<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Note that in sections 2 and 6, it's not fetching the issuer URL, but
rather it's fetching the OpenID 2.0 Identifier URL, which contains
the issuer. Thus, the webfinger style discovery doesn't really fit
here.<br>
<br>
-- Justin<br>
<br>
<div class="moz-cite-prefix">On 08/23/2014 08:36 AM, Markus
Sabadello wrote:<br>
</div>
<blockquote
cite="mid:CAJF45PQGROSrE4zOGzAEGDD6vHvYkCrW7aCQxHKfkE08wsjyWw@mail.gmail.com"
type="cite">
<div dir="ltr"><a moz-do-not-send="true"
href="http://openid.bitbucket.org/openid-connect-migration-1_0.html">http://openid.bitbucket.org/openid-connect-migration-1_0.html</a><br>
<br>
<div class="gmail_quote">--------------
<div dir="ltr">
<div>In section 1.2:<br>
<dl>
<dt>"OpenID 2.0 Identifier<br>
Verified user identifier as specified by OpenID
Authentication 2.0."</dt>
</dl>
<p>maybe change to<br>
</p>
<p>"OpenID 2.0 Identifier<br>
Verified <b>Claimed Identifier</b> as specified by
OpenID Authentication 2.0. "<br>
</p>
<p>--------------</p>
<p>In sections 2 and 6, something feels a bit strange
about retrieving the "iss" simply with a plain GET and
Content-Type application/json. I was wondering if this
shouldn't instead use OIDC Issuer Discovery / Webfinger?
But of course it would work the way it is written now.<br>
</p>
<p>--------------</p>
<p>In section 4:</p>
<p>"For XRI, OpenID 2.0 Identifier MUST be created as <a
moz-do-not-send="true" href="https://xri.net/"
target="_blank">https://xri.net/</a> concatenated with
the user’s verified XRI without the xri:// scheme. "<br>
</p>
<p>The problem with this I think is that in OpenID 2.0,
for an XRI the Claimed Identifier is the pure
CanonicalID (I-Number), without https:// or xri://
scheme. For example, an RP might have <b>=!91F2.8153.F600.AE24</b>
as the Claimed Identifier (openid2_id) for a user in its
database.<br>
</p>
So I think in section 4, we should either not say anything
specific at all about XRI, or say something like this:<br>
<br>
"For XRI, OpenID 2.0 Identifier MUST be the content of the
&lt;CanonicalID&gt; element, as specified in [OpenID.2.0]"<br>
<br>
</div>
<div>Then an example ID Token would be:<br>
<pre>{
"iss": "?? not sure",
"sub": "?? not sure",
"aud": "s6BhdRkqt3",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
"openid2_id": "<b>=!91F2.8153.F600.AE24</b>"
}</pre>
But then I can see that obtaining an "iss" as described in
sections 2 and 6 won't work.<br>
<br>
--------------<br>
<br>
I remember Nat+John telling me at one of the previous IIWs
how XRI to OIDC migration would work, but I don't remember
the details.<br>
</div>
<div>
<p>Would this involve a Self-Issued OIDC Provider?<br>
Would there be just one OIDC Provider (<a
moz-do-not-send="true" href="http://xri.net"
target="_blank">xri.net</a>), or would there be a way
to have one OIDC for each registrar (i-broker)?<br>
What would the "iss" and "sub" values be?<br>
</p>
--------------<br>
<br>
</div>
<div>In section 6:<br>
<br>
</div>
<div>Grammar: "A malicious OP may try to impersonate the
user by returning <b>an</b> OpenID 2.0 Identifier that it
is not authoritative for."<br>
<p>--------------</p>
</div>
<div>
<p>In appendix A in the diagram, shouldn't "Resource" be
"Relying Party"?</p>
<p>--------------</p>
<p>Markus<br>
</p>
</div>
</div>
<div class="">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Aug 21, 2014 at 3:18
AM, Nat Sakimura <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">ping... </div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2014-08-08 6:42 GMT+09:00
Nat Sakimura <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:sakimura@gmail.com"
target="_blank">sakimura@gmail.com</a>&gt;</span>:
<div>
<div><br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Thanks a lot.
<div><br>
</div>
<div>I really appreciate it. </div>
<div><br>
</div>
<div>
Best, </div>
<div><br>
</div>
<div>Nat</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2014-08-08 6:06
GMT+09:00 Markus Sabadello <span
dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:markus.sabadello@gmail.com"
target="_blank">markus.sabadello@gmail.com</a>&gt;</span>:
<div>
<div><br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Hi Nat, I
remember our discussions after
last IIW, but haven't looked
into this much deeper since
then.<br>
I'll read through the
migration spec now.<span><font
color="#888888"><br>
<br>
Markus<br>
<br>
</font></span></div>
<div>
<div>
<div class="gmail_extra">
<br>
<br>
<div class="gmail_quote">On
Thu, Aug 7, 2014 at 9:18
PM, Nat Sakimura <span
dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0px 0px
0px
0.8ex;border-left:1px
solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Hi Markus, <br>
<br>
The migration spec is now in the WG Last Call. I would very much appreciate it if you could quickly review it. <br>
<br>
Here is the announcement I sent out earlier today to the list: <br>
<br>
OpenID 2.0 to OpenID Connect Migration (aka OID2 to OIDC Migration) is a spec that allows RPs to associate the old OpenID 2.0 identifiers with the new OpenID Connect identifiers without user intervention or an extra round trip.<br>
<br>
The spec has been under development for approximately half a year and has recently gone into WGLC[1].<br>
<br>
During the WGLC, several comments were gathered and the WG decided to normatively change / simplify the verification rule.<br>
<br>
In draft 01, the OpenID 2.0 identifier was returning the public key of the issuer, but in draft 02 it now returns the issuer. This actually simplifies the verification rule as well as making it more flexible.<br>
<br>
The diffs can be found here:<br>
<br>
<a moz-do-not-send="true" href="http://hg.openid.net/connect/commits/0752b8ff5d11602be9dd0ceefd5e61d420ab6703" target="_blank">http://hg.openid.net/connect/commits/0752b8ff5d11602be9dd0ceefd5e61d420ab6703</a><br>
<br>
<br>
and the HTML version of the document can be found here:<br>
<br>
<a moz-do-not-send="true" href="http://openid.bitbucket.org/openid-connect-migration-1_0.html" target="_blank">http://openid.bitbucket.org/openid-connect-migration-1_0.html</a><br>
<br>
<br>
[1] Working Group Last Call<br>
<br>
<br>
Best, <br>
--<br>
Nat Sakimura (=nat)<br>
Chairman, OpenID Foundation<br>
<a moz-do-not-send="true" href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en<br>
<div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<div>
<div><br>
<br clear="all">
<div><br>
</div>
-- <br>
Nat Sakimura (=nat)
<div>Chairman, OpenID Foundation<br>
<a moz-do-not-send="true"
href="http://nat.sakimura.org/"
target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<div>
<div><br>
<br clear="all">
<div><br>
</div>
-- <br>
Nat Sakimura (=nat)
<div>Chairman, OpenID Foundation<br>
<a moz-do-not-send="true"
href="http://nat.sakimura.org/"
target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
<br>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
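<p>The RP-side check the thread is discussing, as an added example that is not part of the original messages or of the migration spec itself: the RP fetches the OpenID 2.0 Identifier URL carried in the openid2_id claim, reads the issuer from the JSON document it returns, and only links the stored OpenID 2.0 identifier to the new (iss, sub) pair when that issuer equals the ID Token's iss claim, which is what defeats the malicious OP of section 6 that returns an identifier it is not authoritative for. An XRI canonical ID such as =!91F2.8153.F600.AE24 has no URL to fetch, so the same function refuses rather than silently passing, which is the gap Markus points out. The fetch function is injected and serves constructed documents so the code runs offline; the Accept header and any claim beyond iss, sub and openid2_id are assumptions.</p>

```python
from urllib.parse import urlsplit

class MigrationError(Exception):
    """Raised when the openid2_id claim cannot be linked to a stored account."""

def is_http_identifier(identifier):
    """True for an OpenID 2.0 URL identifier; False for an XRI such as
    =!91F2.8153.F600.AE24, which has no scheme and nothing to GET."""
    parts = urlsplit(identifier)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def verify_openid2_id(claims, fetch_json):
    """Check that the OP named by the ID Token's iss claim is authoritative
    for openid2_id. fetch_json(url) returns the parsed JSON served at the
    identifier URL (assumed: HTTPS GET with Accept: application/json).
    Returns (openid2_id, sub) on success, raises MigrationError otherwise."""
    openid2_id, iss, sub = (claims.get(k) for k in ("openid2_id", "iss", "sub"))
    if not (openid2_id and iss and sub):
        raise MigrationError("ID Token lacks iss, sub or openid2_id")
    if not is_http_identifier(openid2_id):
        raise MigrationError("no URL to fetch for identifier %r" % openid2_id)
    declared = fetch_json(openid2_id).get("iss")
    # A malicious OP presenting someone else's identifier fails here: the
    # document at that identifier names a different issuer than the token.
    if declared != iss:
        raise MigrationError("identifier %s names issuer %r, token says %r"
                             % (openid2_id, declared, iss))
    return openid2_id, sub

# Constructed stand-ins for the JSON served at two identifier URLs.
CONSTRUCTED_DOCS = {
    "https://example.com/alice": {"iss": "https://op.example.com"},
    "https://example.com/bob": {"iss": "https://other-op.example.net"},
}

def stub_fetch(url):
    """Offline replacement for the HTTPS GET a real RP would perform."""
    if url not in CONSTRUCTED_DOCS:
        raise MigrationError("identifier URL %s not reachable" % url)
    return CONSTRUCTED_DOCS[url]

def link_account(claims, accounts, fetch_json=stub_fetch):
    """Associate the RP's stored OpenID 2.0 identifier with the new
    (iss, sub) pair; accounts maps openid2_id -> account record."""
    openid2_id, sub = verify_openid2_id(claims, fetch_json)
    if openid2_id not in accounts:
        raise MigrationError("no account stored for %s" % openid2_id)
    accounts[openid2_id]["oidc"] = (claims["iss"], sub)
    return accounts[openid2_id]
```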
<br>
</body>
</html>