Gathering requirements for in-browser OpenID support
Chris Messina
chris.messina at gmail.com
Wed Oct 18 01:19:59 UTC 2006
Sorry about that -- sure.
Keychain is very much like PasswordSafe... a repository of various
kinds of secure data -- passwords and the like -- that any Mac app can
pull passwords from (should you give the app access to your Keychain).
Here's what Apple marketing-speak has about it [1]:
"To make it easy to manage the daunting number of passwords and
permissions intrinsic to network computing, Mac OS X includes a
Keychain. The Keychain stores all your information to use encrypted
disk images and to log onto file servers, FTP servers and Web servers.
Mac OS X automatically adds your .Mac account information to your
Keychain. When you log in to Mac OS X, the system opens your Keychain.
You don't have to enter your user name and passwords to access this
data. You can set Mac OS X to lock your Keychain when the system
sleeps or is inactive for a time. The system will ask you for your
password the next time you try to access secure data. Other users on
the system cannot access your Keychain or its data."
My suggestion about integrating OpenID (which could be done with
PasswordSafe as well) is that you'd login to your OpenID provider
using the Keychain app. This app would be able to pull down all the
services that you've authenticated against or have a relationship with
-- so that you have a convenient interface for managing those
connections. On the Mac, this is convenient, since it would operate
cross-browser and cross-application (for example, I have many
applications built on webkit that only load one web app -- and I treat
them like full-fledged apps [2] -- that Keychain stores the
authentication for).
If the browser afforded this kind of utility for managing all of my
accounts in one place, similar to how BBAuth works in Flickr, where I
can disallow or allow outside services tiered access to my data, we'd
be making OpenID a very valuable proposition of browsers.
Chris
[1] http://www.apple.com/macosx/features/security/
[2] http://webkit.pbwiki.com
On 10/17/06, Gabe Wachob <gabe.wachob at amsoft.net> wrote:
> Can you summarize what keychain actually does for those of us who are not
> mac people? Is it like PasswordSafe (http://passwordsafe.sourceforge.net/)?
>
> It looks like a password manager - in which case, openid wouldn't really be
> directly involved. How you authenticate to an IDP (or whatever it will be
> called) is outside the scope of openid. That's between you and your IDP...
> So if they can somehow induce keychain to cough up credentials to the IDP,
> then sure, openid works seamlessly with keychain..
>
> But of course, I'm basing this on my perhaps incorrect understanding of
> keychain.
>
> -Gabe
>
> > -----Original Message-----
> > From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> > Behalf Of Chris Messina
> > Sent: Tuesday, October 17, 2006 5:22 PM
> > To: general at openid.net
> > Subject: Re: Re: Gathering requirements for in-browser OpenID support
> >
> > More generally, we need to see integration of OpenID and Apple's Keychain:
> >
> > http://dig.csail.mit.edu/breadcrumbs/node/55
> >
> > Imagine logging into your user account, which itself is an OpenID, and
> > being able to be authenticated against all the web services you
> > typically use. This is probably a reality in most enterprise
> > environments, but for the lay-consumer (read: me) this is light years
> > away.
> >
> > OpenID + the MacOSX Keychain would be a very positive step in that
> > direction, especially if Mozilla and others could leverage it
> > generally, as Camino and Safari do.
> >
> > Chris
> >
> > On 10/17/06, Jaco Aizenman <skorpio at gmail.com> wrote:
> > > +1
> > >
> > >
> > > On 10/16/06, Drummond Reed <drummond.reed at cordance.net> wrote:
> > > > +1 for building ooTao's ph-off into the browser. It's a great utility -- I
> > > > use it every day. As Brad says, it's dramatically easier to maintain a short
> > > > whitelist of real IdPs rather than an infinite blacklist of fake ones.
> > > >
> > > > =Drummond
> > > >
> > > > -----Original Message-----
> > > > From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> > > > Behalf Of Brad Topliff
> > > > Sent: Monday, October 16, 2006 1:29 PM
> > > > To: general at openid.net
> > > > Subject: RE: Gathering requirements for in-browser OpenID support
> > > >
> > > > We (and when I say we, I mean Andy Dale) did some work on this
> > > > (http://xditao.blogspot.com/2006/09/you-should-ph-off.html) as a proof of
> > > > concept. It is alpha code, but it addresses some of the thoughts and
> > > > requirements that should go into this.
> > > >
> > > > To Scott's final comment, one of the big issues to be considered is the
> > > > logistical difference between showing something obviously POSITIVE when you
> > > > are at one of your few "trusted" IdPs as opposed to something NEGATIVE when
> > > > you are someplace "untrusted" (which is everywhere else).
> > > >
> > > > -Brad
> > > >
> > > > -----Original Message-----
> > > > From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> > > > Behalf Of Scott Kveton
> > > > Sent: Monday, October 16, 2006 12:32 PM
> > > > To: general at openid.net
> > > > Subject: Re: Gathering requirements for in-browser OpenID support
> > > >
> > > > Hey Rob,
> > > >
> > > > > I'm trying to gather requirements for OpenID support. I think I have a
> > > > > reasonable understanding of the draft, but part of the appeal of OpenID
> > > > > is that it doesn't necessarily require browser vendors to do anything :)
> > > > >
> > > > > I've seen the proposed 2617-style HTTP authentication scheme on the
> > > > > wiki. What else could browser vendors do to make OpenID a smoother
> > > > > experience for users?
> > > >
> > > > As I posted on the Mozilla wiki:
> > > >
> > > > http://wiki.mozilla.org/Firefox/Feature_Brainstorming#Identity
> > > >
> > > > I'd love to see some anti-phishing mojo baked into the browser. If the
> > > > user could set their trusted IdP (or multiple as the case may be) in the
> > > > browser and then have the browser do something obvious when the user is
> > > > presented with an "untrusted" page asking for their password that would
> > > > be great IMHO.
> > > >
> > > > - Scott
> > > >
> > > > _______________________________________________
> > > > general mailing list
> > > > general at openid.net
> > > > http://openid.net/mailman/listinfo/general
> > >
> > > --
> > > Jaco Aizenman L.
> > > My iname is =jaco (http://xri.net/=jaco)
> > > Founder - www.virtualrights.org
> > > XDI Board member - www.xdi.org
> > > Cofounder CEO - costarricense.com
> > > Tel/Voicemail: 506-3461570
> > > Costa Rica
> > >
> > > What is an i-name?
> > > http://en.wikipedia.org/wiki/I-name
> >
--
Chris Messina
Citizen Provocateur &
Open Source Ambassador-at-Large
Work: http://citizenagency.com
Blog: http://factoryjoe.com/blog
Cell: 412 225-1051
Skype: factoryjoe
This email is: [ ] bloggable [X] ask first [ ] private
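The whitelist-of-IdPs behaviour discussed in the thread, as an added example written for this page rather than code from the thread, from ooTao's ph-off, or from any browser vendor: the browser shows a positive cue only on an exact origin match against the user's short list of trusted IdPs, and a negative cue when any other page asks for a password. The IdP origins and sample URLs are constructed; the last function shows the same rule applied to a keychain-style credential store.

```javascript
// Added example, not code from the thread or from ooTao's ph-off.
// The trusted IdP list and the sample URLs below are constructed.

// Reduce a page URL to its origin: scheme + host + (non-default) port.
// Comparing whole origins rather than hostname substrings is what makes
// lookalikes such as "idp.example.com.evil.test", or a plain-http copy of
// an HTTPS IdP, fall on the untrusted side.
function originOf(urlString) {
  return new URL(urlString).origin;   // throws on unparsable input
}

// The user's short whitelist of IdP origins (constructed values).
const TRUSTED_IDPS = new Set([
  "https://idp.example.com",
  "https://openid.example.org",
]);

// What the browser chrome should show for the current page:
//   "trusted" - the page is one of the user's IdPs: obvious POSITIVE cue
//   "warn"    - a password is requested somewhere that is not a known IdP
//   "neutral" - no password prompt, nothing to flag
function classifyPage(pageUrl, hasPasswordField) {
  let origin;
  try {
    origin = originOf(pageUrl);
  } catch (e) {
    return "warn";   // never show a positive cue for something we cannot parse
  }
  if (TRUSTED_IDPS.has(origin)) return "trusted";
  return hasPasswordField ? "warn" : "neutral";
}

// A keychain-style credential store should follow the same rule: release
// the IdP password only to the exact origin it was stored for.
function shouldReleaseCredential(pageUrl) {
  return classifyPage(pageUrl, true) === "trusted";
}
```

Note that a different port (for example `https://idp.example.com:8443`) is a different origin and stays untrusted until the user adds it explicitly.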