Yahoo available AX attrs

Peter Watkins peterw at tux.org
Tue Dec 8 15:28:45 UTC 2009


On Tue, Dec 08, 2009 at 10:30:06AM +0100, Chris Obdam wrote:
> There already is work done on that part right?
> 
> See http://step2.googlecode.com/svn/spec/attribute_exchange_validate/trunk/openid-attribute-exchange-validate-mode.html

Thanks for that pointer. I see two big problems with that draft

1) As Allen's later email suggested, it could be very useful to know
   *when* an attribute was verified. This is probably true of every
   single attribute. Of the standard (http://www.axschema.org/types/)
   and experimental attributes, only date of birth is an immutable
   fact, and even that might be revised at some point to correct 
   clerical errors. Don't tell me that you have at some point verified
   the user's name to be Cat Stevens, tell me you verified that fact
   in 1977 and let me decide if that data is fresh enough.

2) The openid.ax.validation parameter purports to be about quality, but
   the examples don't show the sort of options that Joseph A Holsten
   suggested (Supplied by user vs. OP thinks this is the user's email vs.
   the OP indemnifies the RP for any legal claims arising from the 
   assertion being false). The examples show RPs specifying specific
   means of verification (token_via_email, pin_via_sms) which sounds
   both contentious (deciding which of two methods is stronger) and
   difficult to manage (who maintains the enumerated lists of methods?
   what happens if later research reveals a fundamental flaw in some
   method, or infrastructure changes alter the value of some methods?).
   I think it would be better to define the validation level as a 
   number, and provide some guidance on what sort of current (i.e.
   as of the date the spec is approved) validation methods should 
   equate to certain levels. There's always going to be a problem of
   trust here, as anybody could set up an OP that claims with 100%
   certainty that my name is David Recordon. There will be a natural
   tendency for RPs to whitelist trustworthy OPs, just as we've seen
   whitelists of the PKI vendors we all depend on for our TLS/SSL certs.
   So don't get bogged down in an exhaustive enumeration of methods
   (I can just imagine providers of patented systems clamoring to
   be listed) and an exhausting exercise of comparing methods (whose
   PIN mailer is better? Is the US postal service more or less 
   secure and trustworthy than the Swiss postal service?). Use general
   examples and numeric scores.

-Peter

> Op 8 dec 2009, om 05:36 heeft Allen Tom het volgende geschreven:
> 
> > I’d recommend using a timestamp indicating when it was last verified, with a special value to indicate that the OP is also the email provider and has 100% certainty. (perhaps just setting the verification time==now is sufficient)
> > 
> > Allen
> > 
> > 
> > On 12/7/09 8:29 PM, "Chris Messina" <chris.messina at gmail.com> wrote:
> > 
> >> Sounds like something to add to PoCo... perhaps something as simple as a "verified" boolean added to email addresses?
> >> 
> >> http://portablecontacts.net/draft-schema.html#anchor4
> >> 
> >> Chris
> >> 
> >> On Mon, Dec 7, 2009 at 8:25 PM, Brian Kissel <bkissel at janrain.com> wrote:
> >>> +1 on email address metadata, many RPs definitely want this.
> >>> 
> >>> Cheers,
> >>> 
> >>> Brian
> >>> ___________
> >>> 
> >>> Brian Kissel
> >>> CEO, JanRain - WebID and Social Publishing for User Engagement
> >>> Email: bkissel at janrain.com     Cell: 503.866.4424     Fax: 503.296.5502
> >>> 
> >>> 
> >>> -----Original Message-----
> >>> From: openid-specs-bounces at lists.openid.net [mailto:openid-specs-bounces at lists.openid.net] On Behalf Of Allen Tom
> >>> Sent: Monday, December 07, 2009 7:46 PM
> >>> To: Peter Watkins; Chris Obdam; openid-specs at lists.openid.net
> >>> Subject: Re: Yahoo available AX attrs
> >>> 
> >>> Oops - I clicked send too early.
> >>> 
> >>> The bad UX with AX is the security warning that most browsers display when
> >>> POSTing a form from HTTPS to HTTP, which is the case when the Yahoo OP
> >>> returns a lot of attributes. AX attribute names are excessively long, so
> >>> it's very likely that using different attribute names for first/last/middle
> >>> name will cause the response to be returned via POST. (2KB is the cutoff
> >>> point)
> >>> 
> >>> With regards to email address - unless we're 100% sure about the email
> >>> address, we'd like to return metadata about the email address. Specifically,
> >>> we'd like to indicate whether or not the email address was verified, and if
> >>> so, when it was verified. This is definitely something that we'd like to get
> >>> in to AX 2.0.
> >>> 
> >>> Allen
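As an added illustration, not part of the thread and not code from any OpenID specification: the snippet below shows how a Relying Party could consume the kind of per-attribute metadata Peter and Allen argue for (a "last verified" timestamp plus a numeric validation level) and apply its own freshness and level policy, rather than trusting a method name enumerated by the OP. The `openid.ax.verified_at.*` and `openid.ax.validation.*` parameters are hypothetical names standing in for that proposal; the AX fetch_response string is constructed. A timestamp within clock skew of "now" is treated as fresh, which covers Allen's "verification time == now" convention for an OP that is itself the email provider, and an attribute with no freshness requirement (date of birth) is accepted on level alone.

```python
"""RP-side evaluation of hypothetical AX verification metadata (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed sample fetch_response as it would arrive URL-encoded in the
# indirect response. "verified_at" and "validation" are HYPOTHETICAL
# parameters illustrating the thread's proposal, not part of AX 1.0.
SAMPLE_RESPONSE = (
    "openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0"
    "&openid.ax.mode=fetch_response"
    "&openid.ax.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail"
    "&openid.ax.value.email=user%40example.com"
    "&openid.ax.verified_at.email=2009-12-01T00%3A00%3A00Z"
    "&openid.ax.validation.email=2"
    "&openid.ax.type.fullname=http%3A%2F%2Faxschema.org%2FnamePerson"
    "&openid.ax.value.fullname=Cat+Stevens"
    "&openid.ax.verified_at.fullname=1977-06-01T00%3A00%3A00Z"
    "&openid.ax.validation.fullname=1"
    "&openid.ax.type.dob=http%3A%2F%2Faxschema.org%2FbirthDate"
    "&openid.ax.value.dob=1948-07-21"
)

# "Now" fixed to the date of the message above so the example is reproducible.
NOW = datetime(2009, 12, 8, 15, 28, 45, tzinfo=timezone.utc)


@dataclass
class AxAttribute:
    type_uri: str
    value: str
    verified_at: Optional[datetime]  # hypothetical: when the OP last verified it
    validation: int                  # hypothetical numeric level; 0 = user-supplied only


@dataclass
class Requirement:
    min_level: int
    max_age: Optional[timedelta]  # None: no freshness requirement (immutable fact)


def parse_ax_response(query: str) -> Dict[str, AxAttribute]:
    """Parse a single-valued AX fetch_response (count.* multi-values omitted)."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    # The AX namespace alias is usually "ax", but an RP must look it up, not assume it.
    alias = next((k.split(".", 2)[2] for k, v in params.items()
                  if k.startswith("openid.ns.") and v == AX_NS), None)
    if alias is None or params.get(f"openid.{alias}.mode") != "fetch_response":
        return {}
    prefix = f"openid.{alias}."
    attrs: Dict[str, AxAttribute] = {}
    for key, type_uri in params.items():
        if not key.startswith(prefix + "type."):
            continue
        name = key[len(prefix + "type."):]
        ts = params.get(f"{prefix}verified_at.{name}")
        verified_at = (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
                       if ts else None)
        level = int(params.get(f"{prefix}validation.{name}", "0"))
        attrs[name] = AxAttribute(type_uri, params.get(f"{prefix}value.{name}", ""),
                                  verified_at, level)
    return attrs


def evaluate(attrs: Dict[str, AxAttribute], policy: Dict[str, Requirement],
             now: datetime, skew: timedelta = timedelta(minutes=5)) -> Dict[str, Tuple[bool, str]]:
    """Apply the RP's own level and freshness policy; the RP, not the OP, decides."""
    decisions: Dict[str, Tuple[bool, str]] = {}
    for name, req in policy.items():
        attr = attrs.get(name)
        if attr is None:
            decisions[name] = (False, "attribute not returned")
        elif attr.validation < req.min_level:
            decisions[name] = (False, f"validation level {attr.validation} below required {req.min_level}")
        elif req.max_age is not None:
            if attr.verified_at is None:
                decisions[name] = (False, "no verification timestamp")
                continue
            age = now - attr.verified_at
            if age < -skew:
                decisions[name] = (False, "verification timestamp is in the future")
            elif age > req.max_age:
                decisions[name] = (False, f"verified {age.days} days ago, older than {req.max_age.days} days")
            else:
                # age within [-skew, max_age]: an OP asserting "verified now" lands here
                decisions[name] = (True, "accepted")
        else:
            decisions[name] = (True, "accepted")
    return decisions


# Example RP policy: email must be level 2 and verified within 30 days, a name
# at least level 1 within a year, date of birth has no freshness requirement.
POLICY = {
    "email": Requirement(min_level=2, max_age=timedelta(days=30)),
    "fullname": Requirement(min_level=1, max_age=timedelta(days=365)),
    "dob": Requirement(min_level=0, max_age=None),
    "phone": Requirement(min_level=1, max_age=timedelta(days=90)),
}

if __name__ == "__main__":
    for name, (ok, reason) in evaluate(parse_ax_response(SAMPLE_RESPONSE), POLICY, NOW).items():
        print(f"{name:9s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Run as is, the email is accepted (level 2, seven days old), the 1977 name verification is rejected as stale even though the OP vouches for it, the date of birth passes without a timestamp, and the missing phone attribute is rejected outright.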