[OpenID] Orange Telecom Plays the Game of Interopability - Post this New on the Home?

Peter Williams pwilliams at rapattoni.com
Mon Jul 28 17:10:13 UTC 2008 

I would be delighted to learn its not true: that blogger requies a google login by openid-authenticating commentators

If you review back a few months ago, I discussed here my trials of using openid on google blogger. They included xri and myopenid urls. An openid from myopenid would not work for me on my own and others blogger accounts, but it would work for another discussion party (which may have been you, John). I finally determined that if I first logged into my google account (back then) I could indeed then leave openid authenticated comments on my own and other's (blogger hosted) blogs.

I concluded that it was necessary to have a google session on  blogger before the openid feature would work.

This could well be a bug, from how it manifests. Without google login first, one can seen and almost use the openid commenting feature - however it always fails to either discover or connect with the op (i no longer recall which) and gave a constant "protocol error" type exception report to the user. Ths happened for at least 2 ops, including myopenid.

This is all I know. Eveything else is deduction from the "assumed" design policy of google (which I postulated on the list). I recall postulating that a major commercial rp would indeed want the subscriber bound to its legal rules before acting in reliance on an op, for example. To obtain that legal regime, one could indeed accomplish the policy goal by forcing an a priori google login and (legal) session. Furthermore, using that mechanim to enforce such a policy is not at all unreasonable, as uncontrolled reliance must drive any corporate lawyer in the us almost paranoid at the sheer uncontrolled risks being taken, absent some kind of enfocible subscriber or relying party agreement.

-----Original Message-----
From: John Panzer <jpanzer at acm.org>
Sent: Monday, July 28, 2008 9:18 AM
To: Peter Williams <pwilliams at rapattoni.com>
Cc: Snorri <snorri at snorri.eu>; general at openid.net <general at openid.net>
Subject: Re: [OpenID] Orange Telecom Plays the Game of Interopability - Post this New on the Home?


Peter Williams wrote:
> What does the rp service do?
>
> More importantly, what does it not do?
>
> What is the security model adopted by this major telco?
>
> For example, you can leave openid comments on google blogs supported by any op, but only if and when you are first logged into a google account.
Not true AFAIK.  If true, please provide reproducible test case and
we'll fix it.

More information about the general mailing list