RP library authors
Tatsuki Sakushima
tatsuki at nri.com
Fri Sep 11 23:15:43 UTC 2009
Hi John,
The document misses a reference to the PAPE spec in Appendix D.
Is that done on purpose until some errors in the spec are fixed?
Tatsuki
Tatsuki Sakushima
NRI Pacific - Nomura Research Institute America, Inc.
(9/11/09 8:49 AM), John Bradley wrote:
> The GSA profile for openID is available at:
>
> http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf
>
> Many things that are SHOULD in the openID 2.0 spec are now MUST in the
> profile.
>
> There are new PAPE URI and other modifications.
>
> Most of the OP's supporting the profile will not be restricting it to
> only Gov RP's.
>
> Any RP may elect to use all or parts of this new profile for any purpose
> they choose.
>
> Also any OP is free to support it whether or not they are on the GSA
> whitelist.
>
> To get on the GSA white-list OP's must support the profile and be
> audited against a Trust Framework. The OIDF has information available
> on applying through its program.
>
> There are quite a number of requirements on the RP side, that need to be
> met.
>
> The sooner these features are in libraries the sooner government
> agencies can move ahead with deployments.
>
> If there is interest we can set up a google group where developers can
> get their questions on implementing the profile answered.
>
> If I can get to IIW in Nov, I would like to organize a session on this
> for people.
>
> There will be revisions to the profile in the future as we all gain
> experience.
>
> The people who worked on the profile tried to profile only the existing
> specifications as written without inventing anything incompatible with
> existing implementations.
>
> The GSA's goal is to enable as many existing identities as possible to
> have access to government resources without making people create new
> username and password accounts at each of the thousands of potential RP
> sites.
>
> Extra attention was taken to allow openID to be used without divulging
> ANY PII to the government.
> This includes the use of a Pseudonymous openID identifier to allow sites
> that can take no PII or do any correlation to still use openID.
>
> The regulation on this is quite strict. We could not convert the ID to
> a pseudonym on the RP side and adhere to the regulation.
>
> We hope that the profile maximizes participation of OP's and RPs alike,
> while not placing insurmountable burdens on developers.
>
> RP's and OP's that don't intend to make use of the profile need to make
> no changes at all.
>
> I regret not being able to share more of this with you sooner. The OIDF
> and the other foundations were requested not to discuss this publicly
> until after the government announcements.
>
> Regards
> John Bradley
>