[OpenID] JOID Question

Peter Williams pwilliams at rapattoni.com
Thu Aug 16 17:09:11 UTC 2007


Operationally, we (surely!) cannot expect a million provider deployments (wanting to talk to JOID) to each look at the JOID source code first!  A million is obviously an under-estimate, since browser-users can "self-provide" in OpenID.
 
My very obvious suggestion was... could the same info as in the JOID README be put in a (signed) FOAF file stored on the JOID operational Consumer website... with the same info, in some relationship-based format?
 
Though OpenID Auth 2.0 draft.11 protocol allows the user-centric optional XRDS file to state what the claimant constrains a flow to be, this is not finding out what the robot actually supports, through metadata.
 
Though FOAF might be thought of as applying only to social networks of "human girl has friend who is human other girl, who has boy friend -- who first girl states she really fancies" ... the same relationship pattern and search queries on the RDF graph can surely be exploited to address OpenID robot agents.
 
I.e. IDP Proxy chain (of several SAML handoffs) inverse-reliance-relates to OpenID Provider, which inverse-reliance-relates to OpenID Consumer. The network needs formalization. And, in terms of (US) national initiatives, wasn't the ActiveNetwork investment that DARPA made in RDF intended to produce exactly this kind of application ... to metadata-driven robot-agent activities?
 
----------
 
The trust in JOID to reverse the "delegation" is a technical one, not one unique to JOID's operator. The nature of the technical OpenID handshake puts the burden to "reverse the delegation" on any and all Consumers. The question is, operationally, how does the user applying informed consent at the provider know the consumer does it right? And, how will it treat both OpenIDs that it has in its possession (in the delegated OpenID model).
 
As the JanRain demo-server CLEARLY indicates to users, JOID (or any other consumer) is providing a "trust point" - in OpenID terminology. Now, how do we set a reliance relationship in metadata so its trustworthiness in operating a trust-point is denoted?
 
(Hopefully, I got my use of denotational semantics right; it was back in 1988 when I went on that computer science course of study.)
 
 
 


________________________________

From: Hans Granqvist [mailto:hans at yubico.com]
Sent: Thu 8/16/2007 9:43 AM
To: Peter Williams
Cc: general at openid.net
Subject: Re: [OpenID] JOID Question




On 8/16/07, Peter Williams <pwilliams at rapattoni.com> wrote: 

	Almost about to try my own SAML-gateway provider with JOID in practice, I realized I don't know its compliance level (auth 1.0, auth1.1, open 2.0 draft 10, draft 11...). I've also no 


OpenID 1.1 as well as 2.0 #11 is covered (see http://joid.googlecode.com/svn/trunk/README.txt. I could have been clearer in stating #11, you're right) 


	clue whether I really trust JOID technically in any case, concerning its obligations to reverse the delegation on the JOID end of the critical security handshake.


Not sure what this means, could you explain? 


Thanks,
Hans




-- 
Hans Granqvist
http://www.yubico.com/




