No subject


Fri Aug 15 23:49:43 UTC 2008


"openid.claimed_id" and "openid.identity" SHALL be either both present or both absent. If neither value is present, the assertion is not about an identifier, and will contain other information in its payload, using extensions (Extensions).

So you can't include one without the other. And having neither doesn't provide any authentication at all.


Resend, with intended addressing.

See end. That claim is formally true, unless the extension is doing its own auth.

I'd vote for an openid 2.1 doing the openid2 model of delegation more forcefully than before (to prevent version conflicts, like TLS had/has to deal with). Perhaps in an extension, let an openid2 RP interact with an openid1 OP, once it's learned (the hard way) to "fallback". This design round, fallback should be supported by an explicit security enforcing function crafted for the fallback security control.

One interesting "alternative" extension "doing auth" would be one that does the saml artifact resolver flow (over the extension, over the openid association, given a saml url bearing the artifact value is an entirely conforming claimedid url).

This would also be a nice act of protocol convergence, where the back channel security that saml2 artifact resolution requires would get all that the core of openid2 libraries bring: xrds metadata, https, discovery, dh associations (and persistent sp-side state management for delegation), xri AND even xri trusted resolution (using saml tokens for communicating a namespace's authority).

-----Original Message-----
From: Andrew Arnott <andrewarnott at gmail.com>
Sent: Friday, November 07, 2008 10:17 PM
To: Breno de Medeiros <breno at google.com>
Cc: OpenID List <general at openid.net>
Subject: [LIKELY_SPAM]Re: [OpenID] Problems with delegation and directed identity OPs

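An RP-side check of the both-or-neither rule quoted at the top of the message, plus the delegation case the subject line refers to, as an added Python example that is neither from this thread nor from any OpenID library. The parameter names are the OpenID 2.0 ones (openid.mode, openid.claimed_id, openid.identity, openid.op_endpoint); the sample assertions and the "discovered" values are constructed.

```python
from urllib.parse import parse_qs

def parse_assertion(query):
    """Flatten a positive-assertion query string. A repeated key is
    ambiguous for a security check, so it is rejected outright."""
    out = {}
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if len(values) != 1:
            raise ValueError("duplicate parameter: " + key)
        out[key] = values[0]
    return out

def classify_assertion(query):
    """Apply the both-or-neither rule from the spec text. Returns
    ("invalid", reason), ("extension_only", None) or ("identifier", params).
    'extension_only' means no identifier was asserted, so nothing about
    who the user is has been authenticated, whatever extensions carry."""
    p = parse_assertion(query)
    if p.get("openid.mode") != "id_res":
        return ("invalid", "not a positive assertion")
    has_claimed = "openid.claimed_id" in p
    has_identity = "openid.identity" in p
    if has_claimed != has_identity:
        return ("invalid", "claimed_id and identity must both be present or both absent")
    if not has_claimed:
        return ("extension_only", None)
    return ("identifier", p)

def identifier_matches_discovery(p, discovered):
    """Delegation check: openid.identity is the OP-Local Identifier and may
    legitimately differ from openid.claimed_id, but only in the way the RP's
    own discovery on the Claimed Identifier says. `discovered` is what the
    RP found itself (constructed here), never data taken from the assertion."""
    claimed = p["openid.claimed_id"].split("#", 1)[0]  # compare without any trailing fragment
    return (claimed == discovered["claimed_id"]
            and p["openid.identity"] == discovered.get("op_local_id", discovered["claimed_id"])
            and p.get("openid.op_endpoint") == discovered["op_endpoint"])

# Constructed sample: alice.example delegates to an OP-local identifier at op.example.
DISCOVERED = {"claimed_id": "https://alice.example/",
              "op_local_id": "https://op.example/u/alice",
              "op_endpoint": "https://op.example/ep"}

if __name__ == "__main__":
    good = ("openid.mode=id_res&openid.claimed_id=https://alice.example/"
            "&openid.identity=https://op.example/u/alice&openid.op_endpoint=https://op.example/ep")
    kind, p = classify_assertion(good)
    print(kind, identifier_matches_discovery(p, DISCOVERED))  # identifier True
```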


More information about the general mailing list