Google Apps availability broadcasting

John Bradley john.bradley at wingaa.com
Mon Dec 14 19:23:54 UTC 2009


We currently have two different openID selectors making the rounds.

One from MS for IE and one from Higgins.  

At the NIH iTrust event last week we demoed both selectors and received a good response.

The two selectors use slightly different approaches. The MS one is using an object tag and the Higgins one is looking for a link to XRD/S meta-data.

They both use unsolicited positive assertions.

The ICAM profile for openID allows for that. (Whoever wrote that profile must have known something:)

MS has indicated that if there is enough interest in the idea they will add it to their existing platform.
If people want it send in your cards and letters to MS.

While a smart client is required to provide ease of use with privacy, we can't lose sight of having a good RP hosted experience. Unfortunately that will always be subject to phishing attacks and a limitation on the OP who can have one click buttons in the UI.

John B.


On 2009-12-14, at 3:52 PM, Drummond Reed wrote:

> I just want to reinforce the point that there are serious privacy issues (not to mention security issues) with an RP being able to discovery the OPs a user uses (let alone the OPs the user is currently logged in with) without the user opting in to grant permission to the RP to know that.
> 
> I know it's not very helpful to say, "This problem is much more easily solved - without any of the attendant privacy risks - with an active client", but based on my experience (folks like the Liberty Alliance tried to solve this problem for three years to no avail), it may just be that an active client is the place to focus time/attention. After IIW it appears it's inevitable that it's coming, and probably built directly into the browser itself.
> 
> =Drummond
> 
> On Mon, Dec 14, 2009 at 9:52 AM, Dirk Balfanz <balfanz at google.com> wrote:
> Breno just forwarded this thread to me. Bizarrely, even though I'm subscribed to specs, I never get a single message from that list. 
> 
> Anyway - what we demonstrated at IIW was a simple "broadcasting" of who your OP is. The RP would just do a JSONP call to a central discovery service (which would carry the user's cookies for that service with it), and the discovery service would reply with a list of OPs. As Andrew points out there are privacy issues with this approach that make it infeasible - you would either have to tell the central discovery service about your OPs, or you don't. In the former case, the identity of the OPs would be revealed to any RP that asks. Which is not good enough. 
> 
> So our current thinking is to access-control this per-RP. The central discovery service would somehow know which RPs you're using (or at least which RPs you're willing to tell it about). Then, when one of those whitelisted RPs asks about your OPs (and only then), the discovery service will respond with the list of your OPs. I'd say it's still up in the air whether this can be made seamless enough so that average users can handle it. It would work for Google Apps (with Google playing the role of the central discovery service), but I'm not quite sure what it would look like in general. 
> 
> As for the can-my-mother-log-in scenario: I believe the percentage of users that are already logged into their OP when they visit an RP is way above 90% in the case where that OP is something like Google.
> 
> Dirk.
> 
> On Mon, Dec 14, 2009 at 8:59 AM, Breno de Medeiros <breno at google.com> wrote:
> ---------- Forwarded message ----------
> From: Andrew Arnott <andrewarnott at gmail.com>
> Date: Mon, Dec 14, 2009 at 7:22 AM
> Subject: Re: Google Apps availability broadcasting
> To: Santosh Rajan <santrajan at gmail.com>
> Cc: specs <specs at openid.net>
> 
> 
> I'm a bit concerned about the privacy aspect, but I'm sure regardless
> of the future spec that OPs will be smart about giving the user the
> option to "advertise" their login status at an OP to an untrusted RP.
> As I recall the way Google resolved the privacy concern is actually
> giving each domain admin the option to advertise or not to RPs.
> A standard addition to the protocol would be interesting, to be sure.
> However, it doesn't make as much sense out of the context of Google
> Apps, since that's the only host that represents very many OP
> endpoints, which is what makes it interesting for the RP to poll with
> the question "hey, which OPs is the user logged into?"
> From a UI standpoint, even if it were possible for the RP to
> meaningfully ask the question (of someone) "what are all the OPs the
> user is logged into?", I'm dubious about the value of an RP doing so.
> It wouldn't pass the "my mom can login" test if she revisited an RP,
> and couldn't login because her "Google" button was missing.  It
> wouldn't occur to her that she has to go to Google herself and log in
> there before she can log into the RP.  Some OPs do that today (like
> Verisign), by refusing to log a user in as part of the OpenID flow,
> but it's not very user-friendly -- and that's when Verisign appears at
> the RP in the first place.
> Just my 2 cents.
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the
> death your right to say it." - S. G. Tallentyre
> 
> 
> On Mon, Dec 14, 2009 at 7:09 AM, Santosh Rajan <santrajan at gmail.com> wrote:
> >
> > I agree with Andrew, and I think every OP must do the same. Or maybe we add that to the protocol.
> >
> > On Mon, Dec 14, 2009 at 8:17 PM, Andrew Arnott <andrewarnott at gmail.com> wrote:
> >>
> >> Nope, that's not it either.  What I'm thinking of is an aid to pure login UI -- nothing to do with OAuth.  And again, Google is supplying the list of Google Apps domains the user is logged into -- not the RP asking for each specific domain.
> >> --
> >> Andrew Arnott
> >> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
> >>
> >>
> >> On Mon, Dec 14, 2009 at 6:32 AM, Chris Obdam <chris.obdam at holder.nl> wrote:
> >>>
> >>> > The solution Dirk/Breno spoke of (as I recall) was a single URL that would return all google apps for domains the user is logged into.
> >>> Ok, clear.  Is this the one?
> >>> > openid.ext2.scope - (required) List of URLs identifying the Google service(s) to be accessed. See documentation for the services of interest to get scopes must be space-delimited and properly escaped. This parameter is not defined in the OAuth standards; it is a Google-specific parameter.
> >>>
> >>> Cheers,
> >>>
> >>> Chris Obdam
> >>> Stichting OpenID NL (Dutch OpenID foundation)
> >>>
> >>> > --
> >>> > Andrew Arnott
> >>> > "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
> >>> >
> >>> >
> >>> > On Mon, Dec 14, 2009 at 6:14 AM, Chris Obdam <chris.obdam at holder.nl> wrote:
> >>> > Andrew,
> >>> >
> >>> > That sounds a lot like the openid.ui.x-has-session variable David mentioned earlier today?
> >>> >
> >>> > More info on http://svn.openid.net/repos/specifications/user_interface/1.0/trunk/openid-user-interface-extension-1_0.html and
> >>> > http://code.google.com/intl/nl-NL/apis/accounts/docs/OpenID.html
> >>> >
> >>> > Cheers,
> >>> >
> >>> > Chris Obdam
> >>> > Stichting OpenID NL (Dutch OpenID foundation)
> >>> >
> >>> > On 14 Dec 2009, at 14:54, Andrew Arnott wrote:
> >>> >
> >>> > > At IIW, Google mentioned that they are trying out a way for Google Apps domains to advertise to RPs that the user is logged into them so that RPs can show a "log into puffypoodles.com" option.  Where can we find documentation on how that works?
> >>> > >
> >>> > > Thanks.
> >>> > > --
> >>> > > Andrew Arnott
> >>> > > "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
> >>> > > _______________________________________________
> >>> > > specs mailing list
> >>> > > specs at lists.openid.net
> >>> > > http://lists.openid.net/mailman/listinfo/openid-specs
> >>> >
> >>> >
> >>>
> >>
> >>
> >>
> >
> >
> >
> > --
> > http://hi.im/santosh
> >
> >
> 
> 
> 
> 
> 
> 
> --
> --Breno
> 
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
> 
> 
> 
> 
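The thread contrasts two designs for the "availability broadcasting" discovery service: the IIW demo, where any RP's JSONP call (carrying the user's cookie for the discovery service) gets back the user's full OP list, and the proposed fix, where the list is returned only to RPs the user has opted in to. The following Python model is an added illustration written for this page; it is not Google's implementation or any code from the thread. The session table, OP URLs, RP origins, the `rp_origin` field (the thread only says the service would "somehow know" which RP is asking) and the `policy` switch are all hypothetical. It also checks the JSONP callback name, because the response is executed as script inside the RP's page.

```python
"""
Model of the OP "availability broadcasting" discovery service discussed in
the thread (added example, not the real service).

Policies compared:
  * "broadcast": any RP that asks receives the user's full OP list (IIW demo).
  * "per_rp":    the list is returned only to RPs the user has allowlisted;
                 every other RP sees an empty list, so no OP identity leaks.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data for this example (hypothetical users, OPs, RPs).
SESSIONS = {"sess-alice": "alice"}                      # cookie value -> user
LOGGED_IN_OPS = {
    "alice": ["https://acme-corp.example/openid",
              "https://puffypoodles.example/openid"],
}
ALLOWED_RPS = {"alice": {"https://rp.example"}}         # RPs alice opted in to

# A JSONP callback must look like a plain JS identifier path; anything else is
# refused so a caller cannot turn the callback parameter into injected script.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


@dataclass
class Request:
    cookie: Optional[str]   # discovery-service session cookie sent by browser
    rp_origin: str          # origin of the RP page issuing the JSONP call
                            # (assumed trustworthy here; see lead-in)
    callback: str           # JSONP callback name supplied by the RP page


def lookup_ops(req: Request, policy: str) -> List[str]:
    """Return the OPs the discovery service is willing to reveal to this RP."""
    user = SESSIONS.get(req.cookie)
    if user is None:
        return []                      # no session: nothing to broadcast
    ops = list(LOGGED_IN_OPS.get(user, []))
    if policy == "broadcast":
        return ops                     # leaks OP identities to any RP
    if policy == "per_rp":
        if req.rp_origin in ALLOWED_RPS.get(user, set()):
            return ops
        return []                      # RP not opted in: reveal nothing
    raise ValueError(f"unknown policy {policy!r}")


def jsonp_response(req: Request, policy: str) -> Tuple[int, str]:
    """Build the (status, body) the service would send back to the RP page."""
    if not CALLBACK_RE.match(req.callback):
        return 400, "invalid callback"
    payload = json.dumps({"ops": lookup_ops(req, policy)})
    return 200, f"{req.callback}({payload});"


if __name__ == "__main__":
    rogue = Request("sess-alice", "https://evil.example", "handleOps")
    trusted = Request("sess-alice", "https://rp.example", "handleOps")
    for policy in ("broadcast", "per_rp"):
        print(policy, "rogue RP  ->", jsonp_response(rogue, policy))
        print(policy, "opted-in  ->", jsonp_response(trusted, policy))
```

Under `broadcast` the rogue RP learns both OPs as soon as the browser attaches the discovery-service cookie, which is exactly the leak Dirk and Andrew object to; under `per_rp` the same request yields an empty list while the opted-in RP still gets the data it needs to show a "log into puffypoodles" button. The callback check is independent of the policy question but is the one other control a JSONP endpoint of this kind cannot do without.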
