> <4A57592F.4070704@aol.com> <4A5762B0.80002@aol.com> <216e54900907100920n3d101e9l27551f9eb9316249@mail.gmail.com> <4A576C6E.8030506@aol.com> <216e54900907100934o4806eb7dy730b3bdfbc8acb9b@mail.gmail.com> <29fb00360907100939v6469b8ebs162fa6de7dc89265@mail.gmail.com> <4A577199.80306@aol.com>
Message-ID: <216e54900907100953y3c19032ar4c6af4cecf755af6@mail.gmail.com>

Hi George,

At least for DotNetOpenAuth, only one attribute Type URI in the supported format needs to be listed in the XRDS for DNOA to use that format, and it won't assume that the set of attributes in the XRDS is a comprehensive list of the attributes offered, so this isn't a problem to just list one.

In fact, since it does simple pattern matching, if for privacy reasons you wanted to hide which attributes you offer, make one up with one of the 3 patterns, and DNOA will latch onto that pattern and send its request that way.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

On Fri, Jul 10, 2009 at 9:51 AM, George Fletcher wrote:
> Sorry, didn't mean to sound like I didn't agree. I think more implementations could take the approach you've taken Andrew, and then with the registry we could simplify this so that OPs only have to publish one Type URI instead of one for each attribute. I suppose an OP that wanted to hide which attributes are available (for some privacy reason) could just add a URI to a single attribute that identifies the schema and then the RP would just send its normal AX request asking for the data it wants.
>
> Thanks,
> George
>
> Breno de Medeiros wrote:
> > Agree with everything that Andrew said
> >
> > On Fri, Jul 10, 2009 at 9:34 AM, Andrew Arnott wrote:
> > > Presumably the RP has downloaded the OP's entire XRDS document. In that case, the RP just looks through the type URIs advertised until it finds a single AX attribute Type URI that matches any of the known three patterns, then it chooses that pattern to use. I don't think that's ugly, personally, even if there were 100 type URIs to sift through. But I've never seen an OP advertise that many type URIs, so it doesn't seem to be too much of a problem.
> >
> > I did not know that some libraries were doing this matching automatically, otherwise we would have added the individual type URIs to Google's XRDS document (I guess there is still time). The spec doesn't call for that explicitly.
> >
> > > Rather than standardizing on a new type URI to indicate which pattern to use, which would require some work and agreement, we could expend that same effort just standardizing on a single pattern that everyone should use.
> >
> > Please embrace http://wiki.openid.net/ProposalForAURLSchemaRegistry and let's get AX interoperability going.
> >
> > > --
> > > Andrew Arnott
> > > "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
> > >
> > > On Fri, Jul 10, 2009 at 9:29 AM, George Fletcher wrote:
> > > > That will work (though I don't remember seeing any at the time we were implementing OpenID 2.0 RP support). If I understand correctly, you are doing some pattern matching against the Type URIs to determine which schema is being used. Also, if the OP supports 10s or 100s of attributes then this gets pretty ugly. I'd prefer a single URI that represents the schema being used. The rest is pretty simple from there.
> > > >
> > > > Of course it's possible I misunderstood.
> > > >
> > > > Thanks,
> > > > George
> > > >
> > > > Andrew Arnott wrote:
> > > > > George,
> > > > >
> > > > > Are you sure they're not defined? AX has attribute Type URIs. I've been an advocate that OPs publish all their supported AX attribute Type URIs in their XRDS document so that RPs know what they might expect from the OP, as well as discern which format of type URI that OP supports. Some OPs do just this, and DotNetOpenAuth (the RP part) automatically detects this from the OP's XRDS and sends either sreg or one of the three known AX type URI formats out there based on what it sees in the XRDS.
> > > > >
> > > > > --
> > > > > Andrew Arnott
> > > > > "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
> > > > >
> > > > > On Fri, Jul 10, 2009 at 8:48 AM, George Fletcher wrote:
> > > > > > Sure, or just define it in the XRDS for the OP. But those aren't currently defined.
> > > > > >
> > > > > > Thanks,
> > > > > > George
> > > > > >
> > > > > > SitG Admin wrote:
> > > > > > > > One other issue is that AX supports multiple schema and there is currently no way for the OP to advertise which schema it's using. So an RP has to build its own mapping table to know what to send to the OP when using AX.
> > > > > > >
> > > > > > > Common key/API with "schema translation table" AX link?
> > > > > > >
> > > > > > > -Shade
> >
> > --
> > --Breno
> >
> > +1 (650) 214-1007 desk
> > +1 (408) 212-0135 (Grand Central)
> > MTV-41-3 : 383-A
> > PST (GMT-8) / PDT(GMT-7)

From breno at google.com Fri Jul 10 10:00:05 2009
From: breno at google.com (Breno de Medeiros)
Date: Fri, 10 Jul 2009 10:00:05 -0700
Subject: [OpenID] Why use SREG instead of AX?
In-Reply-To: <216e54900907100950x455fb45bgd838a8a835d84164@mail.gmail.com>
References: <216e54900907100753y6bee87edw7bac7828b62a8b85@mail.gmail.com> <4A57592F.4070704@aol.com> <4A5762B0.80002@aol.com> <216e54900907100920n3d101e9l27551f9eb9316249@mail.gmail.com> <4A576C6E.8030506@aol.com> <216e54900907100934o4806eb7dy730b3bdfbc8acb9b@mail.gmail.com> <29fb00360907100939v6469b8ebs162fa6de7dc89265@mail.gmail.com> <216e54900907100950x455fb45bgd838a8a835d84164@mail.gmail.com>
Message-ID: <29fb00360907101000n77f57032wdd0635a60b660ff@mail.gmail.com>

For one, it would be interesting if someone with expertise on how to create lightweight processes for registration would clarify the language in that wiki document. Hopefully, it would be possible to define a process that exempts the OIDF from the burden of having to impose the current IPR policy on each contributor. (I had hoped JBradley would take that on, but he has plenty on his hands at this point).

Once that wiki page is in good shape we could spam specs@ to bless it and then we can get started right away. There is even an initial understanding to use the domain name schemas.openid.net and to host each registered URL at that domain with a description of the wire format for the attribute. So once this is up, I think progress could be made quickly.

On Fri, Jul 10, 2009 at 9:50 AM, Andrew Arnott wrote:
> Thanks, Breno. What can we, the civilians of OpenID, do to embrace that working group proposal?
> --

--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)

From pwilliams at rapattoni.com Fri Jul 10 10:16:06 2009
From: pwilliams at rapattoni.com (Peter Williams)
Date: Fri, 10 Jul 2009 10:16:06 -0700
Subject: [OpenID] Google custom discovery

Let's hope it prompts google to do much better: http://op.google.com: forming the eminently typable "op.google.com".

They might even have that redirect to http://google.com/op which they might make an xri mount point to the I-brokered authority that serves the op xrd/s. If their op is a real xri-labelled authority, a ref field in the sep can even properly provide for delegated authorization of xrd files by user authorities (which openid auth hacks up as openid delegation, when abusing the semantics of the op local id field per jonny bufu's recent message).

I don't think it's hard to meet professional security engineering standards within openid: just be complete about xri semantics (even when using http identifiers). We don't need custom extensions for discovery, particularly if they project idp-centric vs user centric identity models.

But let's wait and see how they are signing the xrd files (the way the openxri server does it (per the standard), or "otherwise"). The validity logic for verifying that signature will tell us what class of trust semantics they are working towards: google as ttp for attribute sharing, or uci.

________________________________
From: Andrew Arnott
Sent: Thursday, July 09, 2009 8:30 PM
To: Peter Williams
Cc: Eric Sachs; general at openid.net; Paul Johnston
Subject: Re: [OpenID] What is my Google OpenID URL?

Wow. I'm going to have to use that tinyurl everywhere now. :-p

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

On Thu, Jul 9, 2009 at 8:24 PM, Peter Williams wrote:
come on google, it takes you 10s to have a redirector URL (op.google.com, perhaps?) redirect to the https://www.google.com/accounts/o8/id. Conforming RPs are required to follow the redirect, before detecting that the XRD at that address is a law#4-capable OP, vs a user.

http://tinyurl.com/googop now produces

<?xml version="1.0" encoding="UTF-8" ?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
    </Service>
  </XRD>
</xrds:XRDS>

I'm sure google can do better than tinyurl.com!

How about op.google.com?!

________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Andrew Arnott [andrewarnott at gmail.com]
Sent: Thursday, July 09, 2009 7:16 PM
To: Eric Sachs
Cc: general at openid.net; Paul Johnston
Subject: Re: [OpenID] What is my Google OpenID URL?

Note that using your Blogger blog URL is not equivalent to using https://www.google.com/accounts/o8/id. Besides the user interface of the login experience being completely different, Blogger's Provider is only an OpenID 1.1 provider, whereas Google's https://www.google.com/accounts/o8/id OpenID Provider is a more secure OpenID 2.0 provider.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

On Thu, Jul 9, 2009 at 6:38 PM, Eric Sachs wrote:
If you create a blog on Google's blogger service, then you can type the name of that blog into OpenID login boxes.

If you are willing to be really geeky, type in https://www.google.com/accounts/o8/id. That points to the generic Google identity provider, and you will be redirected back with an opaque identifier. But we don't actually expect anyone to know to do that which is why a lot of OpenID relying parties are supporting other user interfaces with buttons for Google. For example, see http://uservoice.com/session/new

Similarly a lot of blogs allow you to comment and identify you with an OpenID URL, and while you can try one of the tricks above, many of the blog commenting interfaces also include buttons (or the NASCAR style UI as the community likes to call it) to help users navigate their way through.

On Tue, Jul 7, 2009 at 11:34 PM, Paul Johnston wrote:
Hi,

I'm sorry for asking such an obvious question, but after considerable time spent searching for this I am unable to figure this out.

My google account name is paul.paj. I would like to login to bitbucket.org using OpenID. How do I do it?

Paul

From esachs at google.com Fri Jul 10 10:35:34 2009
From: esachs at google.com (Eric Sachs)
Date: Fri, 10 Jul 2009 10:35:34 -0700
Subject: [OpenID] Google custom discovery

The feature in this area that we get more requests for is to support OpenID validation for the relatively new Google Profiles service, i.e. profiles.google.com, which is also a more memorable endpoint for users to type :-). That support is not yet available, but it's definitely on the list.

On Fri, Jul 10, 2009 at 10:16 AM, Peter Williams wrote:
> Let's hope it prompts google to do much better: http://op.google.com: forming the eminently typable "op.google.com".
>
> They might even have that redirect to http://google.com/op which they might make an xri mount point to the I-brokered authority that serves the op xrd/s. If their op is a real xri-labelled authority, a ref field in the sep can even properly provide for delegated authorization of xrd files by user authorities (which openid auth hacks up as openid delegation, when abusing the semantics of the op local id field per jonny bufu's recent message).
>
> I don't think it's hard to meet professional security engineering standards within openid: just be complete about xri semantics (even when using http identifiers). We don't need custom extensions for discovery, particularly if they project idp-centric vs user centric identity models.
>
> But let's wait and see how they are signing the xrd files (the way the openxri server does it (per the standard), or "otherwise"). The validity logic for verifying that signature will tell us what class of trust semantics they are working towards: google as ttp for attribute sharing, or uci.
>
> ________________________________
> From: Andrew Arnott
> Sent: Thursday, July 09, 2009 8:30 PM
> To: Peter Williams
> Cc: Eric Sachs; general at openid.net; Paul Johnston
> Subject: Re: [OpenID] What is my Google OpenID URL?
>
> Wow. I'm going to have to use that tinyurl everywhere now. :-p
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
>
> On Thu, Jul 9, 2009 at 8:24 PM, Peter Williams wrote:
> come on google, it takes you 10s to have a redirector URL (op.google.com, perhaps?) redirect to the https://www.google.com/accounts/o8/id. Conforming RPs are required to follow the redirect, before detecting that the XRD at that address is a law#4-capable OP, vs a user.
>
> http://tinyurl.com/googop now produces
>
> <?xml version="1.0" encoding="UTF-8" ?>
> <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
>   <XRD>
>     <Service priority="0">
>       <Type>http://specs.openid.net/auth/2.0/server</Type>
>       <Type>http://openid.net/srv/ax/1.0</Type>
>       <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
>       <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
>       <Type>http://specs.openid.net/extensions/pape/1.0</Type>
>       <URI>https://www.google.com/accounts/o8/ud</URI>
>     </Service>
>   </XRD>
> </xrds:XRDS>
>
> I'm sure google can do better than tinyurl.com!
>
> How about op.google.com?!
>
> ________________________________
> From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Andrew Arnott [andrewarnott at gmail.com]
> Sent: Thursday, July 09, 2009 7:16 PM
> To: Eric Sachs
> Cc: general at openid.net; Paul Johnston
> Subject: Re: [OpenID] What is my Google OpenID URL?
>
> Note that using your Blogger blog URL is not equivalent to using https://www.google.com/accounts/o8/id. Besides the user interface of the login experience being completely different, Blogger's Provider is only an OpenID 1.1 provider, whereas Google's https://www.google.com/accounts/o8/id OpenID Provider is a more secure OpenID 2.0 provider.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
>
> On Thu, Jul 9, 2009 at 6:38 PM, Eric Sachs wrote:
> If you create a blog on Google's blogger service, then you can type the name of that blog into OpenID login boxes.
>
> If you are willing to be really geeky, type in https://www.google.com/accounts/o8/id. That points to the generic Google identity provider, and you will be redirected back with an opaque identifier. But we don't actually expect anyone to know to do that which is why a lot of OpenID relying parties are supporting other user interfaces with buttons for Google. For example, see http://uservoice.com/session/new
>
> Similarly a lot of blogs allow you to comment and identify you with an OpenID URL, and while you can try one of the tricks above, many of the blog commenting interfaces also include buttons (or the NASCAR style UI as the community likes to call it) to help users navigate their way through.
>
> On Tue, Jul 7, 2009 at 11:34 PM, Paul Johnston wrote:
> Hi,
>
> I'm sorry for asking such an obvious question, but after considerable time spent searching for this I am unable to figure this out.
>
> My google account name is paul.paj. I would like to login to bitbucket.org using OpenID. How do I do it?
>
> Paul

From hostmaster at shupp.org Fri Jul 10 10:44:52 2009
From: hostmaster at shupp.org (Bill Shupp)
Date: Fri, 10 Jul 2009 10:44:52 -0700
Subject: [OpenID] Fwd: mailing list SPF problems
References: <4D2371D1-80AC-43DE-A9E9-692D74C88C26@shupp.org>

Not sure who's running this list, as I didn't get a response from general-owner at openid.net. I had to disable SPF checking in my MTA to get back on this list. If you publish SPF rules, please maintain them!

Cheers,

Bill

Begin forwarded message:

> From: Bill Shupp
> Date: July 7, 2009 6:27:01 PM PDT
> To: OpenID List
> Subject: mailing list SPF problems
>
> I noticed I haven't gotten email from the openid lists (code,general) in a while, and found this 551 error message in my qmail logs:
>
> http://www.openspf.org/Why?id=code-bounces%40openid.net&ip=140.211.166.136&receiver=0
>
> Looks like the sending host changed, and the SPF records weren't updated, so my mail system (which respects SPF rules) is rejecting them. Can the list admin get this fixed?
>
> Thanks,
>
> Bill Shupp
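Bill's bounce is the SPF failure mode in which the list's sending host changed while the published record still names only the old one. As an added example (not from the list, its software, or anyone in the thread), here is a minimal offline SPF evaluator for ip4/ip6 mechanisms and the "all" default, run against constructed records (not openid.net's real record) and the sending IP from the bounce link; the second function is the check a list operator would run before moving a list to a new host.

```python
import ipaddress

# Constructed records for illustration; neither is openid.net's real SPF record.
# The sending IP is the one named in the openspf.org bounce link above.
LIST_SENDER_IP = "140.211.166.136"
STALE_RECORD = "v=spf1 ip4:192.0.2.10 -all"                        # old host only
UPDATED_RECORD = "v=spf1 ip4:192.0.2.10 ip4:140.211.166.136 -all"  # old and new host

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral' or 'none')
    for sender_ip under record.

    Only the literal ip4/ip6 mechanisms and the 'all' default are evaluated;
    a, mx, include, exists and redirect= need DNS and are skipped, so this is
    an offline approximation of what a receiving MTA like Bill's qmail does.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]  # 'all' always matches
        if mechanism in ("ip4", "ip6") and value:
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        # any other mechanism would need a DNS lookup; skipped here
    return "neutral"  # nothing matched and no 'all' term (RFC 7208, section 4.7)


def uncovered_senders(record: str, sending_hosts) -> list:
    """Return the sending hosts that record does not 'pass': the check to run
    on the published record before (and after) the list moves to a new host."""
    return [host for host in sending_hosts if check_spf(record, host) != "pass"]


if __name__ == "__main__":
    print(check_spf(STALE_RECORD, LIST_SENDER_IP))    # fail: the bounce in the thread
    print(check_spf(UPDATED_RECORD, LIST_SENDER_IP))  # pass
    print(uncovered_senders(STALE_RECORD, ["192.0.2.10", LIST_SENDER_IP]))
```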

From santrajan at gmail.com Fri Jul 10 10:46:01 2009
From: santrajan at gmail.com (Santosh Rajan)
Date: Fri, 10 Jul 2009 10:46:01 -0700 (PDT)
Subject: [OpenID] Google custom discovery
Message-ID: <24431923.post@talk.nabble.com>

Actually why don't you do discovery on http://google.com/username
You can do that without clashing with your google.com namespace by only responding to "Accept" header request with "application/XRD". That would really make a killer OpenID.

Eric Sachs wrote:
>
> The feature in this area that we get more requests for is to support OpenID validation for the relatively new Google Profiles service, i.e. profiles.google.com, which is also a more memorable endpoint for users to type :-). That support is not yet available, but it's definitely on the list.
>
> On Fri, Jul 10, 2009 at 10:16 AM, Peter Williams wrote:
>
>> Let's hope it prompts google to do much better: http://op.google.com: forming the eminently typable "op.google.com".
>>
>> They might even have that redirect to http://google.com/op which they might make an xri mount point to the I-brokered authority that serves the op xrd/s. If their op is a real xri-labelled authority, a ref field in the sep can even properly provide for delegated authorization of xrd files by user authorities (which openid auth hacks up as openid delegation, when abusing the semantics of the op local id field per jonny bufu's recent message).
>>
>> I don't think it's hard to meet professional security engineering standards within openid: just be complete about xri semantics (even when using http identifiers). We don't need custom extensions for discovery, particularly if they project idp-centric vs user centric identity models.
>>
>> But let's wait and see how they are signing the xrd files (the way the openxri server does it (per the standard), or "otherwise"). The validity logic for verifying that signature will tell us what class of trust semantics they are working towards: google as ttp for attribute sharing, or uci.
>>
>> ________________________________
>> From: Andrew Arnott
>> Sent: Thursday, July 09, 2009 8:30 PM
>> To: Peter Williams
>> Cc: Eric Sachs ; general at openid.net ; Paul Johnston
>> Subject: Re: [OpenID] What is my Google OpenID URL?
>>
>> Wow. I'm going to have to use that tinyurl everywhere now. :-p
>>
>> --
>> Andrew Arnott
>> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
>>
>>
>> On Thu, Jul 9, 2009 at 8:24 PM, Peter Williams wrote:
>> come on google, it takes you 10s to have a redirector URL (op.google.com, perhaps?) redirect to the https://www.google.com/accounts/o8/id. Conforming RPs are required to follow the redirect, before detecting that the XRD at that address is a law#4-capable OP, vs a user.
>>
>>
>> http://tinyurl.com/googop now produces
>>
>> <?xml version="1.0" encoding="UTF-8" ?>
>> <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
>> <XRD>
>> <Service priority="0">
>>  <Type>http://specs.openid.net/auth/2.0/server</Type>
>>  <Type>http://openid.net/srv/ax/1.0</Type>
>>  <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
>>  <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
>>  <Type>http://specs.openid.net/extensions/pape/1.0</Type>
>>  <URI>https://www.google.com/accounts/o8/ud</URI>
>>  </Service>
>>  </XRD>
>>
>> I'm sure google can do better than tinyurl.com!
>>
>> How about op.google.com?!
>>
>> ________________________________
>> From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Andrew Arnott [andrewarnott at gmail.com]
>> Sent: Thursday, July 09, 2009 7:16 PM
>> To: Eric Sachs
>> Cc: general at openid.net; Paul Johnston
>> Subject: Re: [OpenID] What is my Google OpenID URL?
>>
>> Note that using your Blogger blog URL is not equivalent to using https://www.google.com/accounts/o8/id. Besides the user interface of the login experience being completely different, Blogger's Provider is only an OpenID 1.1 provider, whereas Google's https://www.google.com/accounts/o8/id OpenID Provider is a more secure OpenID 2.0 provider.
>>
>> --
>> Andrew Arnott
>> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
>>
>>
>> On Thu, Jul 9, 2009 at 6:38 PM, Eric Sachs <esachs at google.com> wrote:
>> If you create a blog on Google's blogger service, then you can type the name of that blog into OpenID login boxes.
>>
>> If you are willing to be really geeky, type in https://www.google.com/accounts/o8/id. That points to the generic Google identity provider, and you will be redirected back with an opaque identifier. But we don't actually expect anyone to know to do that which is why a lot of OpenID relying parties are supporting other user interfaces with buttons for Google. For example, see http://uservoice.com/session/new
>>
>> Similarly a lot of blogs allow you to comment and identify you with an OpenID URL, and while you can try one of the tricks above, many of the blog commenting interfaces also include buttons (or the NASCAR style UI as the community likes to call it) to help users navigate their way through.
>>
>> On Tue, Jul 7, 2009 at 11:34 PM, Paul Johnston <paj at pajhome.org.uk> wrote:
>> Hi,
>>
>> I'm sorry for asking such an obvious question, but after considerable time spent searching for this I am unable to figure this out.
>>
>> My google account name is paul.paj. I would like to login to bitbucket.org using OpenID. How do I do it?
>>
>> Paul
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>

-----
Santosh Rajan
http://santrajan.blogspot.com
--
View this message in context: http://www.nabble.com/Google-custom-discovery-tp24431509p24431923.html
Sent from the OpenID - General mailing list archive at Nabble.com.

From esachs at google.com Fri Jul 10 11:10:00 2009
From: esachs at google.com (Eric Sachs)
Date: Fri, 10 Jul 2009 11:10:00 -0700
Subject: [OpenID] Google custom discovery
In-Reply-To: <24431923.post@talk.nabble.com>
References: <24431923.post@talk.nabble.com>

Only a subset of GoogleProfile users register a username, but yes, for those users that is the common request we get.

On Fri, Jul 10, 2009 at 10:46 AM, Santosh Rajan <santrajan at gmail.com> wrote:
>
> Actually why don't you do discovery on http://google.com/username
> You can do that without clashing with your google.com namespace by only responding to "Accept" header request with "application/XRD". That would really make a killer OpenID.
>
>
> Eric Sachs wrote:
> >
> > The feature in this area that we get more requests for is to support OpenID validation for the relatively new Google Profiles service, i.e. profiles.google.com, which is also a more memorable endpoint for users to type :-). That support is not yet available, but it's definitely on the list.
> >
>
> -----
> Santosh Rajan
> http://santrajan.blogspot.com
> --
> View this message in context: http://www.nabble.com/Google-custom-discovery-tp24431509p24431923.html
> Sent from the OpenID - General mailing list archive at Nabble.com.
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
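The XRDS that http://tinyurl.com/googop returns, quoted in the thread above, is what a relying party fetches after following the redirect, and the RP must then decide whether it is looking at an OP Identifier or at a user's Claimed Identifier; Andrew's point is that a Blogger URL resolves to an OpenID 1.1-only service. As an added example (not from the thread, from Google, or from any OpenID library), here is that selection step as an RP would perform it, run on the Google document from the thread and on a constructed OpenID 1.1 document with hypothetical hostnames.

```python
import xml.etree.ElementTree as ET

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID1_NS = "http://openid.net/xmlns/1.0"  # namespace of the OpenID 1.x <openid:Delegate>

# Service types defined by OpenID Authentication 2.0 (section 7.3.2.1)
OP_IDENTIFIER_TYPE = "http://specs.openid.net/auth/2.0/server"
SIGNON_20_TYPE = "http://specs.openid.net/auth/2.0/signon"
SIGNON_1X_TYPES = {"http://openid.net/signon/1.1": "1.1",
                   "http://openid.net/signon/1.0": "1.0"}
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# The XRDS Google serves for its OP Identifier, as pasted in the thread
# (closing </xrds:XRDS> added so that it parses).
GOOGLE_OP_XRDS = """<?xml version="1.0" encoding="UTF-8" ?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service priority="0">
 <Type>http://specs.openid.net/auth/2.0/server</Type>
 <Type>http://openid.net/srv/ax/1.0</Type>
 <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
 <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
 <Type>http://specs.openid.net/extensions/pape/1.0</Type>
 <URI>https://www.google.com/accounts/o8/ud</URI>
 </Service>
 </XRD>
</xrds:XRDS>"""

# Constructed XRDS (hypothetical hostnames) for a user's Claimed Identifier
# served by an OpenID 1.1-only provider, the case Andrew contrasts with o8/id.
USER_11_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"
           xmlns:openid="http://openid.net/xmlns/1.0">
<XRD>
<Service priority="10">
 <Type>http://openid.net/signon/1.1</Type>
 <URI>https://op.example.test/server</URI>
 <openid:Delegate>https://op.example.test/user/alice</openid:Delegate>
</Service>
</XRD>
</xrds:XRDS>"""


def _tag(ns, name):
    return "{%s}%s" % (ns, name)


def discover_from_xrds(document: str, claimed_identifier: str) -> dict:
    """Pick the OpenID service an RP should use from an XRDS document.

    Returns the endpoint URL, protocol version, identifier kind
    ('op_identifier' or 'claimed_identifier') and the OP-Local Identifier the
    RP must send. Services are tried in XRD priority order (lower value first,
    no priority last); services without an OpenID type or URI are ignored.
    """
    root = ET.fromstring(document)
    if root.tag != _tag(XRDS_NS, "XRDS"):
        raise ValueError("not an XRDS document")
    xrds = root.findall(_tag(XRD_NS, "XRD"))
    if not xrds:
        raise ValueError("XRDS contains no XRD")
    final_xrd = xrds[-1]  # the last XRD describes the resource itself

    def priority(service):
        value = service.get("priority")
        return int(value) if value and value.isdigit() else float("inf")

    for service in sorted(final_xrd.findall(_tag(XRD_NS, "Service")), key=priority):
        types = [t.text.strip() for t in service.findall(_tag(XRD_NS, "Type")) if t.text]
        uri = service.find(_tag(XRD_NS, "URI"))
        if uri is None or not uri.text:
            continue
        endpoint = uri.text.strip()
        if OP_IDENTIFIER_TYPE in types:
            # OP Identifier: there is no Claimed Identifier yet, the RP asks the OP to select one
            return {"kind": "op_identifier", "version": "2.0", "endpoint": endpoint,
                    "claimed_id": IDENTIFIER_SELECT, "local_id": IDENTIFIER_SELECT,
                    "types": types}
        if SIGNON_20_TYPE in types:
            local = service.find(_tag(XRD_NS, "LocalID"))
            local_id = local.text.strip() if local is not None and local.text else claimed_identifier
            return {"kind": "claimed_identifier", "version": "2.0", "endpoint": endpoint,
                    "claimed_id": claimed_identifier, "local_id": local_id, "types": types}
        for type_uri, version in SIGNON_1X_TYPES.items():
            if type_uri in types:
                # OpenID 1.x expresses delegation with <openid:Delegate> instead of <LocalID>
                delegate = service.find(_tag(OPENID1_NS, "Delegate"))
                local_id = delegate.text.strip() if delegate is not None and delegate.text else claimed_identifier
                return {"kind": "claimed_identifier", "version": version, "endpoint": endpoint,
                        "claimed_id": claimed_identifier, "local_id": local_id, "types": types}
    raise ValueError("no OpenID service in XRDS")
```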

From breno at google.com Fri Jul 10 11:13:22 2009
From: breno at google.com (Breno de Medeiros)
Date: Fri, 10 Jul 2009 11:13:22 -0700
Subject: [OpenID] Google's proprietary discovery extension?
References: <216e54900907090958p6173707gd66e08bab74c888d@mail.gmail.com> <216e54900907090959k465abe0enb4afdee36a65fa87@mail.gmail.com>
Message-ID: <29fb00360907101113h1661302ap8fd9782dd8358207@mail.gmail.com>

There is a proposal for a webfinger protocol based on standards (the IETF LRDD proposal and either (optionally signed) XRDS or the newly proposed (optionally signed) XRD format) that would allow users to type 'google.com' or their email address, and it would just work. It would also work for users of Google Apps for Your Domain, that have email addresses that are not @gmail.com or @googlemail.com. These users comprise a significant portion of our user base.

Hopefully the community will be excited about these possibilities and will embrace a new vision for discovery that supports all users. We at Google have NOT been working on this behind the scenes. For instance, see John Panzer's blog post on webfinger at http://www.abstractioneer.org/, our involvement in the XRI TC (see the markmail links in Eric's message), and many emails that we have exchanged in the various openid mailing lists about discovery in the past several months. We have also added our names to a proposal for an OpenID discovery WG http://wiki.openid.net/OpenID-Discovery

We invite all that are excited about possibilities with a new discovery mechanism (supporting email and xmpp addresses as OpenID identifiers, improving security of discovery, making it more flexible to work with hosted applications, etc.) to contribute with momentum to move this forward.

On Thu, Jul 9, 2009 at 10:14 AM, Eric Sachs wrote:
>
>> I haven't heard anything about this except from this one article.
>
> In terms of more background on the evolving discovery standards, the best information is actually on a blog run by Eran Hammer-Lahav at Yahoo who has led a lot of the work in this space. Here is a hyperlink which will show you all the blog posts he has done about "discovery" and he has done a good job of trying to provide background.
>
> http://www.hueniverse.com/hueniverse/discovery/
>
> Note though that this work is not specific to OpenID, but instead is to try to provide a generic discovery mechanism that can be used by multiple protocols.
>
> If you want to join some of the discussions, here are links to a few threads:
>
> http://lists.oasis-open.org/archives/xri/200905/msg00025.html
> http://markmail.org/message/rup4ikec43bk4wkg
> http://markmail.org/message/5ckiqdzjguipa3qf
>
> We do still want more community discussions about discovery, and its application to OpenID. While these standards are being refined, we are providing a proof-of-concept implementation of a next-generation OpenID discovery protocol. While some of the details of this proof-of-concept implementation are different from what the eventual standards are likely to look like (e.g., we're using XRDS instead of XRD for discovery documents, and are using temporary namespaces), we believe all the necessary pieces are there. For nitty gritty details, see http://sites.google.com/site/oauthgoog/fedlogininterp/openiddiscovery
>
>
> On Thu, Jul 9, 2009 at 9:59 AM, Andrew Arnott wrote:
>
>> Oops.... I sent my email to the wrong list. See below.
>>
>> --
>> Andrew Arnott
>> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
>>
>>
>> On Thu, Jul 9, 2009 at 9:58 AM, Andrew Arnott wrote:
>>
>>> From http://www.readwriteweb.com/archives/google_to_announce_major_identity_initiative_for_1.php
>>>
>>> OpenID relying parties will need to be redirected from the domain provided at user login over to Google's OpenID service. In order for this redirect to happen, all relying parties will need to start looking for a new OpenID extension that Google has developed and implemented in conjunction with one relying party technology, JanRain's RPX.
>>>
>>> Is this just FUD about Google? I haven't heard anything about this except from this one article. And Google's own OpenID for Google Apps page says nothing about a special extension.
>>>
>>>
>>> --
>>> Andrew Arnott
>>> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
>>
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general

--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
There is a proposal for a webfinger protocol based on standards (the I= ETF LRDD proposal and either (optionally signed) XRDS or the newly proposed= (optionally signed) XRD format) that would allow users to type

=

or their email address,

and it= would just work. It would also work for users of Google Apps for Your Doma= in, that have email addresses that are not @gm= ail.com or @googlemail.com. These= users comprise a significant portion of our user base.

Hopefully the community will be excited about these pos= sibilities and will embrace a new vision for discovery that supports all us= ers. We at Google have NOT been working on this behind the scenes. For inst= ance, see John Panzer's blog post on webfinger at=A0http://www.abstractioneer.org/, our involvement= in the XRI TC (see the markmail links in Eric's message), and many ema= ils that we have exchanged in the various openid mailing lists about discov= ery in the past several months. We have also added our names to a proposal = for an OpenID discovery WG=A0http://wiki.openid.net/OpenID-Discovery

We invite all that are excited about possibilities with= a new discovery mechanism (supporting email and xmpp addresses as OpenID i= dentifiers, improving security of discovery, making it more flexible to wor= k with hosted applications, etc.) to=A0
contribute with momentum to move this forward.

On Thu, Jul 9, 2009 at 10:14 AM, Eric Sachs = <esachs at google.com> w= rote:
>>=A0I haven't heard anything about this except f= rom this one article.

In terms of more background on the evolving discove= ry standards, the best information is actually on a blog run by Eran Hammer= -Lahav at Yahoo who has led a lot of the work in this space. =A0Here is a h= yperlink which will show you all the blog posts he has done about "dis= covery" and he has done a good job of trying to provide background.
http://w= ww.hueniverse.com/hueniverse/discovery/
Note though that this work is not specific to OpenID, but instead is t= o try to provide a generic discovery mechanism that can be used my multiple= protocols.

If you want to join some of the discus= sions, here are links to a few threads:
http://lists.oasis-open.org/archives/xri/200905/msg00025.html=
htt= p://markmail.org/message/rup4ikec43bk4wkg
htt= p://markmail.org/message/5ckiqdzjguipa3qf
We do still want more community discussions about discovery, and its a= pplication to OpenID. =A0W= hile these standards are being refined, we are providing a proof-of-concept= implementation of a next-generation OpenID discovery protocol. While some = of the details of this proof-of-concept-implementation are different from w= hat the eventual standards are likely to look like (e.g., we're using X= RDS instead of XRD for discovery documents, and are using temporary namespa= ces), we believe all the necessary pieces are there. =A0For nitty gritty de= tails, see=A0http://sites.google.com/site/oauthgoog/fedlogininterp/openiddis= covery



On Thu, Jul 9, 2009 at 9:59 AM, Andrew Arnott <andrewarnott at gmail.com> wrote:
Oops.... I sent my email to the wrong list. See below.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


On Thu, Jul 9, 2009 at 9:58 AM, Andrew Arnott <andrewarnott at gmail.com> wrote:
From .com/archives/google_to_announce_major_identity_initiative_for_1.php:

OpenID relying parties will need to be redirected from the domain provided at user login over to Google's OpenID service. In order for this redirect to happen, all relying parties will need to start looking for a new OpenID extension that Google has developed and implemented in conjunction with one relying party technology, JanRain's RPX.

Is this just FUD about Google? I haven't heard anything about this except from this one article. And Google's own OpenID for Google Apps page says nothing about a special extension.


--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general







--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
From pwilliams at rapattoni.com Fri Jul 10 11:14:03 2009
From: pwilliams at rapattoni.com (Peter Williams)
Date: Fri, 10 Jul 2009 11:14:03 -0700
Subject: [OpenID] Google custom discovery
Message-ID:

I recognize that openid discovery is inadequate for delegation management: of relying parties offloading to google service bus, to op parties offloading to google service bus, or users delegating their names in the spirit of uci. We all know that this is what the xri architecture facilitates.

If an openid extension is the means used to distinguish between the discovery process built into openid auth (a partial xri discovery approach that is somewhat ambiguous and incomplete) and the "full" xri-based discovery, then I don't mind the use of an extension artifact. It's basically distinguishing between two versions of the same discovery model.

If the use of a new discovery artifact is the foil to introduce a non-xri model, I worry. If it's a foil to introduce even xri-based "exclusionary" trust federations (hub/spoke) based on mr oath's mantra expressed during the board election process (privacy is dead; get used to having none, sucker), I worry.

I worry mostly in all that that we have passport "attitudes", and that means using the same means to break those attitudes as were used to break passport. I don't want to see folks subject to that process, as it has a side effect: it sets back mass adoption.

________________________________
From: Eric Sachs
Sent: Friday, July 10, 2009 10:35 AM
To: Peter Williams
Cc: Andrew Arnott; general at openid.net
Subject: Re: [OpenID] Google custom discovery

The feature in this area that we get more requests for is to support OpenID validation for the relatively new Google Profiles service, i.e. profiles.google.com, which is also a more memorable endpoint for users to type :-). That support is not yet available, but it's definitely on the list.
On Fri, Jul 10, 2009 at 10:16 AM, Peter Williams wrote:

Let's hope it prompts google to do much better: http://op.google.com: forming the eminently typable "op.google.com".

They might even have that redirect to http://google.com/op which they might make an xri mount point to the I-brokered authority that serves the op xrd/s. If their op is a real xri-labelled authority, a ref field in the sep can even properly provide for delegated authorization of xrd files by user authorities (which openid auth hacks up as openid delegation, when abusing the semantics of the op local id field per jonny bufu's recent message).

I don't think it's hard to meet professional security engineering standards within openid: just be complete about xri semantics (even when using http identifiers). We don't need custom extensions for discovery, particularly if they project idp-centric vs user-centric identity models.

But let's wait and see how they are signing the xrd files (the way the openxri server does it (per the standard), or "otherwise"). The validity logic for verifying that signature will tell us what class of trust semantics they are working towards: google as ttp for attribute sharing, or uci.

________________________________
From: Andrew Arnott
Sent: Thursday, July 09, 2009 8:30 PM
To: Peter Williams
Cc: Eric Sachs; general at openid.net; Paul Johnston
Subject: Re: [OpenID] What is my Google OpenID URL?

Wow. I'm going to have to use that tinyurl everywhere now. :-p

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

On Thu, Jul 9, 2009 at 8:24 PM, Peter Williams wrote:

Come on google, it takes you 10s to have a redirector URL (op.google.com, perhaps?) redirect to https://www.google.com/accounts/o8/id. Conforming RPs are required to follow the redirect, before detecting that the XRD at that address is a law#4-capable OP, vs a user.
http://tinyurl.com/googop now produces

    <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
      <XRD>
        <Service priority="0">
          <Type>http://specs.openid.net/auth/2.0/server</Type>
          <Type>http://openid.net/srv/ax/1.0</Type>
          <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
          <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
          <Type>http://specs.openid.net/extensions/pape/1.0</Type>
          <URI>https://www.google.com/accounts/o8/ud</URI>
        </Service>
      </XRD>
    </xrds:XRDS>

I'm sure google can do better than tinyurl.com!

How about op.google.com?!

________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Andrew Arnott [andrewarnott at gmail.com]
Sent: Thursday, July 09, 2009 7:16 PM
To: Eric Sachs
Cc: general at openid.net; Paul Johnston
Subject: Re: [OpenID] What is my Google OpenID URL?

Note that using your Blogger blog URL is not equivalent to using https://www.google.com/accounts/o8/id. Besides the user interface of the login experience being completely different, Blogger's Provider is only an OpenID 1.1 provider, whereas Google's https://www.google.com/accounts/o8/id OpenID Provider is a more secure OpenID 2.0 provider.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

On Thu, Jul 9, 2009 at 6:38 PM, Eric Sachs wrote:

If you create a blog on Google's blogger service, then you can type the name of that blog into OpenID login boxes. If you are willing to be really geeky, type in https://www.google.com/accounts/o8/id. That points to the generic Google identity provider, and you will be redirected back with an opaque identifier. But we don't actually expect anyone to know to do that which is why a lot of OpenID relying parties are supporting other user interfaces with buttons for Google.
For example, see http://uservoice.com/session/new

Similarly a lot of blogs allow you to comment and identify you with an OpenID URL, and while you can try one of the tricks above, many of the blog commenting interfaces also include buttons (or the NASCAR style UI as the community likes to call it) to help users navigate their way through.

On Tue, Jul 7, 2009 at 11:34 PM, Paul Johnston wrote:

Hi,

I'm sorry for asking such an obvious question, but after considerable time spent searching for this I am unable to figure this out.

My google account name is paul.paj. I would like to login to bitbucket.org using OpenID. How do I do it?

Paul

_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general

From pwilliams at rapattoni.com Fri Jul 10 11:15:41 2009
From: pwilliams at rapattoni.com (Peter Williams)
Date: Fri, 10 Jul 2009 11:15:41 -0700
Subject: [OpenID] Google custom discovery
Message-ID:

Because they want to promote the direct identity flow, which has much better lifecycle management properties for identifiers.

-----Original Message-----
From: Santosh Rajan
Sent: Friday, July 10, 2009 10:46 AM
To: general at openid.net
Subject: Re: [OpenID] Google custom discovery

Actually why don't you do discovery on http://google.com/username
You can do that without clashing with your google.com namespace by only responding to "Accept" header request with "application/XRD". That would really make a killer OpenID.

-----
Santosh Rajan
http://santrajan.blogspot.com
--
View this message in context: http://www.nabble.com/Google-custom-discovery-tp24431509p24431923.html
Sent from the OpenID - General mailing list archive at Nabble.com.
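Peter's point above (a conforming RP follows the redirect and only then learns whether the XRDS at the final address describes an OP, as Google's does, or a user) and Andrew's OpenID 1.1-versus-2.0 distinction, as an added Python example that is not code from the thread or from Google's implementation: it parses the XRDS quoted above, decides OP Identifier versus Claimed Identifier, and applies an RP acceptance policy. The second document and its hostname are constructed for the example.

```python
"""Classify an XRDS (Yadis) discovery document the way an OpenID 2.0 RP must
once it has followed the redirect chain: OP Identifier (send identifier_select)
or Claimed Identifier, which protocol version the endpoint speaks, and which
extensions it advertises. Added example; not code from the thread or Google."""
import xml.etree.ElementTree as ET

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"

# OpenID authentication service Type URIs (OpenID Auth 2.0 sec. 7.3.2 and 1.x).
OP_IDENTIFIER_2_0 = "http://specs.openid.net/auth/2.0/server"
CLAIMED_ID_2_0 = "http://specs.openid.net/auth/2.0/signon"
SIGNON_1_1 = "http://openid.net/signon/1.1"
SIGNON_1_0 = "http://openid.net/signon/1.0"
AUTH_TYPES = {OP_IDENTIFIER_2_0: "2.0", CLAIMED_ID_2_0: "2.0",
              SIGNON_1_1: "1.1", SIGNON_1_0: "1.0"}
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# The document quoted in the thread for https://www.google.com/accounts/o8/id,
# with the element names that the mail archive stripped restored.
GOOGLE_OP_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed sample (hostname is a placeholder) of the other shape Andrew
# mentions: a user's own URL whose document only advertises an OpenID 1.1 OP.
LEGACY_USER_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="5">
      <Type>http://openid.net/signon/1.1</Type>
      <URI>http://blog.example.invalid/openid/server</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def parse_services(xrds_text):
    """Return the Service entries of the final XRD, best priority first.
    The document comes from a third party: parse it with defusedxml in
    production; the stdlib parser is used here only to stay self-contained."""
    root = ET.fromstring(xrds_text)
    if root.tag != f"{{{XRDS_NS}}}XRDS":
        raise ValueError("not an XRDS document")
    xrds = root.findall(f"{{{XRD_NS}}}XRD")
    if not xrds:
        raise ValueError("XRDS contains no XRD")
    services = []
    for svc in xrds[-1].findall(f"{{{XRD_NS}}}Service"):  # last XRD is the result
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        uris = [u.text.strip() for u in svc.findall(f"{{{XRD_NS}}}URI") if u.text]
        prio = svc.get("priority")
        # A Service without a priority sorts after every explicit one.
        services.append({"priority": int(prio) if prio is not None else float("inf"),
                         "types": types, "uris": uris})
    services.sort(key=lambda s: s["priority"])
    return services


def classify(xrds_text, user_supplied_id):
    """Describe the first service that carries an OpenID authentication type."""
    for svc in parse_services(xrds_text):
        auth = sorted((t for t in svc["types"] if t in AUTH_TYPES),
                      key=lambda t: AUTH_TYPES[t], reverse=True)  # newest first
        if not auth or not svc["uris"]:
            continue
        kind = "op_identifier" if OP_IDENTIFIER_2_0 in auth else "claimed_identifier"
        return {
            "kind": kind,
            "version": AUTH_TYPES[auth[0]],
            "endpoint": svc["uris"][0],
            # An OP Identifier names no user: the RP must not bind the login to
            # the typed URL; it sends identifier_select and the OP asserts the user.
            "claimed_id": IDENTIFIER_SELECT if kind == "op_identifier" else user_supplied_id,
            "extensions": sorted(svc["types"] - set(AUTH_TYPES)),
        }
    raise ValueError("no OpenID service in XRDS")


def policy_violations(info, require_v2=True, require_https=True):
    """RP acceptance policy: reasons to refuse a discovered endpoint. Refusing
    1.x-only providers is one way to act on Andrew's 1.1-vs-2.0 distinction."""
    problems = []
    if require_v2 and info["version"] != "2.0":
        problems.append(f"provider speaks only OpenID {info['version']}")
    if require_https and not info["endpoint"].startswith("https://"):
        problems.append("endpoint is not https")
    return problems
```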
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general

From santrajan at gmail.com Fri Jul 10 11:16:38 2009
From: santrajan at gmail.com (Santosh Rajan)
Date: Fri, 10 Jul 2009 11:16:38 -0700 (PDT)
Subject: [OpenID] Google custom discovery
In-Reply-To:
References: <24431923.post@talk.nabble.com>
Message-ID: <24432348.post@talk.nabble.com>

It could be the gmail username, and google profile usernames; they don't clash. Problem is only for Google employees who have google.com email addresses. :)

Eric Sachs wrote:
>
> Only a subset of GoogleProfile users register a username, but yes, for
> those
> users that is the common request we get.

-----
Santosh Rajan
http://santrajan.blogspot.com
--
View this message in context: http://www.nabble.com/Google-custom-discovery-tp24431509p24432348.html
Sent from the OpenID - General mailing list archive at Nabble.com.

From breno at google.com Fri Jul 10 11:20:31 2009
From: breno at google.com (Breno de Medeiros)
Date: Fri, 10 Jul 2009 11:20:31 -0700
Subject: [OpenID] Google custom discovery
In-Reply-To: <24432348.post@talk.nabble.com>
References: <24431923.post@talk.nabble.com> <24432348.post@talk.nabble.com>
Message-ID: <29fb00360907101120y66df4ae6ndc9fef7243e7f2dd@mail.gmail.com>

There is already a proposal for this called webfinger: http://www.abstractioneer.org/

It leverages the LRDD proposal to provide a generic mechanism for email addresses, xmpp addresses, etc.
--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)

From breno at google.com Fri Jul 10 11:21:36 2009
From: breno at google.com (Breno de Medeiros)
Date: Fri, 10 Jul 2009 11:21:36 -0700
Subject: [OpenID] Google custom discovery
In-Reply-To: <29fb00360907101120y66df4ae6ndc9fef7243e7f2dd@mail.gmail.com>
References: <24431923.post@talk.nabble.com> <24432348.post@talk.nabble.com> <29fb00360907101120y66df4ae6ndc9fef7243e7f2dd@mail.gmail.com>
Message-ID: <29fb00360907101121oe43a5e0tc226a94e328b380e@mail.gmail.com>

Actually, the better link is:
http://www.abstractioneer.org/2009/04/personal-web-discovery.html
and the linked posts in hueniverse.org

On Fri, Jul 10, 2009 at 11:20 AM, Breno de Medeiros wrote:
> There is already a proposal for this called webfinger:
> http://www.abstractioneer.org/
>
> It leverages the LRDD proposal to provide a generic mechanism for email
> addresses, xmpp addresses, etc.
>
> On Fri, Jul 10, 2009 at 11:16 AM, Santosh Rajan wrote:
>
>> It could be the gmail username, and google profile usernames they dont
>> clash.
>> Problem is only for Google employees who have google.com email addresses.
>> :)
>>
>> Eric Sachs wrote:
>> >
>> > Only a subset of GoogleProfile users register a username, but yes, for
>> > those users that is the common request we get.
>> >
>> > On Fri, Jul 10, 2009 at 10:46 AM, Santosh Rajan wrote:
>> >
>> >> Actually why dont you do discovery on
>> >> http://google.com/username
>> >> You can do that without clashing with your google.com namespace by only
>> >> responding to "Accept" header request with "application/XRD". That
>> >> would really make a killer OpenID.
>> >>
>> >> Eric Sachs wrote:
>> >> >
>> >> > The feature in this area that we get more requests for is to support
>> >> > OpenID validation for the relatively new Google Profiles service, i.e.
>> >> > profiles.google.com, which is also a more memorable endpoint for users
>> >> > to type :-). That support is not yet available, but its definitely on
>> >> > the list.
>> >> >
>> >> > On Fri, Jul 10, 2009 at 10:16 AM, Peter Williams wrote:
>> >> > [...]
>>
>> -----
>>
>> Santosh Rajan
>> http://santrajan.blogspot.com
>> --
>> View this message in context:
>> http://www.nabble.com/Google-custom-discovery-tp24431509p24432348.html
>> Sent from the OpenID - General mailing list archive at Nabble.com.
>
> --
> --Breno

--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)

From balfanz at google.com Fri Jul 10 11:25:45 2009
From: balfanz at google.com (Dirk Balfanz)
Date: Fri, 10 Jul 2009 11:25:45 -0700
Subject: [OpenID] experimental namespace for openid.net
In-Reply-To: <60c552b80907091645j23d1a057k3b80e29d9e8f6cac@mail.gmail.com>
References: <60c552b80907091645j23d1a057k3b80e29d9e8f6cac@mail.gmail.com>
Message-ID: <60c552b80907101125v1a56d875oc846fb332200974b@mail.gmail.com>

[+general at openid.net for a broader audience]

On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz wrote:
> Hi guys,
> Google would like to launch a feature in which we're allowing our Google
> Apps hosted domains to become OpenID providers. The authentication part of
> it is pretty simple - Google is already logging in users to their apps, so
> we can also host an OP endpoint for those domains and send assertions back
> to Relying Parties. What is more difficult is the discovery part. We have
> been working with the XRI TC to define a XRD-based discovery protocol that
> would allow this kind of hosting of discovery documents on behalf of our
> customers.
>
> We believe that providing proof-of-concept implementations drives
> standardization processes forward, so in this spirit we want to launch this
> feature in the near future, using a discovery protocol that as far as we can
> tell meets all the requirements of what the XRI TC is currently converging
> on, but which has not been vetted as an official standard (it's a chicken
> and egg thing - without PoC no standards, without standards by definition no
> standards-compliant implementations).
>
> While we were tossing around ideas in the standardization committees we
> just used random identifiers for new XML namespaces, etc. that we would
> need for this discovery protocol. Now that we're about to launch we need
> to decide what to call these things. We would like to use a namespace in
> http://specs.openid.net/... because we want this kind of discovery
> protocol to be part of OpenID, but we can't really use them because we
> don't have a next-generation discovery protocol yet.
>
> So what should we use? How about http://experimental.openid.net/... ? That
> way, Relying Parties know that what we're trying to do is be a part of the
> OpenID community and bring the protocol forward. On the other hand, this
> would also be a signal to the RP that they're using a feature that has not
> been vetted as a standard yet.
>
> For example, a discovery document for a domain balfanz.net at Google might
> look like this (notice the "experimental" namespace and the XML elements
> using it):
>
> [The XML tags did not survive the archive; only the element contents remain:]
>
> MIICgjCCA...
> MIICsDCCAhmgAwIB...
>
> balfanz.net
>
> http://specs.openid.net/auth/2.0/server
> http://openid.net/srv/ax/1.0
> http://specs.openid.net/extensions/pape/1.0
> https://www.google.com/a/balfanz.net/o8/ud?be=o8
>
> http://www.iana.org/assignments/relation/describedby
> application/xrds+xml
> https://www.google.com/accounts/o8/user-xrds?uri={%uri}
> hosted-id.google.com
>
> What do you guys think?
>
> Dirk.

[+general at openid.net for a b= roader audience]

On Thu, Jul 9, 20= 09 at 4:45 PM, Dirk Balfanz <balfanz at google.com> wrote:
Hi guys,=A0

G= oogle would like to launch a feature in which we're allowing our Google= Apps hosted domains to become OpenID providers. The authentication part of= it is pretty simple - Google is already logging in users to their apps, so= we can also host an OP endpoint for those domains and send assertions back= to Relying Parties. What is more difficult is the discovery part. We have = been working with the XRI TC to define a XRD-based discovery protocol that = would allow this kind of hosting of discovery documents on behalf of our cu= stomers.=A0

We believe that providing proof-of-concept implementati= ons drives standardization processes forward, so in this spirit we want to = launch this feature in the near future, using a discovery protocol that as = far as we can tell meets all the requirements of what the XRI TC is current= ly converging on, but which has not been vetted as an official standard (it= 's a chicken and egg thing - without PoC no standards, without standard= s by definition no standards-compliant implementations).

While we were=A0toss= ing around ideas=A0in the standardization committees we just used rando= m identifiers for new XML namespaces, etc. that we would need for this disc= overy protocol. Now that we're about to launch we need to decide what t= o call these things. We would like to use a namespace in=A0http://specs.openid.net/... bec= ause we want this kind of discovery protocol to be part of OpenID, but we c= an't really use them because we don't have a next-generation discov= ery protocol yet.=A0

So what should we use? How about=A0http://experimental.openid.net/.= .. ? That way, Relying Parties know that what we're trying to do is= be a part of the OpenID community and bring the protocol forward. On the o= ther hand, this would also be a signal to the RP that they're using a f= eature that has not been vetted as a standard yet.=A0

For example, a discovery document for a domain=A0balfanz.net=A0at Google migh= t look like this (notice the "experimental" namespace and the XML= elements using it):

<?xm= l=A0version=3D"1.0"=A0encoding=3D"UTF-8"?>
<xrds:XRDS=A0xml= ns:xrds=3D"xri://$xrds"=A0xmlns=3D"xri://$xrd*($v*2.0)"= >
=A0=A0<ds:Signature= =A0xmlns:ds=3D"http://www.w3.org/2000/09/xmldsig#">
=A0=A0<ds:SignedInfo&= gt;
=A0=A0<ds:Canonical= izationMethod=A0Algorithm=3D"http://docs.oasis-o= pen.org/xri/xrd/2009/01#canonicalize-raw-octets"=A0/>
=A0=A0<ds:Signature= Method=A0Algorithm=3D"http://www.w3.org/2000/09/xmldsig#rsa-sha1&quo= t;=A0/>
=A0=A0</ds:SignedInfo>= ;
=A0=A0&l= t;ds:KeyInfo>
=A0=A0<ds:X509Data>
=A0=A0<ds:X509Certi= ficate>
=A0=A0MIICgjCCA...
=A0=A0</ds:X509Certificate>
=A0=A0<ds:X509Certi= ficate>
=A0=A0MIICsDCCAhmgAwIB...
=A0=A0</ds:X509Certificate>
=A0=A0</ds:X509Data= >
=A0= =A0</ds:KeyInfo>
=A0=A0</ds:Signature>
=A0=A0<XRD>
=A0=A0<Cano= nicalID>balfanz.net= </CanonicalID>
=A0=A0<Service=A0pr= iority=3D"0">
=A0=A0<URI>https://www.google.com/a/balfanz.net/o8/ud?be=3Do8</URI><= /div>
=A0=A0</Service>
=A0=A0<Service=A0pr= iority=3D"0"=A0xmlns:experimental=3D"http://experime= ntal.openid.net/google/2009/07/xmlns/">
=A0=A0<MediaType>= ;application/xrds+xml</MediaType>
=A0=A0<experimental= :URITemplate>https://www.google.com/accounts/o8/user-xr= ds?uri=3D{%uri}</experimental:URITemplate>
=A0=A0<experimental= :NextAuthority>hosted-id.google.com</experimental:NextAuthority>
=A0=A0</Service>
=A0=A0</XRD>
</xrds:XRD= S>

What do you guys think?
Dirk.
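As an added example (not code from the thread or from Google's implementation), here is how an RP might read the sample document above: it lists the services, picks the OP endpoint, expands the experimental URITemplate and reports every element that sits in the experimental namespace, so the RP knows which of its discovery steps rest on unvetted pieces. The user identifier and the reading of `{%uri}` as the percent-encoded identifier are assumptions; the XRDS text is the sample from the message.

```python
# Added example, not code from the thread: an RP-side reader for the XRDS
# document Dirk posted. It lists the services, picks the OP endpoint, expands
# the experimental URITemplate and names every element in an experimental
# namespace. XML-DSig verification of the document is a separate step.
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
EXPERIMENTAL_ROOT = "http://experimental.openid.net/"  # namespace root proposed above
OPENID_SERVER = "http://specs.openid.net/auth/2.0/server"
DESCRIBEDBY = "http://www.iana.org/assignments/relation/describedby"

# The sample document from the message, certificate blobs truncated as posted.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    </ds:SignedInfo>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICgjCCA...</ds:X509Certificate>
      <ds:X509Certificate>MIICsDCCAhmgAwIB...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <XRD>
    <CanonicalID>balfanz.net</CanonicalID>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
    </Service>
    <Service priority="0" xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/">
      <Type>http://www.iana.org/assignments/relation/describedby</Type>
      <MediaType>application/xrds+xml</MediaType>
      <experimental:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</experimental:URITemplate>
      <experimental:NextAuthority>hosted-id.google.com</experimental:NextAuthority>
    </Service>
  </XRD>
</xrds:XRDS>
"""

def _tag(ns, local):
    return "{%s}%s" % (ns, local)  # ElementTree's Clark notation

def parse_xrds(xml_text):
    """Reduce an XRDS document to a dict: CanonicalID, signature facts and
    the Service entries sorted by priority (lower wins, as in XRD)."""
    root = ET.fromstring(xml_text)  # stdlib parser: no external entity fetches
    if root.tag != _tag(XRDS_NS, "XRDS"):
        raise ValueError("not an XRDS document: %s" % root.tag)
    xrd = root.find(_tag(XRD_NS, "XRD"))
    if xrd is None:
        raise ValueError("XRDS without an XRD element")
    services = []
    for svc in xrd.findall(_tag(XRD_NS, "Service")):
        entry = {"priority": int(svc.get("priority", "0")), "experimental": {},
                 "types": [t.text.strip() for t in svc.findall(_tag(XRD_NS, "Type")) if t.text],
                 "uris": [u.text.strip() for u in svc.findall(_tag(XRD_NS, "URI")) if u.text]}
        for child in svc:  # anything outside the XRD namespace is an extension
            if child.tag.startswith("{"):
                ns, _, local = child.tag[1:].partition("}")
                if ns.startswith(EXPERIMENTAL_ROOT):
                    entry["experimental"][local] = (child.text or "").strip()
        services.append(entry)
    services.sort(key=lambda s: s["priority"])
    return {"canonical_id": (xrd.findtext(_tag(XRD_NS, "CanonicalID")) or "").strip(),
            "signed": root.find(_tag(DSIG_NS, "Signature")) is not None,
            "certificates": len(root.findall(".//" + _tag(DSIG_NS, "X509Certificate"))),
            "services": services}

def openid_endpoint(doc):
    """OP endpoint to send the user to; https is required so that a plaintext
    discovery hop cannot redirect the login to an impostor."""
    for svc in doc["services"]:
        if OPENID_SERVER in svc["types"]:
            for uri in svc["uris"]:
                if urlsplit(uri).scheme == "https":
                    return uri
    return None

def experimental_elements(doc):
    """Sorted names of all elements found under the experimental namespace root."""
    return sorted({name for svc in doc["services"] for name in svc["experimental"]})

def user_xrds_location(doc, user_uri):
    """Expand the URITemplate for one user identifier. Assumption: {%uri} is
    the percent-encoded identifier; the TC draft, not this code, decides that."""
    for svc in doc["services"]:
        template = svc["experimental"].get("URITemplate")
        if DESCRIBEDBY in svc["types"] and template:
            return template.replace("{%uri}", quote(user_uri, safe=""))
    return None
```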

From johnny.bufu at gmail.com Fri Jul 10 11:40:50 2009
From: johnny.bufu at gmail.com (Johnny Bufu)
Date: Fri, 10 Jul 2009 11:40:50 -0700
Subject: [OpenID] Delegation leading to new accounts on websites
In-Reply-To: <29fb00360907091320n69cacd6cp9acfe7fdfb44a7cc@mail.gmail.com>
References: <2496E279-A373-4719-AD0A-CDC28F025FC2@wingaa.com>
 <20090707230302.GD19965@rationalarts.com>
 <29fb00360907091320n69cacd6cp9acfe7fdfb44a7cc@mail.gmail.com>
Message-ID: <20090710184049.GG19965@rationalarts.com>

> On Tue, Jul 7, 2009 at 4:03 PM, Johnny Bufu wrote:
> > Doesn't even have to be a URI; what matters is that the OP issues
> > it, so they (can) have full control/authority over it if that's a
> > concern for them.

On Thu, Jul 09, 2009 at 01:20:07PM -0700, Breno de Medeiros wrote:
> It does need to be an URI (at least for OpenID). See the spec definition of
> identifiers.

That part was overspecified, mostly for keeping the spec simpler by having
all identifiers be a subclass of URI and at the expense of some flexibility
for the OPs (if they choose to be strict about this).

But from a practical / protocol point of view, the OPs are the only ones
that produce (issue) and consume (recognize/authenticate) delegate
identifiers, while the rest of the parties involved pass around and compare
them as opaque strings.

Johnny

From john.bradley at wingaa.com Fri Jul 10 11:41:15 2009
From: john.bradley at wingaa.com (John Bradley)
Date: Fri, 10 Jul 2009 14:41:15 -0400
Subject: [OpenID] Why use SREG instead of AX?

Breno,

It's on my list for this weekend.

I think Andrew's idea is an interesting solution. I don't think that
overloading the attribute is a good long term solution. I hope we could do
something better for XRD 1.0 discovery to describe the features of an OP.
In the short term overloading is something we can do.

The other pressing issues for AX are:

1. Registering a for discovering the RP privacy policy
2. Registering a for discovering the RP Terms of Service.
3. Having a way for the RP to know if the OP supports if_available.

The last one is important to deal with the fact that some OPs ignore
if_available in requests and only give the user the choice to return the
attributes that are requested as "REQUIRED".

All the OPs could agree on a single way to interpret AX requests but that is
a touch optimistic :)

Having a way for an RP to differentiate between OPs operating on different
theories would be good for RPs.

John B.

On 10-Jul-09, at 1:35 PM, general-request at openid.net wrote:
> Date: Fri, 10 Jul 2009 10:00:05 -0700
> From: Breno de Medeiros
> Subject: Re: [OpenID] Why use SREG instead of AX?
> To: Andrew Arnott
> Cc: general at openid.net
>
> For one, it would be interesting if someone with expertise on how to create
> lightweight processes for registration would clarify the language in that
> wiki document. Hopefully, it would be possible to define a process that
> exempts the OIDF from the burden of having to impose the current IPR policy
> on each contributor. (I had hoped JBradley would take that on, but he has
> plenty on his hands at this point).
>
> Once that wiki page is in good shape we could spam specs@ to bless it and
> then we can get started right away. There is even an initial understanding
> to use the domain name schemas.openid.net and to host each registered URL
> at that domain with a description of the wire format for the attribute. So
> once this is up, I think progress could be made quickly.
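As an added example (not from the thread), what an RP can and cannot learn about if_available from the AX exchange itself: building a fetch_request with separate required and if_available lists, and mapping a fetch_response back by type URI to see which optional attributes came back. The type URIs are the axschema.org ones; the aliases and response values are constructed.

```python
# Added example, not code from the thread: build_fetch_request emits the
# openid.ax.* parameters with separate required and if_available lists;
# evaluate_fetch_response maps the OP's answer back by type URI and reports
# which optional attributes came back. An empty optional set is ambiguous
# (the user may simply have declined), which is why John wants the OP to
# advertise if_available support in discovery. Sample values are constructed.
AX_NS = "http://openid.net/srv/ax/1.0"
# Attribute type URIs from axschema.org; aliases are the RP's own short names.
REQUIRED = {"email": "http://axschema.org/contact/email"}
IF_AVAILABLE = {"nick": "http://axschema.org/namePerson/friendly",
                "country": "http://axschema.org/contact/country/home"}


def build_fetch_request(required, if_available):
    """openid.ax.* parameters the RP adds to its checkid_setup request."""
    params = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request"}
    for alias, type_uri in list(required.items()) + list(if_available.items()):
        params["openid.ax.type.%s" % alias] = type_uri
    if required:
        params["openid.ax.required"] = ",".join(required)
    if if_available:
        params["openid.ax.if_available"] = ",".join(if_available)
    return params


def evaluate_fetch_response(params, required, if_available):
    """Return (values, missing_required, optional_returned). Attributes are
    matched on type URI because the OP may choose its own aliases; a missing
    required attribute is a hard failure for the RP, a missing if_available
    one is only recorded."""
    if params.get("openid.ns.ax") != AX_NS or params.get("openid.ax.mode") != "fetch_response":
        raise ValueError("not an AX fetch_response")
    by_type = {}
    for key, type_uri in params.items():
        if not key.startswith("openid.ax.type."):
            continue
        alias = key[len("openid.ax.type."):]
        count_key = "openid.ax.count.%s" % alias
        if count_key in params:  # multi-valued: openid.ax.value.<alias>.<n>, n from 1
            n = int(params[count_key])
            vals = [params["openid.ax.value.%s.%d" % (alias, i)] for i in range(1, n + 1)
                    if "openid.ax.value.%s.%d" % (alias, i) in params]
        else:  # single-valued: openid.ax.value.<alias>
            single = "openid.ax.value.%s" % alias
            vals = [params[single]] if single in params else []
        by_type[type_uri] = vals
    values = {alias: by_type[t] for alias, t in required.items() if by_type.get(t)}
    values.update({alias: by_type[t] for alias, t in if_available.items() if by_type.get(t)})
    missing_required = [alias for alias, t in required.items() if not by_type.get(t)]
    optional_returned = [alias for alias, t in if_available.items() if by_type.get(t)]
    return values, missing_required, optional_returned


# Constructed responses (already decoded from the return_to query string).
# An OP that honours if_available and obtained the user's consent for nick:
HONOURS_IF_AVAILABLE = {
    "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response",
    "openid.ax.type.ext0": "http://axschema.org/contact/email",
    "openid.ax.value.ext0": "alice@example.org",
    "openid.ax.type.ext1": "http://axschema.org/namePerson/friendly",
    "openid.ax.count.ext1": "1",
    "openid.ax.value.ext1.1": "alice",
}
# An OP that only ever offers the user the REQUIRED attributes:
IGNORES_IF_AVAILABLE = {
    "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.value.email": "alice@example.org",
}
```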
From breno at google.com Fri Jul 10 11:45:39 2009
From: breno at google.com (Breno de Medeiros)
Date: Fri, 10 Jul 2009 11:45:39 -0700
Subject: [OpenID] Delegation leading to new accounts on websites
In-Reply-To: <20090710184049.GG19965@rationalarts.com>
References: <2496E279-A373-4719-AD0A-CDC28F025FC2@wingaa.com>
 <20090707230302.GD19965@rationalarts.com>
 <29fb00360907091320n69cacd6cp9acfe7fdfb44a7cc@mail.gmail.com>
 <20090710184049.GG19965@rationalarts.com>
Message-ID: <29fb00360907101145s3eaa0af4i58bdd38521160158@mail.gmail.com>

libraries will not implement checks for URL-ness of local identities and
crash and burn when something else appears there.

On Fri, Jul 10, 2009 at 11:40 AM, Johnny Bufu wrote:
> But from a practical / protocol point of view, the OPs are the only ones
> that produce (issue) and consume (recognize/authenticate) delegate
> identifiers, while the rest of the parties involved pass around and
> compare them as opaque strings.

--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
From pwilliams at rapattoni.com Fri Jul 10 11:46:50 2009
From: pwilliams at rapattoni.com (Peter Williams)
Date: Fri, 10 Jul 2009 11:46:50 -0700
Subject: [OpenID] experimental namespace for openid.net

There is a relationship between 2 https urls (which have their own trust
chains of certs), and there is a chain of certs in the xrd.

Is there a writeup of the validation logic, combining all the trust signals
for the signing keys?

It looks rather like it's set up for a saml hok type validation logic, where
the ssl client has to show knowledge of a secret. If that secret is derived
(properly) from the ssl master secret, such that uer-sr ssl session can
validate the hok secret, folk are on the right track. But folks have to
disclose the crypto used to link the 2 ssl sessions. If the crypto for that
leverages the key in the xrd's own certs, then I can see how it would all
work - and I see how that can also serve as a "custom" association handle
(rather than using the awful inband dh).

________________________________
From: Dirk Balfanz
Sent: Friday, July 10, 2009 11:26 AM
To: specs at openid.net; general at openid.net List
Subject: Re: [OpenID] experimental namespace for openid.net

[+general at openid.net for a broader audience]

On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz wrote:
Hi guys,

Google would like to launch a feature in which we're allowing our Google
Apps hosted domains to become OpenID providers. The authentication part of
it is pretty simple - Google is already logging in users to their apps, so
we can also host an OP endpoint for those domains and send assertions back
to Relying Parties. What is more difficult is the discovery part. We have
been working with the XRI TC to define an XRD-based discovery protocol that
would allow this kind of hosting of discovery documents on behalf of our
customers.

We believe that providing proof-of-concept implementations drives
standardization processes forward, so in this spirit we want to launch this
feature in the near future, using a discovery protocol that as far as we can
tell meets all the requirements of what the XRI TC is currently converging
on, but which has not been vetted as an official standard (it's a chicken
and egg thing - without PoC no standards, without standards by definition no
standards-compliant implementations).

While we were tossing around ideas in the standardization committees we just
used random identifiers for new XML namespaces, etc. that we would need for
this discovery protocol. Now that we're about to launch we need to decide
what to call these things. We would like to use a namespace in
http://specs.openid.net/... because we want this kind of discovery protocol
to be part of OpenID, but we can't really use them because we don't have a
next-generation discovery protocol yet.

So what should we use? How about http://experimental.openid.net/... ? That
way, Relying Parties know that what we're trying to do is be a part of the
OpenID community and bring the protocol forward. On the other hand, this
would also be a signal to the RP that they're using a feature that has not
been vetted as a standard yet.

For example, a discovery document for a domain balfanz.net at Google might
look like this (notice the "experimental" namespace and the XML elements
using it):

What do you guys think?

Dirk.
From johnny.bufu at gmail.com Fri Jul 10 11:50:32 2009
From: johnny.bufu at gmail.com (Johnny Bufu)
Date: Fri, 10 Jul 2009 11:50:32 -0700
Subject: [OpenID] Delegation leading to new accounts on websites
In-Reply-To: <115AC3AA-A3FD-4C12-91CC-70B91813A3E2@wingaa.com>
References: <2496E279-A373-4719-AD0A-CDC28F025FC2@wingaa.com>
 <20090707230302.GD19965@rationalarts.com>
 <115AC3AA-A3FD-4C12-91CC-70B91813A3E2@wingaa.com>
Message-ID: <20090710185032.GH19965@rationalarts.com>

On Tue, Jul 07, 2009 at 07:20:49PM -0400, John Bradley wrote:
> Yes the delegated openid.identity is issued by the OP but in the case of
> delegation the openid.claimed_id is not.
>
> If as an example we have a pseudonymous id type that an RP can request via
> PAPE or some other extension and someone has delegated to that OP, say
> Google, then Google has no control over the claimed_id and the resulting
> assertion may violate the non-correlation privacy policy.
>
> If for example the OP is assessing some profile that mandates a
> particular password strength etc. The OP has no knowledge of how the
> XRD doing the delegating is secured.
>
> I am saying that with delegation some of the security is outside of the
> control of the OP and hence the OP can't be authoritative for it and may
> not be able to make the same PAPE or other assertions regarding it.

Ok, I get your point now. The disconnect was that I took 'assertion' in
the original comment to mean the openid _core_ assertion, in which case
it's clear what it means and I saw no concerns for OPs.

If PAPE or other extensions expand their scope and include the claimed
identifiers or other entities into what they assert - it's a totally
different deal.

> There might be a legitimate reason for an OP not to support delegation
> under some limited circumstances.
> However most of the time it shouldn't be a problem as long as RPs are
> properly validating the returned assertions and not believing the
> openid.identity is something it is not.

So bottom line is that OPs should be careful how they handle delegation
with regard to certain extensions. Maybe PAPE and other extensions
should note their impact on delegation.


Johnny

From balfanz at google.com Fri Jul 10 11:56:43 2009
From: balfanz at google.com (Dirk Balfanz)
Date: Fri, 10 Jul 2009 11:56:43 -0700
Subject: [OpenID] experimental namespace for openid.net
Message-ID: <60c552b80907101156x2d87ee17ka9e587d7f91edd29@mail.gmail.com>

On Fri, Jul 10, 2009 at 11:46 AM, Peter Williams wrote:
> There is a relationship between 2 https urls (which have their own trust
> chains of certs), and there is a chain of certs in the xrd.
>
> Is there a writeup of the validation logic, combining all the trust signals
> for the signing keys?

There is something here:
https://sites.google.com/site/oauthgoog/fedlogininterp/openiddiscovery, but
mostly this has been a discussion on the XRI TC.

But anyway, the point wasn't really to ask whether the discovery mechanism
makes sense (that discussion is happening in the XRI TC), but which XML
namespaces to use in a proof-of-concept implementation that is supposed to
showcase the state of the discussion before the spec is gelled down.

Dirk.

> It looks rather like it's set up for a saml hok type validation logic, where
> the ssl client has to show knowledge of a secret. If that secret is derived
> (properly) from the ssl master secret, such that uer-sr ssl session can
> validate the hok secret, folk are on the right track. But folks have to
> disclose the crypto used to link the 2 ssl sessions. If the crypto for that
> leverages the key in the xrd's own certs, then I can see how it would all
> work - and I see how that can also serve as a "custom" association handle
> (rather than using the awful inband dh).
>
> ________________________________
> From: Dirk Balfanz
> Sent: Friday, July 10, 2009 11:26 AM
> To: specs at openid.net; general at openid.net List <general at openid.net>
> Subject: Re: [OpenID] experimental namespace for openid.net
>
> [+general at openid.net for a broader audience]
>
> On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz <balfanz at google.com> wrote:
> Hi guys,
>
> Google would like to launch a feature in which we're allowing our Google
> Apps hosted domains to become OpenID providers. The authentication part of
> it is pretty simple - Google is already logging in users to their apps, so
> we can also host an OP endpoint for those domains and send assertions back
> to Relying Parties. What is more difficult is the discovery part. We have
> been working with the XRI TC to define an XRD-based discovery protocol that
> would allow this kind of hosting of discovery documents on behalf of our
> customers.
>
> We believe that providing proof-of-concept implementations drives
> standardization processes forward, so in this spirit we want to launch this
> feature in the near future, using a discovery protocol that as far as we can
> tell meets all the requirements of what the XRI TC is currently converging
> on, but which has not been vetted as an official standard (it's a chicken
> and egg thing - without PoC no standards, without standards by definition no
> standards-compliant implementations).
>
> While we were tossing around ideas
> <http://markmail.org/message/ixc5led2lobdwij2> in the standardization
> committees we just used random identifiers for new XML namespaces, etc. that
> we would need for this discovery protocol. Now that we're about to launch we
> need to decide what to call these things. We would like to use a namespace
> in http://specs.openid.net/... because we want this kind of discovery
> protocol to be part of OpenID, but we can't really use them because we don't
> have a next-generation discovery protocol yet.
>
> So what should we use? How about http://experimental.openid.net/... ? That
> way, Relying Parties know that what we're trying to do is be a part of the
> OpenID community and bring the protocol forward. On the other hand, this
> would also be a signal to the RP that they're using a feature that has not
> been vetted as a standard yet.
>
> For example, a discovery document for a domain balfanz.net
> <http://balfanz.net> at Google might look like this (notice the
> "experimental" namespace and the XML elements using it):
>
> What do you guys think?
>
> Dirk.

From breno at google.com Fri Jul 10 11:57:02 2009
From: breno at google.com (Breno de Medeiros)
Date: Fri, 10 Jul 2009 11:57:02 -0700
Subject: [OpenID] Delegation leading to new accounts on websites
In-Reply-To: <20090710185032.GH19965@rationalarts.com>
References: <2496E279-A373-4719-AD0A-CDC28F025FC2@wingaa.com>
 <20090707230302.GD19965@rationalarts.com>
 <115AC3AA-A3FD-4C12-91CC-70B91813A3E2@wingaa.com>
 <20090710185032.GH19965@rationalarts.com>
Message-ID: <29fb00360907101157y1a21f3c2j7f5dfe5d6af1f820@mail.gmail.com>

It is not a question of expanding scope. From a security standpoint, it
makes no sense to assess only one aspect of the flow. It could be argued
that the other aspect of the flow (performing discovery of the OpenID
identifier to resolve the OP) is already performed by the RP so it can
assess the security of that secondary flow directly.

One then hopes that RPs will be sophisticated enough to understand that if
they do not assess that flow themselves (and know how to do it) then they
get essentially no benefit from using PAPE.

On Fri, Jul 10, 2009 at 11:50 AM, Johnny Bufu wrote:
> If PAPE or other extensions expand their scope and include the claimed
> identifiers or other entities into what they assert - it's a totally
> different deal.

--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
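As an added example (not from the thread), the RP-side check John and Johnny describe: a positive assertion is compared field by field with what discovery produced, openid.identity is matched as an opaque string, and the result reports whether the assertion was delegated so that a PAPE-sensitive RP can assess the delegating document separately, as Breno suggests. All identifiers, endpoints and response values are constructed.

```python
# Added example, not code from the thread. Discovery on the claimed identifier
# gives the RP the OP endpoint and, when the user delegates, an OP-issued local
# identifier that is a different string. The OP's positive assertion must match
# that discovered information field by field; openid.identity is compared as an
# opaque string (so a non-URL local id works too) and is never taken to be the
# claimed identifier. Signature checking is a separate step, not shown.
from urllib.parse import parse_qsl, urldefrag, urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# OpenID 2.0 requires these fields to be signed (claimed_id/identity when present).
MUST_BE_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle",
                  "claimed_id", "identity")


class Discovered:
    """What the RP learned from discovery on the user-supplied identifier.
    op_local_id is the identifier the OP knows the user by; it differs from
    claimed_id only when the user's own XRD/HTML delegates."""

    def __init__(self, claimed_id, op_endpoint, op_local_id=None):
        self.claimed_id = claimed_id
        self.op_endpoint = op_endpoint
        self.op_local_id = op_local_id if op_local_id is not None else claimed_id

    @property
    def delegated(self):
        return self.op_local_id != self.claimed_id


def parse_assertion(query_string):
    """Decode the indirect response the OP returned through the user agent."""
    return dict(parse_qsl(query_string, keep_blank_values=True))


def verify_against_discovery(params, discovered):
    """Compare a positive assertion with discovery. Returns (ok, problems,
    delegated); every mismatch is collected, and ok is True only if none."""
    problems = []
    if params.get("openid.ns") != OPENID2_NS:
        problems.append("not an OpenID 2.0 response")
    if params.get("openid.mode") != "id_res":
        problems.append("mode is %r, expected id_res" % params.get("openid.mode"))
    signed = set(filter(None, params.get("openid.signed", "").split(",")))
    for field in MUST_BE_SIGNED:
        if field not in signed:
            problems.append("%s is not covered by openid.sig" % field)
    # The OP may append a fragment to claimed_id; it is ignored for matching.
    claimed = urldefrag(params.get("openid.claimed_id", "")).url
    if claimed != discovered.claimed_id:
        problems.append("claimed_id %r differs from discovered %r"
                        % (claimed, discovered.claimed_id))
    # openid.identity is whatever the OP issued: compare it byte for byte and
    # never treat it as the user's claimed identifier.
    if params.get("openid.identity") != discovered.op_local_id:
        problems.append("identity %r differs from discovered OP-local id %r"
                        % (params.get("openid.identity"), discovered.op_local_id))
    if params.get("openid.op_endpoint") != discovered.op_endpoint:
        problems.append("op_endpoint %r differs from discovered %r"
                        % (params.get("openid.op_endpoint"), discovered.op_endpoint))
    # A delegated assertion means the OP cannot vouch for the delegating
    # document; an RP acting on PAPE must assess that hop itself.
    return (not problems, problems, discovered.delegated)


# Constructed discovery results: a delegating user and a non-delegating one.
ALICE = Discovered("http://alice.example.org/", "https://op.example.net/openid",
                   op_local_id="https://op.example.net/id/108495")
BOB = Discovered("https://op.example.net/id/bob", "https://op.example.net/openid")


def sample_response(**overrides):
    """A constructed positive assertion for ALICE; keyword overrides let a
    caller model a response that contradicts discovery."""
    fields = {
        "openid.ns": OPENID2_NS, "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.net/openid",
        "openid.claimed_id": "http://alice.example.org/#xrds",
        "openid.identity": "https://op.example.net/id/108495",
        "openid.return_to": "https://rp.example.com/openid/return",
        "openid.response_nonce": "2009-07-10T18:50:32ZUNIQUE",
        "openid.assoc_handle": "constructed-handle",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
        "openid.sig": "c2lnLW5vdC1jaGVja2VkLWhlcmU=",
    }
    fields.update(overrides)
    return urlencode(fields)
```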
--0016e65b41a0a5af79046e5e89a3-- From gffletch at aol.com Fri Jul 10 11:58:55 2009 From: gffletch at aol.com (George Fletcher) Date: Fri, 10 Jul 2009 14:58:55 -0400 Subject: [OpenID] experimental namespace for openid.net In-Reply-To: <60c552b80907101125v1a56d875oc846fb332200974b@mail.gmail.com> References: <60c552b80907091645j23d1a057k3b80e29d9e8f6cac@mail.gmail.com> <60c552b80907101125v1a56d875oc846fb332200974b@mail.gmail.com> Message-ID: <4A578F6F.70309@aol.com> +1 to http://experimental.openid.net It would be good to add this to the "repository" work Breno and John are doing as having a registry for experimental URIs would be good as well. Thanks, George Dirk Balfanz wrote: > [+general at openid.net for a broader audience] > > On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz > wrote: > > Hi guys, > > Google would like to launch a feature in which we're allowing our > Google Apps hosted domains to become OpenID providers. The > authentication part of it is pretty simple - Google is already > logging in users to their apps, so we can also host an OP endpoint > for those domains and send assertions back to Relying Parties. > What is more difficult is the discovery part. We have been working > with the XRI TC to define a XRD-based discovery protocol that > would allow this kind of hosting of discovery documents on behalf > of our customers. > > We believe that providing proof-of-concept implementations drives > standardization processes forward, so in this spirit we want to > launch this feature in the near future, using a discovery protocol > that as far as we can tell meets all the requirements of what the > XRI TC is currently converging on, but which has not been vetted > as an official standard (it's a chicken and egg thing - without > PoC no standards, without standards by definition no > standards-compliant implementations). > > While we were tossing around ideas > in the > standardization committees we just used random identifiers for new > XML namespaces, etc. 
that we would need for this discovery > protocol. Now that we're about to launch we need to decide what to > call these things. We would like to use a namespace > in http://specs.openid.net/... because we want this kind of > discovery protocol to be part of OpenID, but we can't really use > them because we don't have a next-generation discovery protocol yet. > > So what should we use? How > about http://experimental.openid.net/... ? That way, Relying > Parties know that what we're trying to do is be a part of the > OpenID community and bring the protocol forward. On the other > hand, this would also be a signal to the RP that they're using a > feature that has not been vetted as a standard yet. > > For example, a discovery document for a domain balfanz.net > at Google might look like this (notice the > "experimental" namespace and the XML elements using it): > > > > > > > > > > > > MIICgjCCA... > > > MIICsDCCAhmgAwIB... > > > > > > balfanz.net > > http://specs.openid.net/auth/2.0/server > http://openid.net/srv/ax/1.0 > http://specs.openid.net/extensions/pape/1.0 > https://www.google.com/a/balfanz.net/o8/ud?be=o8 > > > http://www.iana.org/assignments/relation/describedby > application/xrds+xml > https://www.google.com/accounts/o8/user-xrds?uri={%uri} > > hosted-id.google.com > > > > > > What do you guys think? > > Dirk. 
> > > ------------------------------------------------------------------------ > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs >

From john.bradley at wingaa.com Fri Jul 10 12:05:11 2009
From: john.bradley at wingaa.com (John Bradley) Date: Fri, 10 Jul 2009 15:05:11 -0400 Subject: [OpenID] Delegation leading to new accounts on websites In-Reply-To: <20090710185032.GH19965@rationalarts.com> References: <2496E279-A373-4719-AD0A-CDC28F025FC2@wingaa.com> <20090707230302.GD19965@rationalarts.com> <115AC3AA-A3FD-4C12-91CC-70B91813A3E2@wingaa.com> <20090710185032.GH19965@rationalarts.com> Message-ID:

We will have to consider it for the next rev of PAPE at least. Once there are Profiles like NIST where the OP is asserting some level of identity proofing over the claimed_id, those profiles should be clear on how or if delegation is supported.

Thanks, John B.

On 10-Jul-09, at 2:50 PM, Johnny Bufu wrote: > On Tue, Jul 07, 2009 at 07:20:49PM -0400, John Bradley wrote: >> Yes the delegated openid.identity is issued by the OP but in the >> case of >> delegation the openid.claimed_id is not. >> >> If as an example we have a pseudonymous id type that an RP can >> request via >> PAPE or some other extension and someone has delegated to that OP say >> Google, then Google has no control over the claimed_id and the >> resulting >> assertion may violate the non-correlation privacy policy. >> >> If for example the OP is assessing some profile that mandates a >> particular password strength etc. The OP has no knowledge of how >> the >> XRD doing the delegating is secured. >> >> I am saying that with delegation some of the security is outside of >> the >> control of the OP and hence the OP can't be authoritative for it >> and may >> not be able to make the same PAPE or other assertions regarding it. > > Ok, I get your point now.
The disconnect was that I took 'assertion' > in > the original comment to mean the openid _core_ assertion, in which > case > it's clear what it means and I saw no concerns for OPs. > > If PAPE or other extensions expand their scope and include the claimed > identifiers or other entities into what they assert - it's a totally > different deal. > >> There might be a legitimate reason for an OP not to support >> delegation >> under some limited circumstances. >> However most of the time it shouldn't be a problem as long as RPs are >> properly validating the returned assertions and not believing the >> openid.identity is something it is not. > > So bottom line is that OPs should be careful how they handle > delegation > with regard to certain extensions. Maybe PAPE and other extensions > should note their impact on delegation. > > > Johnny >

From pwilliams at rapattoni.com Fri Jul 10 12:36:24 2009
From: pwilliams at rapattoni.com (Peter Williams) Date: Fri, 10 Jul 2009 12:36:24 -0700 Subject: [OpenID] experimental namespace for openid.net Message-ID:

Let's remember that we are operating on this discovery topic in a culture in which corporate board members have access to political and economic info that community board members do not have, that members do not have, and folks in the openid community (e.g. Peter) do not have. To be fair, the likes of Peter should have no such access! About the only redeeming feature was that the governance apparatus was only used for PR purposes, vs technical decision making. If Google is making openid OPs of millions of domains, I can live with a bit of PR stage management to get positive initial press. The good of such massive adoption outweighs the evil of a bit of staged news management. Now the cat is out of the bag, I think that even nominal endorsement (allowing use of the domain) should require complete technical disclosure. There should be an authorized release of the XRI TC draft to the specs list.
Openid.net experimental domains may only be referenced by those protocols for which (authorized) draft dumps have been made.

-----Original Message----- From: George Fletcher Sent: Friday, July 10, 2009 11:59 AM To: Dirk Balfanz Cc: specs at openid.net ; general at openid.net List Subject: Re: [OpenID] experimental namespace for openid.net +1 to http://experimental.openid.net It would be good to add this to the "repository" work Breno and John are doing as having a registry for experimental URIs would be good as well. Thanks, George Dirk Balfanz wrote: > [+general at openid.net for a broader audience] > > On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz > wrote: > > Hi guys, > > Google would like to launch a feature in which we're allowing our > Google Apps hosted domains to become OpenID providers. The > authentication part of it is pretty simple - Google is already > logging in users to their apps, so we can also host an OP endpoint > for those domains and send assertions back to Relying Parties. > What is more difficult is the discovery part. We have been working > with the XRI TC to define a XRD-based discovery protocol that > would allow this kind of hosting of discovery documents on behalf > of our customers. > > We believe that providing proof-of-concept implementations drives > standardization processes forward, so in this spirit we want to > launch this feature in the near future, using a discovery protocol > that as far as we can tell meets all the requirements of what the > XRI TC is currently converging on, but which has not been vetted > as an official standard (it's a chicken and egg thing - without > PoC no standards, without standards by definition no > standards-compliant implementations). > > While we were tossing around ideas > in the > standardization committees we just used random identifiers for new > XML namespaces, etc. that we would need for this discovery > protocol. Now that we're about to launch we need to decide what to > call these things.
We would like to use a namespace > in http://specs.openid.net/... because we want this kind of > discovery protocol to be part of OpenID, but we can't really use > them because we don't have a next-generation discovery protocol yet. > > So what should we use? How > about http://experimental.openid.net/... ? That way, Relying > Parties know that what we're trying to do is be a part of the > OpenID community and bring the protocol forward. On the other > hand, this would also be a signal to the RP that they're using a > feature that has not been vetted as a standard yet. > > For example, a discovery document for a domain balfanz.net > at Google might look like this (notice the > "experimental" namespace and the XML elements using it): > > > > > > > > > > > > MIICgjCCA... > > > MIICsDCCAhmgAwIB... > > > > > > balfanz.net > > http://specs.openid.net/auth/2.0/server > http://openid.net/srv/ax/1.0 > http://specs.openid.net/extensions/pape/1.0 > https://www.google.com/a/balfanz.net/o8/ud?be=o8 > > > http://www.iana.org/assignments/relation/describedby > application/xrds+xml > https://www.google.com/accounts/o8/user-xrds?uri={%uri} > > hosted-id.google.com > > > > > > What do you guys think? > > Dirk. > > > ------------------------------------------------------------------------ > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > _______________________________________________ general mailing list general at openid.net http://openid.net/mailman/listinfo/general From john.bradley at wingaa.com Fri Jul 10 12:48:40 2009 From: john.bradley at wingaa.com (John Bradley) Date: Fri, 10 Jul 2009 15:48:40 -0400 Subject: [OpenID] experimental namespace for openid.net In-Reply-To: References: Message-ID: +1 Having a separate space in the OIDF schema registry for things that are experimental is a good idea. Other registries have similar concepts. 
We should however set some life expectancy for experimental things, otherwise they tend to become permanent. There are a number of us, George, Breno, Nat, Will, Dirk and others from this community, working on the XRD spec. Google has been supportive of the process. I think a proof of concept is a good idea. I am however concerned over Google setting themselves up as a resolver for host-meta documents. That is however a separate issue from Dirk's question about the namespace. Assuming we get a registry I support using http://experimental.openid.net for this.

John B.

On 10-Jul-09, at 2:59 PM, general-request at openid.net wrote: > Date: Fri, 10 Jul 2009 14:58:55 -0400 > From: George Fletcher > Subject: Re: [OpenID] experimental namespace for openid.net > To: Dirk Balfanz > Cc: specs at openid.net, "general at openid.net List" > Message-ID: <4A578F6F.70309 at aol.com> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > +1 to http://experimental.openid.net > > It would be good to add this to the "repository" work Breno and John > are > doing as having a registry for experimental URIs would be good as > well. > > Thanks, > George

From pwilliams at rapattoni.com Fri Jul 10 13:34:29 2009
From: pwilliams at rapattoni.com (Peter Williams) Date: Fri, 10 Jul 2009 13:34:29 -0700 Subject: [OpenID] experimental namespace for openid.net In-Reply-To: References: , Message-ID:

"I think a proof of concept is a good idea." -----------

It's hard to understand the technical discussion intelligently, as I for one have had no particular access to notions such as host-meta documents. I did quickly read the Google disclosure about host-meta documents, and what I see at first glance is this:

* The notion we already have in openid - of a signed link between meta-provider and authority - has moved from the existing XRD's SAML assertion's nameid/namequalifier/subject field to a couple of locator fields in a new type of SEP.
The XRD is signed directly by xmldsig, rather than using the SAML token as a signing scheme (which just removes a bit of superfluous syntax). The xmldsig has a keyinfo specifically showcasing a cert *chain* - of unknown role. The role of X.509's built-in hierarchical or policy-driven namespace-delegation-management controls is UNKNOWN. The intent is to eventually sign an XRD withOUT reference to XRDS semantics. Therefore, rather than resolve the XRD.SAML2.Subject's nameid-qualifier (to validate the authoritativeness of the SEP's link between namespaces provider and delegate), the RP will now follow the SEP's link to another meta-document - another (signed) XRD.

If the above is the main thrust of the logic, I can go off and program the openxri server to generate such a world, and see what happens in prototype interworking between discovery agents. It looks like about 16h work, at this point; mostly fiddling around with existing messages and syntaxes. Application of such core discovery processes to openid RP (where some kind of RP extension actually "tests" the authorization of an IDP service bus ("provider") to act for a given OP domain ("tenant")) seems a distinct topic to the process of merely collecting and validating the authority-claim evidence.

From atom at yahoo-inc.com Fri Jul 10 13:39:58 2009
From: atom at yahoo-inc.com (Allen Tom) Date: Fri, 10 Jul 2009 13:39:58 -0700 Subject: [OpenID] Google custom discovery In-Reply-To: References: <24431923.post@talk.nabble.com> Message-ID: <4A57A71E.5080608@yahoo-inc.com>

Would it make sense for Profile URLs to be OpenIDs, or should the Profile URL be an attribute that is shared via AX? What about users who already have both a Profile and an OpenID (with different URLs) from their OP? Should the Profile URL be delegated to the OpenID, or should they be kept separate? In the interest of interop, it would be great if the community could come up with best practices for combining Profiles and OpenIDs.
Allen Eric Sachs wrote: > Only a subset of GoogleProfile users register a username, but yes, for > those users that is the common request we get. > From andrewarnott at gmail.com Fri Jul 10 13:57:37 2009 From: andrewarnott at gmail.com (Andrew Arnott) Date: Fri, 10 Jul 2009 13:57:37 -0700 Subject: [OpenID] Delegation leading to new accounts on websites In-Reply-To: <20090710184049.GG19965@rationalarts.com> References: <2496E279-A373-4719-AD0A-CDC28F025FC2@wingaa.com> <20090707230302.GD19965@rationalarts.com> <29fb00360907091320n69cacd6cp9acfe7fdfb44a7cc@mail.gmail.com> <20090710184049.GG19965@rationalarts.com> Message-ID: <216e54900907101357j235a1796rdc3fa53eaf46de9d@mail.gmail.com> --000e0cd6ab80e247f3046e603831 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Johnny, I agree that RPs should treat them as opaque strings, but due to the constraints in the spec, I can name at least a couple of .NET openid libraries that would choke on openid.local_id values if they were not XRIs or URIs. I'm *for* loosening this up, but in the meantime, OPs should please conform to this constraint to avoid breaking RPs. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre 2009/7/10 Johnny Bufu > > On Tue, Jul 7, 2009 at 4:03 PM, Johnny Bufu > wrote: > > > Doesn't even have to be a URI even; what matters is that the OP issues > > > it, so they (can) have full control/authority over it if that's a > > > concern for them. > > On Thu, Jul 09, 2009 at 01:20:07PM -0700, Breno de Medeiros wrote: > > It does need to be an URI (at least for OpenID). See the spec definition > of > > identifiers. > > That part was overspecified, mostly for keeping the spec simpler by > having all identifiers be a subclass of URI and at the expense of some > flexibility for the OPs (if they choose to be strict about this). 
> > But from a practical / protocol point of view, the OPs are the only ones > that produce (issue) and consume (recognize/authenticate) delegate > identifiers, while the rest of the parties involved pass around and > compare them as opaque strings. > > > Johnny > > > _______________________________________________ > general mailing list > general at openid.net > http://openid.net/mailman/listinfo/general >
--000e0cd6ab80e247f3046e603831-- From sysadmin at shadowsinthegarden.com Fri Jul 10 14:02:17 2009 From: sysadmin at shadowsinthegarden.com (SitG Admin) Date: Fri, 10 Jul 2009 14:02:17 -0700 Subject: [OpenID] experimental namespace for openid.net In-Reply-To: References: Message-ID: >We should however set some life expectancy for experimental things >otherwise they tend to become permanent. Lifespan measured in duration or by adoption level? >I am however concerned over Google setting themselves up as a >resolver for host-meta documents. I would be more concerned over this were the proposed URL "experimental.google.com" rather than "experimental.openid.net". As it is I was a little sad to see a major OP being the first to gateway users to itself through openid.net, but it does make sense since major corporations have the most resources to casually lavish upon such ideas. Hopefully we will see others following this example. -Shade From johnny.bufu at gmail.com Fri Jul 10 14:11:01 2009 From: johnny.bufu at gmail.com (Johnny Bufu) Date: Fri, 10 Jul 2009 14:11:01 -0700 Subject: [OpenID] Delegation leading to new accounts on websites In-Reply-To: <216e54900907101357j235a1796rdc3fa53eaf46de9d@mail.gmail.com> References: <2496E279-A373-4719-AD0A-CDC28F025FC2@wingaa.com> <20090707230302.GD19965@rationalarts.com> <29fb00360907091320n69cacd6cp9acfe7fdfb44a7cc@mail.gmail.com> <20090710184049.GG19965@rationalarts.com> <216e54900907101357j235a1796rdc3fa53eaf46de9d@mail.gmail.com> Message-ID: <20090710211100.GA32602@rationalarts.com> On Fri, Jul 10, 2009 at 01:57:37PM -0700, Andrew Arnott wrote: > I agree that RPs should treat them as opaque strings, but due to the > constraints in the spec, I can name at least a couple of .NET openid > libraries that would choke on openid.local_id values if they were not XRIs > or URIs. I'm *for* loosening this up, but in the meantime, OPs should > please conform to this constraint to avoid breaking RPs. 
I wasn't suggesting that they don't, either. My comments were about the concerns about being authoritative over some asserted URIs, when in the case of delegated identifiers nothing of their URI-ness is actually used.

Johnny

From john.bradley at wingaa.com Fri Jul 10 14:11:18 2009
From: john.bradley at wingaa.com (John Bradley) Date: Fri, 10 Jul 2009 17:11:18 -0400 Subject: [OpenID] experimental namespace for openid.net In-Reply-To: References: Message-ID:

inline

On 10-Jul-09, at 5:02 PM, SitG Admin wrote: >> We should however set some life expectancy for experimental things >> otherwise they tend to become permanent. > > Lifespan measured in duration or by adoption level?

I think a URI should be removed after 2 years. They should be able to qualify for a specs URI in that time. Perhaps a one year extension after that if the schemas group thinks it is warranted. Otherwise people will keep the experimental URI and the distinction will become meaningless.

> >> I am however concerned over Google setting themselves up as a >> resolver for host-meta documents. > > I would be more concerned over this were the proposed URL > "experimental.google.com" rather than "experimental.openid.net". As > it is I was a little sad to see a major OP being the first to > gateway users to itself through openid.net, but it does make sense > since major corporations have the most resources to casually lavish > upon such ideas. Hopefully we will see others following this example. > > -Shade

This is a URI for an XML namespace. I don't think that in itself qualifies as gatewaying users to itself. Other things in their proposal may, but that is a separate issue from the namespace.

John B.
From jpanzer at acm.org Fri Jul 10 14:49:16 2009 From: jpanzer at acm.org (John Panzer) Date: Fri, 10 Jul 2009 14:49:16 -0700 Subject: [OpenID] Delegation leading to new accounts on websites In-Reply-To: <216e54900907101357j235a1796rdc3fa53eaf46de9d@mail.gmail.com> References: <2496E279-A373-4719-AD0A-CDC28F025FC2@wingaa.com> <20090707230302.GD19965@rationalarts.com> <29fb00360907091320n69cacd6cp9acfe7fdfb44a7cc@mail.gmail.com> <20090710184049.GG19965@rationalarts.com> <216e54900907101357j235a1796rdc3fa53eaf46de9d@mail.gmail.com> Message-ID: <30ac519d0907101449u378ca719pb98da748fea67cba@mail.gmail.com> --0015174be18a9a7b0e046e60f102 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit (What practical constraint does this impose on OPs -- which comes down to asking, what strings would cause an exception when processed by the set of existing RP libraries? Is urn:isbn:0-486-27557-4 okay, for example?) On Fri, Jul 10, 2009 at 1:57 PM, Andrew Arnott wrote: > Johnny, > I agree that RPs should treat them as opaque strings, but due to the > constraints in the spec, I can name at least a couple of .NET openid > libraries that would choke on openid.local_id values if they were not XRIs > or URIs. I'm *for* loosening this up, but in the meantime, OPs should > please conform to this constraint to avoid breaking RPs. > > -- > Andrew Arnott > "I [may] not agree with what you have to say, but I'll defend to the death > your right to say it." - S. G. Tallentyre > > > 2009/7/10 Johnny Bufu > > > On Tue, Jul 7, 2009 at 4:03 PM, Johnny Bufu >> wrote: >> > > Doesn't even have to be a URI even; what matters is that the OP issues >> > > it, so they (can) have full control/authority over it if that's a >> > > concern for them. >> >> On Thu, Jul 09, 2009 at 01:20:07PM -0700, Breno de Medeiros wrote: >> > It does need to be an URI (at least for OpenID). See the spec definition >> of >> > identifiers. 
>> >> That part was overspecified, mostly for keeping the spec simpler by >> having all identifiers be a subclass of URI and at the expense of some >> flexibility for the OPs (if they choose to be strict about this). >> >> But from a practical / protocol point of view, the OPs are the only ones >> that produce (issue) and consume (recognize/authenticate) delegate >> identifiers, while the rest of the parties involved pass around and >> compare them as opaque strings. >> >> >> Johnny >> >> >> _______________________________________________ >> general mailing list >> general at openid.net >> http://openid.net/mailman/listinfo/general >> > > > _______________________________________________ > general mailing list > general at openid.net > http://openid.net/mailman/listinfo/general > >
--0015174be18a9a7b0e046e60f102-- From john.bradley at wingaa.com Fri Jul 10 15:02:15 2009 From: john.bradley at wingaa.com (John Bradley) Date: Fri, 10 Jul 2009 18:02:15 -0400 Subject: [OpenID] Delegation leading to new accounts on websites In-Reply-To: <30ac519d0907101449u378ca719pb98da748fea67cba@mail.gmail.com> References: <2496E279-A373-4719-AD0A-CDC28F025FC2@wingaa.com> <20090707230302.GD19965@rationalarts.com> <29fb00360907091320n69cacd6cp9acfe7fdfb44a7cc@mail.gmail.com> <20090710184049.GG19965@rationalarts.com> <216e54900907101357j235a1796rdc3fa53eaf46de9d@mail.gmail.com> <30ac519d0907101449u378ca719pb98da748fea67cba@mail.gmail.com> Message-ID: <0035815E-2DCA-4AB7-A5BE-ABD0BF71CB33@wingaa.com> The spec is quite specific http: , https: URI or XRI. I suspect that RPs that support XRI will be more forgiving. Other libs may be using underlying libraries that are validating them as URL. If that assumption had not been built into the spec any string would have been appropriate. Some of those same assumptions break IRI as openID. John B. On 10-Jul-09, at 5:49 PM, John Panzer wrote: > (What practical constraint does this impose on OPs -- which comes > down to asking, what strings would cause an exception when processed > by the set of existing RP libraries? Is urn:isbn:0-486-27557-4 > okay, for example?) > > On Fri, Jul 10, 2009 at 1:57 PM, Andrew Arnott > wrote: > Johnny, > > I agree that RPs should treat them as opaque strings, but due to the > constraints in the spec, I can name at least a couple of .NET openid > libraries that would choke on openid.local_id values if they were > not XRIs or URIs. I'm for loosening this up, but in the meantime, > OPs should please conform to this constraint to avoid breaking RPs. > > -- > Andrew Arnott > "I [may] not agree with what you have to say, but I'll defend to the > death your right to say it." - S. G. 
Tallentyre > > > 2009/7/10 Johnny Bufu > > > On Tue, Jul 7, 2009 at 4:03 PM, Johnny Bufu > wrote: > > > Doesn't even have to be a URI even; what matters is that the OP > issues > > > it, so they (can) have full control/authority over it if that's a > > > concern for them. > > On Thu, Jul 09, 2009 at 01:20:07PM -0700, Breno de Medeiros wrote: > > It does need to be an URI (at least for OpenID). See the spec > definition of > > identifiers. > > That part was overspecified, mostly for keeping the spec simpler by > having all identifiers be a subclass of URI and at the expense of some > flexibility for the OPs (if they choose to be strict about this). > > But from a practical / protocol point of view, the OPs are the only > ones > that produce (issue) and consume (recognize/authenticate) delegate > identifiers, while the rest of the parties involved pass around and > compare them as opaque strings. > > > Johnny > > > _______________________________________________ > general mailing list > general at openid.net > http://openid.net/mailman/listinfo/general > > > _______________________________________________ > general mailing list > general at openid.net > http://openid.net/mailman/listinfo/general > > From david at sixapart.com Fri Jul 10 16:49:49 2009 From: david at sixapart.com (David Recordon) Date: Fri, 10 Jul 2009 16:49:49 -0700 Subject: [OpenID] experimental namespace for openid.net In-Reply-To: <4A578F6F.70309@aol.com> References: <60c552b80907091645j23d1a057k3b80e29d9e8f6cac@mail.gmail.com> <60c552b80907101125v1a56d875oc846fb332200974b@mail.gmail.com> <4A578F6F.70309@aol.com> Message-ID: <3C9C10F1-E8BF-483B-9458-2FEF752A9846@sixapart.com> Should this experimental namespace only apply to work being done by OpenID working groups? I'm very supportive of pushing the standards forward via prototypes, but that should be done as part of the OpenID community instead of by a single company. 
I'd be very happy to help get a discovery working group spun up and charter them to modernize OpenID 2.0's discovery process. --David On Jul 10, 2009, at 11:58 AM, George Fletcher wrote: > +1 to http://experimental.openid.net > > It would be good to add this to the "repository" work Breno and John > are doing as having a registry for experimental URIs would be good > as well. > > Thanks, > George > > Dirk Balfanz wrote: >> [+general at openid.net for a broader >> audience] >> >> On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz > >> wrote: >> >> Hi guys, >> Google would like to launch a feature in which we're allowing our >> Google Apps hosted domains to become OpenID providers. The >> authentication part of it is pretty simple - Google is already >> logging in users to their apps, so we can also host an OP endpoint >> for those domains and send assertions back to Relying Parties. >> What is more difficult is the discovery part. We have been working >> with the XRI TC to define a XRD-based discovery protocol that >> would allow this kind of hosting of discovery documents on behalf >> of our customers. >> We believe that providing proof-of-concept implementations drives >> standardization processes forward, so in this spirit we want to >> launch this feature in the near future, using a discovery protocol >> that as far as we can tell meets all the requirements of what the >> XRI TC is currently converging on, but which has not been vetted >> as an official standard (it's a chicken and egg thing - without >> PoC no standards, without standards by definition no >> standards-compliant implementations). >> >> While we were tossing around ideas > >in the >> standardization committees we just used random identifiers for new >> XML namespaces, etc. that we would need for this discovery >> protocol. Now that we're about to launch we need to decide what to >> call these things. We would like to use a namespace >> in http://specs.openid.net/... 
because we want this kind of >> discovery protocol to be part of OpenID, but we can't really use >> them because we don't have a next-generation discovery protocol >> yet. >> So what should we use? How >> about http://experimental.openid.net/... ? That way, Relying >> Parties know that what we're trying to do is be a part of the >> OpenID community and bring the protocol forward. On the other >> hand, this would also be a signal to the RP that they're using a >> feature that has not been vetted as a standard yet. >> For example, a discovery document for a domain balfanz.net >> at Google might look like this (notice the >> "experimental" namespace and the XML elements using it): >> >> >> >> >> >> >> >> >> >> >> >> MIICgjCCA... >> >> >> MIICsDCCAhmgAwIB... >> >> >> >> >> >> balfanz.net >> >> http://specs.openid.net/auth/2.0/server >> http://openid.net/srv/ax/1.0 >> http://specs.openid.net/extensions/pape/1.0 >> https://www.google.com/a/balfanz.net/o8/ud?be=o8 >> >> >> http://www.iana.org/assignments/relation/describedby> Type> >> application/xrds+xml >> https://www.google.com/accounts/o8/user-xrds?uri= >> {%uri} >> > experimental:URITemplate> >> hosted-id.google.com >> >> >> >> >> >> What do you guys think? >> >> Dirk. 
>> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> specs mailing list >> specs at openid.net >> http://openid.net/mailman/listinfo/specs >> > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs From jpanzer at acm.org Fri Jul 10 16:59:46 2009 From: jpanzer at acm.org (John Panzer) Date: Fri, 10 Jul 2009 16:59:46 -0700 Subject: [OpenID] Delegation leading to new accounts on websites In-Reply-To: <0035815E-2DCA-4AB7-A5BE-ABD0BF71CB33@wingaa.com> References: <2496E279-A373-4719-AD0A-CDC28F025FC2@wingaa.com> <20090707230302.GD19965@rationalarts.com> <29fb00360907091320n69cacd6cp9acfe7fdfb44a7cc@mail.gmail.com> <20090710184049.GG19965@rationalarts.com> <216e54900907101357j235a1796rdc3fa53eaf46de9d@mail.gmail.com> <30ac519d0907101449u378ca719pb98da748fea67cba@mail.gmail.com> <0035815E-2DCA-4AB7-A5BE-ABD0BF71CB33@wingaa.com> Message-ID: <30ac519d0907101659o2f98ee24jc33b4774aadc2906@mail.gmail.com> --0015174be87458945d046e62c44f Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Too bad. Good nit to fix in a potential future rev when libraries need upgrading anyway. On Fri, Jul 10, 2009 at 3:02 PM, John Bradley wrote: > The spec is quite specific http: , https: URI or XRI. > > I suspect that RPs that support XRI will be more forgiving. Other libs may > be using underlying libraries that are validating them as URL. > > If that assumption had not been built into the spec any string would have > been appropriate. > > Some of those same assumptions break IRI as openID. > > John B. > > On 10-Jul-09, at 5:49 PM, John Panzer wrote: > > (What practical constraint does this impose on OPs -- which comes down to >> asking, what strings would cause an exception when processed by the set of >> existing RP libraries? Is urn:isbn:0-486-27557-4 okay, for example?) 
>> >> On Fri, Jul 10, 2009 at 1:57 PM, Andrew Arnott >> wrote: >> Johnny, >> >> I agree that RPs should treat them as opaque strings, but due to the >> constraints in the spec, I can name at least a couple of .NET openid >> libraries that would choke on openid.local_id values if they were not XRIs >> or URIs. I'm for loosening this up, but in the meantime, OPs should please >> conform to this constraint to avoid breaking RPs. >> >> -- >> Andrew Arnott >> "I [may] not agree with what you have to say, but I'll defend to the death >> your right to say it." - S. G. Tallentyre >> >> >> 2009/7/10 Johnny Bufu >> >> > On Tue, Jul 7, 2009 at 4:03 PM, Johnny Bufu >> wrote: >> > > Doesn't even have to be a URI even; what matters is that the OP issues >> > > it, so they (can) have full control/authority over it if that's a >> > > concern for them. >> >> On Thu, Jul 09, 2009 at 01:20:07PM -0700, Breno de Medeiros wrote: >> > It does need to be an URI (at least for OpenID). See the spec definition >> of >> > identifiers. >> >> That part was overspecified, mostly for keeping the spec simpler by >> having all identifiers be a subclass of URI and at the expense of some >> flexibility for the OPs (if they choose to be strict about this). >> >> But from a practical / protocol point of view, the OPs are the only ones >> that produce (issue) and consume (recognize/authenticate) delegate >> identifiers, while the rest of the parties involved pass around and >> compare them as opaque strings. >> >> >> Johnny >> >> >> _______________________________________________ >> general mailing list >> general at openid.net >> http://openid.net/mailman/listinfo/general >> >> >> _______________________________________________ >> general mailing list >> general at openid.net >> http://openid.net/mailman/listinfo/general >> >> >> > --0015174be87458945d046e62c44f Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Too bad. 
--0015174be87458945d046e62c44f-- From jpanzer at acm.org Fri Jul 10 17:12:40 2009 From: jpanzer at acm.org (John Panzer) Date: Fri, 10 Jul 2009 17:12:40 -0700 Subject: [OpenID] Delegation leading to new accounts on websites In-Reply-To: <4A3EB277.1000206@btinternet.com> References: <4A3EB277.1000206@btinternet.com> Message-ID: <30ac519d0907101712s7e7088e4p1e45a1a10f13f0b8@mail.gmail.com> --0015174bdf287974be046e62f25e Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Just to double check, it sounds like Get Satisfaction and Userstyles.org are not spec-compliant if they are picking up the OP-relative local_id and using it as the users's claimed_id. Right? On Sun, Jun 21, 2009 at 3:21 PM, Tom Edwards wrote: > My personal OpenID server broke a while back, and I've decided this evening > to start delegating in order continue using my personal URL (< > http://steamreview.org>). This is the code now in my page header: > >> >> >> > But when I login to the sites I used my openid on before it broke (I've > tried Get Satisfaction and Userstyles.org so far), they don't recognise me > as an pre-existing user. They think I'm www.flickr.com/photos/varsity/, > whereas I actually still want to be steamreview.org. > > Is this intended behaviour? I thought the point of delegation was to allow > people to switch providers without changing consumer-facing identity. > > _______________________________________________ > general mailing list > general at openid.net > http://openid.net/mailman/listinfo/general > --0015174bdf287974be046e62f25e Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Just to double check, it sounds like Get Satisfaction and Userstyles.org ar= e not spec-compliant if they are picking up the OP-relative local_id and us= ing it as the users's claimed_id.=A0=A0Right?
(The two link elements in Tom Edwards's page header, which the plain-text part above drops, as they appear in the HTML part of the same message:)
<link rel="openid.delegate openid2.local_id" href="http://www.flickr.com/photos/varsity/" />
<link rel="openid.server openid2.provider" href="https://open.login.yahooapis.com/openid/op/auth" />
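John Panzer's question (and Tom's delegation header) comes down to which identifier the RP stores and what it checks before trusting an assertion. The following is an added example, not code from this thread nor from any of the RPs or libraries mentioned in it: a Python sketch of the RP-side steps OpenID 2.0 describes, namely HTML-based discovery that picks up openid2.provider and openid2.local_id, the identifier syntax constraint (http/https URL or XRI, so a urn: string is rejected), and the section 11.2 comparison of the assertion's claimed_id, identity and op_endpoint against what was discovered, keying the account on the claimed identifier rather than on the OP-Local Identifier. The identity page, the assertion strings and the second OP endpoint are constructed for the example; signature and nonce checks are separate and not shown.

```python
"""RP-side OpenID 2.0 HTML discovery and identifier checks (added example).

The sample page mirrors the delegation header quoted in the thread; the
assertion query strings and the second OP endpoint are constructed, not
captured traffic.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urldefrag

# Constructed identity page: delegation header as quoted in the thread.
SAMPLE_PAGE = """<html><head>
<link rel="openid.delegate openid2.local_id" href="http://www.flickr.com/photos/varsity/" />
<link rel="openid.server openid2.provider" href="https://open.login.yahooapis.com/openid/op/auth" />
</head><body>hello</body></html>"""


class _LinkCollector(HTMLParser):
    """Collects (rel-tokens, href) pairs from <link> tags on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "link":
            a = dict(attrs)
            if a.get("rel") and a.get("href"):
                self.links.append((set(a["rel"].lower().split()), a["href"]))


def discover(claimed_id, page_html):
    """HTML-based discovery (OpenID 2.0 section 7.3.3).

    openid2.provider names the OP endpoint; openid2.local_id, when present,
    is the OP-Local Identifier (delegation). Without it the local identifier
    is the claimed identifier itself.
    """
    p = _LinkCollector()
    p.feed(page_html)
    endpoint = local_id = None
    for rels, href in p.links:
        if "openid2.provider" in rels:
            endpoint = href
        if "openid2.local_id" in rels:
            local_id = href
    if endpoint is None:
        raise ValueError("no openid2.provider <link> on the identity page")
    return {"claimed_id": claimed_id, "op_endpoint": endpoint,
            "local_id": local_id or claimed_id}


_XRI = re.compile(r"^(xri://|[=@+$!])")


def is_openid_identifier(s):
    """Identifiers must be http/https URLs or XRIs (section 7.2); urn: is neither."""
    return s.startswith(("http://", "https://")) or bool(_XRI.match(s))


def verify_identifiers(query, discovered):
    """Check a positive assertion's identifier fields against discovery
    (section 11.2). Returns (ok, account_key_or_reason)."""
    p = dict(parse_qsl(query, keep_blank_values=True))
    claimed = p.get("openid.claimed_id")
    identity = p.get("openid.identity")
    endpoint = p.get("openid.op_endpoint")
    if not (claimed and identity and endpoint):
        return False, "missing claimed_id, identity or op_endpoint"
    if not is_openid_identifier(identity):
        return False, "openid.identity is neither a URL nor an XRI"
    # The OP may append a fragment to claimed_id; strip it before comparing.
    claimed_base, _fragment = urldefrag(claimed)
    if claimed_base != discovered["claimed_id"]:
        return False, "claimed_id does not match the discovered identifier"
    if identity != discovered["local_id"]:
        return False, "identity does not match the discovered OP-Local Identifier"
    if endpoint != discovered["op_endpoint"]:
        return False, "op_endpoint is not authoritative for this claimed_id"
    # Key the local account on the claimed identifier, never on openid.identity.
    return True, claimed_base


# Constructed positive assertion from the OP the page delegates to.
GOOD = ("openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
        "&openid.claimed_id=http://steamreview.org/"
        "&openid.identity=http://www.flickr.com/photos/varsity/"
        "&openid.op_endpoint=https://open.login.yahooapis.com/openid/op/auth")
# Constructed assertion for the same identifiers from an OP discovery never named (assumed endpoint).
FORGED = GOOD.replace("https://open.login.yahooapis.com/openid/op/auth",
                      "https://op.example.invalid/auth")

if __name__ == "__main__":
    disc = discover("http://steamreview.org/", SAMPLE_PAGE)
    print(verify_identifiers(GOOD, disc))    # (True, 'http://steamreview.org/')
    print(verify_identifiers(FORGED, disc))  # rejected: op_endpoint not authoritative
```

An RP that stores `openid.identity` instead of the verified claimed identifier is the behaviour Panzer describes: the user shows up as the flickr URL. An RP that skips the `op_endpoint` comparison accepts the second assertion, which is what makes an unverified claimed_id worthless as an account key.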
--0015174bdf287974be046e62f25e-- From breno at google.com Fri Jul 10 17:13:21 2009 From: breno at google.com (Breno de Medeiros) Date: Fri, 10 Jul 2009 17:13:21 -0700 Subject: [OpenID] experimental namespace for openid.net In-Reply-To: <3C9C10F1-E8BF-483B-9458-2FEF752A9846@sixapart.com> References: <60c552b80907091645j23d1a057k3b80e29d9e8f6cac@mail.gmail.com> <60c552b80907101125v1a56d875oc846fb332200974b@mail.gmail.com> <4A578F6F.70309@aol.com> <3C9C10F1-E8BF-483B-9458-2FEF752A9846@sixapart.com> Message-ID: <29fb00360907101713g2d327f75obd61278634867ddb@mail.gmail.com> A charter proposal for the WG already exists. On Fri, Jul 10, 2009 at 4:49 PM, David Recordon wrote: > Should this experimental namespace only apply to work being done by OpenID > working groups? ?I'm very supportive of pushing the standards forward via > prototypes, but that should be done as part of the OpenID community instead > of by a single company. > > I'd be very happy to help get a discovery working group spun up and charter > them to modernize OpenID 2.0's discovery process. > > --David > > On Jul 10, 2009, at 11:58 AM, George Fletcher wrote: > >> +1 to http://experimental.openid.net >> >> It would be good to add this to the "repository" work Breno and John are >> doing as having a registry for experimental URIs would be good as well. >> >> Thanks, >> George >> >> Dirk Balfanz wrote: >>> >>> [+general at openid.net for a broader audience] >>> >>> On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz >> > wrote: >>> >>> ? Hi guys, >>> ? Google would like to launch a feature in which we're allowing our >>> ? Google Apps hosted domains to become OpenID providers. The >>> ? authentication part of it is pretty simple - Google is already >>> ? logging in users to their apps, so we can also host an OP endpoint >>> ? for those domains and send assertions back to Relying Parties. >>> ? What is more difficult is the discovery part. We have been working >>> ? 
with the XRI TC to define a XRD-based discovery protocol that >>> ? would allow this kind of hosting of discovery documents on behalf >>> ? of our customers. >>> ? We believe that providing proof-of-concept implementations drives >>> ? standardization processes forward, so in this spirit we want to >>> ? launch this feature in the near future, using a discovery protocol >>> ? that as far as we can tell meets all the requirements of what the >>> ? XRI TC is currently converging on, but which has not been vetted >>> ? as an official standard (it's a chicken and egg thing - without >>> ? PoC no standards, without standards by definition no >>> ? standards-compliant implementations). >>> >>> ? While we were tossing around ideas >>> in the >>> ? standardization committees we just used random identifiers for new >>> ? XML namespaces, etc. that we would need for this discovery >>> ? protocol. Now that we're about to launch we need to decide what to >>> ? call these things. We would like to use a namespace >>> ? in http://specs.openid.net/... because we want this kind of >>> ? discovery protocol to be part of OpenID, but we can't really use >>> ? them because we don't have a next-generation discovery protocol yet. >>> ? So what should we use? How >>> ? about http://experimental.openid.net/... ? That way, Relying >>> ? Parties know that what we're trying to do is be a part of the >>> ? OpenID community and bring the protocol forward. On the other >>> ? hand, this would also be a signal to the RP that they're using a >>> ? feature that has not been vetted as a standard yet. >>> ? For example, a discovery document for a domain balfanz.net >>> ? at Google might look like this (notice the >>> ? "experimental" namespace and the XML elements using it): >>> >>> ? >>> ? >>> ? ? >>> ? ? >>> ? ? >> Algorithm="http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets" >>> /> >>> ? ? >> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> >>> ? ? >>> ? ? >>> ? ? >>> ? ? 
>>> ? ? MIICgjCCA... >>> ? ? >>> ? ? >>> ? ? MIICsDCCAhmgAwIB... >>> ? ? >>> ? ? >>> ? ? >>> ? ? >>> ? ? >>> ? ? balfanz.net >>> ? ? >>> ? ? http://specs.openid.net/auth/2.0/server >>> ? ? http://openid.net/srv/ax/1.0 >>> ? ? http://specs.openid.net/extensions/pape/1.0 >>> ? ? https://www.google.com/a/balfanz.net/o8/ud?be=o8 >>> ? ? >>> ? ? >> xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/"> >>> ? ? http://www.iana.org/assignments/relation/describedby >>> ? ? application/xrds+xml >>> >>> https://www.google.com/accounts/o8/user-xrds?uri={%uri} >>> >>> >>> ? ? hosted-id.google.com >>> ? >>> ? ? >>> ? ? >>> ? >>> >>> ? What do you guys think? >>> >>> ? Dirk. >>> >>> >>> ------------------------------------------------------------------------ >>> >>> _______________________________________________ >>> specs mailing list >>> specs at openid.net >>> http://openid.net/mailman/listinfo/specs >>> >> >> _______________________________________________ >> specs mailing list >> specs at openid.net >> http://openid.net/mailman/listinfo/specs > > _______________________________________________ > general mailing list > general at openid.net > http://openid.net/mailman/listinfo/general > -- --Breno +1 (650) 214-1007 desk +1 (408) 212-0135 (Grand Central) MTV-41-3 : 383-A PST (GMT-8) / PDT(GMT-7) From breno at google.com Fri Jul 10 17:13:46 2009 From: breno at google.com (Breno de Medeiros) Date: Fri, 10 Jul 2009 17:13:46 -0700 Subject: [OpenID] Delegation leading to new accounts on websites In-Reply-To: <30ac519d0907101712s7e7088e4p1e45a1a10f13f0b8@mail.gmail.com> References: <4A3EB277.1000206@btinternet.com> <30ac519d0907101712s7e7088e4p1e45a1a10f13f0b8@mail.gmail.com> Message-ID: <29fb00360907101713q42978114i1872325a2a364ba5@mail.gmail.com> Yes. 
On Fri, Jul 10, 2009 at 5:12 PM, John Panzer wrote: > Just to double check, it sounds like Get Satisfaction and Userstyles.org are > not spec-compliant if they are picking up the OP-relative local_id and using > it as the users's claimed_id.??Right? -- --Breno +1 (650) 214-1007 desk +1 (408) 212-0135 (Grand Central) MTV-41-3 : 383-A PST (GMT-8) / PDT(GMT-7) From santrajan at gmail.com Fri Jul 10 19:35:25 2009 From: santrajan at gmail.com (Santosh Rajan) Date: Fri, 10 Jul 2009 19:35:25 -0700 (PDT) Subject: [OpenID] Google custom discovery In-Reply-To: <29fb00360907101121oe43a5e0tc226a94e328b380e@mail.gmail.com> References: <24431923.post@talk.nabble.com> <24432348.post@talk.nabble.com> <29fb00360907101120y66df4ae6ndc9fef7243e7f2dd@mail.gmail.com> <29fb00360907101121oe43a5e0tc226a94e328b380e@mail.gmail.com> Message-ID: <24436735.post@talk.nabble.com> Short of pimping something I have started off here, Why didnt Google go for something like this? http://wiki.openid.net/OpenID-discovery-for-Email-Like-identifiers http://wiki.openid.net/OpenID-discovery-for-Email-Like-identifiers This would have avoided XRDS and would have been more in line with the current work done. Breno de Medeiros wrote: > > Actually, the better link is: > http://www.abstractioneer.org/2009/04/personal-web-discovery.html > > and the linked posts in hueniverse.org > > On Fri, Jul 10, 2009 at 11:20 AM, Breno de Medeiros > wrote: > >> There is already a proposal for this called webfinger: >> http://www.abstractioneer.org/ >> >> It leverages the LRDD proposal to provide a generic mechanism for email >> addresses, xmpp addresses, etc. >> >> >> On Fri, Jul 10, 2009 at 11:16 AM, Santosh Rajan >> wrote: >> >>> >>> It could be the gmail username, and google profile usernames they dont >>> clash. >>> Problem is only for Google employees who have google.com email >>> addresses. 
>>> :) >>> >>> Eric Sachs wrote: >>> > >>> > Only a subset of GoogleProfile users register a username, but yes, for >>> > those >>> > users that is the common request we get. >>> > >>> > On Fri, Jul 10, 2009 at 10:46 AM, Santosh Rajan >>> > wrote: >>> > >>> >> >>> >> Actually why dont you do discovery on >>> >> http://google.com/username >>> >> You can do that without clashing with your google.com namespace by >>> only >>> >> responding to "Accept" header request with "application/XRD". That >>> would >>> >> really make a killer OpenID. >>> >> >>> >> >>> >> Eric Sachs wrote: >>> >> > >>> >> > The feature in this area that we get more requests for is to >>> support >>> >> > OpenID >>> >> > validation for the relatively new Google Profiles service, i.e. >>> >> > profiles.google.com, which is also a more memorable endpoint for >>> users >>> >> to >>> >> > type :-). That support is not yet available, but its definitely on >>> the >>> >> > list. >>> >> > On Fri, Jul 10, 2009 at 10:16 AM, Peter Williams >>> >> > wrote: >>> >> > >>> >> >> Lets hope it prompts google to do much better: http://op. >>> google.com: >>> >> >> forming the eminently typable "op.google.com". >>> >> >> >>> >> >> They might even have that redirect to http://google.com/op which >>> they >>> >> >> might make an xri mount point to the I-brokered authority that >>> serves >>> >> the >>> >> >> op >>> >> >> xrd/s. If their op is a real xri-labelled authority, a ref field >>> in >>> >> the >>> >> >> sep >>> >> >> can even properly provide for delgated authorization of xrd files >>> by >>> >> user >>> >> >> authorities (which openid auth hacks up as openid delegation, when >>> >> >> abusing >>> >> >> the semantics of the op local id field per jonny bufu's recent >>> >> message). >>> >> >> >>> >> >> I dont think its hard to meet professional security engineering >>> >> standards >>> >> >> within openid: just be complete about xri semantics (even when >>> using >>> >> http >>> >> >> identifiers). 
We dont need custom extensions for discovery, >>> >> particularly >>> >> >> if >>> >> >> they project idp-centric vs user centric identity models. >>> >> >> >>> >> >> But lets wait and see how they are signing the xrd files (the way >>> the >>> >> >> openxri server does it (per the standard), or "otherwise"). The >>> >> validity >>> >> >> logic for verifying that signature will tell us what class of >>> trust >>> >> >> semantics they are working towards: google as ttp for attribute >>> >> sharing, >>> >> >> or >>> >> >> uci. >>> >> >> >>> >> >> ________________________________ >>> >> >> From: Andrew Arnott >>> >> >> Sent: Thursday, July 09, 2009 8:30 PM >>> >> >> To: Peter Williams >>> >> >> Cc: Eric Sachs ; general at openid.net >>> >> >> ; >>> >> >> Paul Johnston >>> >> >> Subject: Re: [OpenID] What is my Google OpenID URL? >>> >> >> >>> >> >> Wow. I'm going to have to use that tinyurl everywhere now. :-p >>> >> >> >>> >> >> -- >>> >> >> Andrew Arnott >>> >> >> "I [may] not agree with what you have to say, but I'll defend to >>> the >>> >> >> death >>> >> >> your right to say it." - S. G. Tallentyre >>> >> >> >>> >> >> >>> >> >> On Thu, Jul 9, 2009 at 8:24 PM, Peter Williams >>> >> >> >> >> > wrote: >>> >> >> come on google, it takes you 10s to have a redirector URL >>> >> >> (op.google.com< >>> >> >> http://op.google.com>, perhaps?) redirect to the >>> >> >> https://www.google.com/accounts/o8/id. Conforming RPs are require >>> to >>> >> >> follow the redirect, before detecting that the XRD at that address >>> is >>> >> an >>> >> >> law#4-capable OP, vs a user. 
>>> >> >> >>> >> >> >>> >> >> http://tinyurl.com/googop now produces >>> >> >> >>> >> >> - >>> >> >> >> >> xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"> >>> >> >> - >>> >>> >> >> - >>> >> >> >> >> priority="0"> >>> >> >> http://specs.openid.net/auth/2.0/server >>> >> >> http://openid.net/srv/ax/1.0 >>> >> >> http://specs.openid.net/extensions/ui/1.0/mode/popup >>> >> >> http://specs.openid.net/extensions/ui/1.0/icon >>> >> >> http://specs.openid.net/extensions/pape/1.0 >>> >> >> https://www.google.com/accounts/o8/ud >>> >> >> >>> >> >> >>> >> >> >>> >> >> im sure google can do better than tinyurl.com! >>> >> >> >>> >> >> How about op.google.com?! >>> >> >> >>> >> >> ________________________________ >>> >> >> From: >>> general-bounces at openid.net >>> [ >>> >> >> general-bounces at openid.net] On >>> >> Behalf >>> >> >> Of Andrew Arnott [andrewarnott at gmail.com>> andrewarnott at gmail.com >>> >> >] >>> >> >> Sent: Thursday, July 09, 2009 7:16 PM >>> >> >> To: Eric Sachs >>> >> >> Cc: general at openid.net; Paul Johnston >>> >> >> Subject: Re: [OpenID] What is my Google OpenID URL? >>> >> >> >>> >> >> Note that using your Blogger blog URL is not equivalent to using >>> >> >> https://www.google.com/accounts/o8/id. Besides the user interface >>> of >>> >> the >>> >> >> login experience being completely different, Blogger's Provider is >>> >> only >>> >> >> an >>> >> >> OpenID 1.1 provider, whereas Google's >>> >> >> https://www.google.com/accounts/o8/id OpenID Provider is a more >>> secure >>> >> >> OpenID 2.0 provider. >>> >> >> >>> >> >> -- >>> >> >> Andrew Arnott >>> >> >> "I [may] not agree with what you have to say, but I'll defend to >>> the >>> >> >> death >>> >> >> your right to say it." - S. G. 
Tallentyre >>> >> >> >>> >> >> >>> >> >> On Thu, Jul 9, 2009 at 6:38 PM, Eric Sachs >> >> >> >> >>> >> esachs at google.com>>> >>> >>> >> >> wrote: >>> >> >> If you create a blog on Google's blogger service, then you can >>> type >>> >> the >>> >> >> name of that blog into OpenID login boxes. >>> >> >> >>> >> >> If you are willing to be really geeky, type in >>> >> >> https://www.google.com/accounts/o8/id. That points to the generic >>> >> Google >>> >> >> identity provider, and you will be redirected back with an opaque >>> >> >> identifier. But we don't actually expect anyone to know to do >>> that >>> >> which >>> >> >> is >>> >> >> why a lot of OpenID relying parties are supporting other user >>> >> interfaces >>> >> >> with buttons for Google. For example, see >>> >> >> http://uservoice.com/session/new >>> >> >> >>> >> >> Similarly a lot of blogs allow you to comment and identify you >>> with >>> an >>> >> >> OpenID URL, and while you can try one of the tricks above, many of >>> the >>> >> >> blog >>> >> >> commenting interfaces also include buttons (or the NASCAR style UI >>> as >>> >> the >>> >> >> community likes to call it) to help users navigate their way >>> through. >>> >> >> >>> >> >> On Tue, Jul 7, 2009 at 11:34 PM, Paul Johnston >>> >> >> >> >> >> >>> >> paj at pajhome.org.uk>>> paj at pajhome.org.uk >>> >> >>> >>> >> >> wrote: >>> >> >> Hi, >>> >> >> >>> >> >> I'm sorry for asking such an obvious question, but after >>> considerable >>> >> >> time spent searching for this I am unable to figure this out. >>> >> >> >>> >> >> My google account name is paul.paj. I would like to login to >>> >> >> bitbucket.org using >>> >> OpenID. >>> >> >> How do I do it? 
>>> >> >> >>> >> >> Paul >>> >> >> _______________________________________________ >>> >> >> general mailing list >>> >> >> >>> >> general at openid.net>> general at openid.net >>> >> >> > >>> >> >> http://openid.net/mailman/listinfo/general >>> >> >> >>> >> >> >>> >> >> _______________________________________________ >>> >> >> general mailing list >>> >> >> >>> >> general at openid.net>> general at openid.net >>> >> >> > >>> >> >> http://openid.net/mailman/listinfo/general >>> >> >> >>> >> >> >>> >> >> >>> >> >> _______________________________________________ >>> >> >> general mailing list >>> >> >> general at openid.net >>> >> >> http://openid.net/mailman/listinfo/general >>> >> >> >>> >> > >>> >> > _______________________________________________ >>> >> > general mailing list >>> >> > general at openid.net >>> >> > http://openid.net/mailman/listinfo/general >>> >> > >>> >> > >>> >> >>> >> >>> >> ----- >>> >> >>> >> Santosh Rajan >>> >> http://santrajan.blogspot.com http://santrajan.blogspot.com >>> >> -- >>> >> View this message in context: >>> >> >>> http://www.nabble.com/Google-custom-discovery-tp24431509p24431923.html >>> >> Sent from the OpenID - General mailing list archive at Nabble.com. >>> >> >>> >> _______________________________________________ >>> >> general mailing list >>> >> general at openid.net >>> >> http://openid.net/mailman/listinfo/general >>> >> >>> > >>> > _______________________________________________ >>> > general mailing list >>> > general at openid.net >>> > http://openid.net/mailman/listinfo/general >>> > >>> > >>> >>> >>> ----- >>> >>> Santosh Rajan >>> http://santrajan.blogspot.com http://santrajan.blogspot.com >>> -- >>> View this message in context: >>> http://www.nabble.com/Google-custom-discovery-tp24431509p24432348.html >>> Sent from the OpenID - General mailing list archive at Nabble.com. 
>>> >>> _______________________________________________ >>> general mailing list >>> general at openid.net >>> http://openid.net/mailman/listinfo/general >>> >> >> >> >> -- >> --Breno >> >> +1 (650) 214-1007 desk >> +1 (408) 212-0135 (Grand Central) >> MTV-41-3 : 383-A >> PST (GMT-8) / PDT(GMT-7) >> > > > > -- > --Breno > > +1 (650) 214-1007 desk > +1 (408) 212-0135 (Grand Central) > MTV-41-3 : 383-A > PST (GMT-8) / PDT(GMT-7) > > _______________________________________________ > general mailing list > general at openid.net > http://openid.net/mailman/listinfo/general > > ----- Santosh Rajan http://santrajan.blogspot.com http://santrajan.blogspot.com -- View this message in context: http://www.nabble.com/Google-custom-discovery-tp24431509p24436735.html Sent from the OpenID - General mailing list archive at Nabble.com. From santrajan at gmail.com Fri Jul 10 19:49:34 2009 From: santrajan at gmail.com (Santosh Rajan) Date: Fri, 10 Jul 2009 19:49:34 -0700 (PDT) Subject: [OpenID] experimental namespace for openid.net In-Reply-To: <3C9C10F1-E8BF-483B-9458-2FEF752A9846@sixapart.com> References: <60c552b80907101125v1a56d875oc846fb332200974b@mail.gmail.com> <4A578F6F.70309@aol.com> <3C9C10F1-E8BF-483B-9458-2FEF752A9846@sixapart.com> Message-ID: <24436805.post@talk.nabble.com> Yes please start one immediately with people who can afford to throw in a substantial amount of time on this in the near future. I am willing to put in 25 hrs a week for this, for the the next 4 weeks. I am not up to speed on all the authentication technologies but at least I can help with writing, co ordination etc if someone more experienced in all this (and has less time to offer) can guide me. As for the old discovery proposal I think it is as good as defunct now. David Recordon wrote: > > > > I'd be very happy to help get a discovery working group spun up and > charter them to modernize OpenID 2.0's discovery process. 
> > --David > > On Jul 10, 2009, at 11:58 AM, George Fletcher wrote: > >> +1 to http://experimental.openid.net >> >> It would be good to add this to the "repository" work Breno and John >> are doing as having a registry for experimental URIs would be good >> as well. >> >> Thanks, >> George >> >> Dirk Balfanz wrote: >>> [+general at openid.net for a broader >>> audience] >>> >>> On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz >> >> >> wrote: >>> >>> Hi guys, >>> Google would like to launch a feature in which we're allowing our >>> Google Apps hosted domains to become OpenID providers. The >>> authentication part of it is pretty simple - Google is already >>> logging in users to their apps, so we can also host an OP endpoint >>> for those domains and send assertions back to Relying Parties. >>> What is more difficult is the discovery part. We have been working >>> with the XRI TC to define a XRD-based discovery protocol that >>> would allow this kind of hosting of discovery documents on behalf >>> of our customers. >>> We believe that providing proof-of-concept implementations drives >>> standardization processes forward, so in this spirit we want to >>> launch this feature in the near future, using a discovery protocol >>> that as far as we can tell meets all the requirements of what the >>> XRI TC is currently converging on, but which has not been vetted >>> as an official standard (it's a chicken and egg thing - without >>> PoC no standards, without standards by definition no >>> standards-compliant implementations). >>> >>> While we were tossing around ideas >>> >> >in the >>> standardization committees we just used random identifiers for new >>> XML namespaces, etc. that we would need for this discovery >>> protocol. Now that we're about to launch we need to decide what to >>> call these things. We would like to use a namespace >>> in http://specs.openid.net/... 
because we want this kind of >>> discovery protocol to be part of OpenID, but we can't really use >>> them because we don't have a next-generation discovery protocol >>> yet. >>> So what should we use? How >>> about http://experimental.openid.net/... ? That way, Relying >>> Parties know that what we're trying to do is be a part of the >>> OpenID community and bring the protocol forward. On the other >>> hand, this would also be a signal to the RP that they're using a >>> feature that has not been vetted as a standard yet. >>> For example, a discovery document for a domain balfanz.net >>> at Google might look like this (notice the >>> "experimental" namespace and the XML elements using it): >>> >>> >>> >>> >>> >>> >> Algorithm="http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets >>> " /> >>> >> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1 >>> " /> >>> >>> >>> >>> >>> MIICgjCCA... >>> >>> >>> MIICsDCCAhmgAwIB... >>> >>> >>> >>> >>> >>> balfanz.net >>> >>> http://specs.openid.net/auth/2.0/server >>> http://openid.net/srv/ax/1.0 >>> http://specs.openid.net/extensions/pape/1.0 >>> https://www.google.com/a/balfanz.net/o8/ud?be=o8 >>> >>> >> xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/ >>> "> >>> http://www.iana.org/assignments/relation/describedby>> Type> >>> application/xrds+xml >>> >>> https://www.google.com/accounts/o8/user-xrds?uri= >>> {%uri} >>> >> experimental:URITemplate> >>> hosted-id.google.com >>> >>> >>> >>> >>> >>> What do you guys think? >>> >>> Dirk. 
>>> >>> >>> ------------------------------------------------------------------------ >>> >>> _______________________________________________ >>> specs mailing list >>> specs at openid.net >>> http://openid.net/mailman/listinfo/specs >>> >> >> _______________________________________________ >> specs mailing list >> specs at openid.net >> http://openid.net/mailman/listinfo/specs > > _______________________________________________ > general mailing list > general at openid.net > http://openid.net/mailman/listinfo/general > > ----- Santosh Rajan http://santrajan.blogspot.com http://santrajan.blogspot.com -- View this message in context: http://www.nabble.com/Re%3A-experimental-namespace-for-openid.net-tp24432471p24436805.html Sent from the OpenID - General mailing list archive at Nabble.com. From john.bradley at wingaa.com Fri Jul 10 21:09:30 2009 From: john.bradley at wingaa.com (John Bradley) Date: Sat, 11 Jul 2009 00:09:30 -0400 Subject: [OpenID] Delegation leading to new accounts on websites In-Reply-To: References: Message-ID: Using the OP Local ID as the claimed_id would be broken. I just had a quick look at Userstyles.org they have broken ruby code in there RP. The good news is that they have a flaw that will let the user log back in withy his original claimed_id. The bad news is that anyone else can as well. They have bigger problems than delegation they should update to the latest version of the Ruby library. I didn't check the other RP. It would be a good idea for those RPs to check themselves against the OSIS tests. John B. 
On 10-Jul-09, at 10:35 PM, general-request at openid.net wrote: > Date: Fri, 10 Jul 2009 17:12:40 -0700 > From: John Panzer > Subject: Re: [OpenID] Delegation leading to new accounts on websites > Cc: general at openid.net > Message-ID: > <30ac519d0907101712s7e7088e4p1e45a1a10f13f0b8 at mail.gmail.com> > Content-Type: multipart/alternative; > boundary=0015174bdf287974be046e62f25e > > --0015174bdf287974be046e62f25e > Content-Type: text/plain; charset=ISO-8859-1 > Content-Transfer-Encoding: 7bit > > Just to double check, it sounds like Get Satisfaction and > Userstyles.org are > not spec-compliant if they are picking up the OP-relative local_id > and using > it as the users's claimed_id. Right? > > On Sun, Jun 21, 2009 at 3:21 PM, Tom Edwards > wrote: > >> My personal OpenID server broke a while back, and I've decided this >> evening >> to start delegating in order continue using my personal URL (< >> http://steamreview.org>). This is the code now in my page header: >> >>> >>> >>> >> But when I login to the sites I used my openid on before it broke >> (I've >> tried Get Satisfaction and Userstyles.org so far), they don't >> recognise me >> as an pre-existing user. They think I'm www.flickr.com/photos/varsity/ >> , >> whereas I actually still want to be steamreview.org. >> >> Is this intended behaviour? I thought the point of delegation was >> to allow >> people to switch providers without changing consumer-facing identity. 
From pwilliams at rapattoni.com Sat Jul 11 12:40:34 2009
From: pwilliams at rapattoni.com (Peter Williams)
Date: Sat, 11 Jul 2009 12:40:34 -0700
Subject: [OpenID] experimental namespace for openid.net
In-Reply-To: <60c552b80907101125v1a56d875oc846fb332200974b@mail.gmail.com>
References: <60c552b80907091645j23d1a057k3b80e29d9e8f6cac@mail.gmail.com>, <60c552b80907101125v1a56d875oc846fb332200974b@mail.gmail.com>
Message-ID:

I successfully subclassed the openxri Java server to sign XRDs using xmldsig, removing the SAML2 assertion wrapper used by XRI's own trusted resolution procedures when providing evidence that agents are authoritative (or delegates are authorized) according to the native XRI validation logic. The tool produces signed output similar to the mail below.

http://cid-05061d4609325b60.skydrive.live.com/self.aspx/Public/openxri/signxrd.zip if someone would like to check that my bit of additional signing and formatting work is done "correctly".

(a) Since all major programming platforms already have an xmldsig library that is well settled in terms of functionality, interoperability and access to crypto hardware, I'm really not sure what we gain in openid-land by using the Google/TC canonicalization method. I don't have that canonicalization in my FIPS 140-1 level 3 crypto device, and probably won't for 2+ years (until and IF the cryptomodule vendor decides to update the firmware, having gone to the trouble of getting a new NIST FIPS certification). For my part, the new variant of XML signing is not "simpler": it means writing crypto code, and that code has to run in software crypto modules that are at most FIPS 140-1 level 1. With the alternative, more standard scheme for signing, so far I've needed ZERO crypto-programming skills. All I've done to sign XRDs is act as an application programmer (albeit probably one of the worst in the world).
At my skill level it took forever, but at the end of the day all I had to do was make a subclass and do some virtual overrides.

(b) The XRD type defined in XRI Resolution v2 already allows arbitrary extensions to be placed at the end of the XML serialization of the standard elements. Why not place the digital signature in that area as an extension, formally? That placement would line up better for systems using existing XRD libraries, as they are already structured to add code for extensions in that extensibility area.

Peter

[signed XRD sample: XML markup lost in the archive]

________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Dirk Balfanz [balfanz at google.com]
Sent: Friday, July 10, 2009 11:25 AM
To: specs at openid.net; general at openid.net List
Subject: Re: [OpenID] experimental namespace for openid.net

[+general at openid.net for a broader audience]

On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz wrote:

Hi guys,

Google would like to launch a feature in which we're allowing our Google Apps hosted domains to become OpenID providers. The authentication part of it is pretty simple - Google is already logging in users to their apps, so we can also host an OP endpoint for those domains and send assertions back to Relying Parties. What is more difficult is the discovery part.
We have been working with the XRI TC to define an XRD-based discovery protocol that would allow this kind of hosting of discovery documents on behalf of our customers. We believe that providing proof-of-concept implementations drives standardization processes forward, so in this spirit we want to launch this feature in the near future, using a discovery protocol that as far as we can tell meets all the requirements of what the XRI TC is currently converging on, but which has not been vetted as an official standard (it's a chicken-and-egg thing - without PoC no standards, without standards by definition no standards-compliant implementations).

While we were tossing around ideas in the standardization committees we just used random identifiers for the new XML namespaces, etc. that we would need for this discovery protocol. Now that we're about to launch we need to decide what to call these things. We would like to use a namespace in http://specs.openid.net/... because we want this kind of discovery protocol to be part of OpenID, but we can't really use them because we don't have a next-generation discovery protocol yet.

So what should we use? How about http://experimental.openid.net/... ? That way, Relying Parties know that what we're trying to do is be a part of the OpenID community and bring the protocol forward. On the other hand, this would also be a signal to the RP that they're using a feature that has not been vetted as a standard yet.

For example, a discovery document for a domain balfanz.net at Google might look like this (notice the "experimental" namespace and the XML elements using it):

[example XRD: XML markup and certificate values lost in the archive]
What do you guys think?

Dirk.

From santrajan at gmail.com Sat Jul 11 19:05:50 2009
From: santrajan at gmail.com (Santosh Rajan)
Date: Sat, 11 Jul 2009 19:05:50 -0700 (PDT)
Subject: [OpenID] experimental namespace for openid.net
In-Reply-To:
References: <60c552b80907101125v1a56d875oc846fb332200974b@mail.gmail.com>
Message-ID: <24445325.post@talk.nabble.com>

xmldsig works fine in proprietary systems where both signing and verification are done by software from the same vendor, or at least where the vendor has solved the interop problems on a case-to-case basis. Otherwise xmldsig, as far as I can read all over the web, is plagued with interop problems. For a case like OpenID with a multitude of vendors and platforms I don't think it would be possible to solve all the interop probs on a case-to-case basis.

I am looking for someone who has successfully implemented xmldsig with XRDS and I have not been able to find even one! Because if there was one, they would be the best people to tell you. Unfortunately there isn't (or I haven't found them; let me know if you know of anyone).

Peter Williams wrote:
>
> (a) since all major programming platforms already have an xmldsig library that is well settled in terms of functionality, interoperability and access to crypto hardware, I'm really not sure what we gain in openid-land by using the Google/TC canonicalization method.
>

-----
Santosh Rajan
http://santrajan.blogspot.com
From pwilliams at rapattoni.com Sat Jul 11 21:58:42 2009 From: pwilliams at rapatto