[OpenID] Weighing In on TechCrunch's "Is OpenID Being Exploited By The Big Internet Companies?"

Wed Mar 26 18:33:49 UTC 2008

1. At plaxo webapp, @blog*lockbox works. Nice experience
https://www.plaxo.com/signin

2. At Rapattoni linking-consumer, @blog*lockbox we have a nice.
http://rapattoni.trustbearer.com/consumer/?user_openid=@blog*lockbox&title=SWMR%20LOGIN%20PAGE%20SIMULATION&redirect=http://swmrsso.rapmlsstg.com/idp/startSSO.ping?PARTNER=rapattoni:mlsstgswmichigan:entityId
3. At skip email-replicator webapp, @blog*lockbox is rejected - because something about my XRI or the XRI infrastructure is "unauthoritative". I - the user - just know it doesnt work.

4. At Blogger, @blog*lockbox doesnt work because blogger doesn't (yet) support openid2, and thus directed-id...Yahoo interaction, etc. When it does work, we will see if one can leave authenticated comments as (authoritative) XRIs identities, without having to be signed in to the GooglePlex.
5. At plaxo webapp, @freeid*lockbox works. Nice experience. Unfortuantely, I cannot ever manage to authenticate myself to the OP at freeid, due to password provisioning issues. Email login only get one very limited management rights on the OP, not including openid setup , account linking of infocards, etc
https://www.plaxo.com/signin

6 At Rapattoni linking-consumer, @freeid*lockbox gets relayed to a horrid OP user login page (showing canonical IDs). A review of hints from John, JanRain notes about possible library bugs and trying again to the spec (about what must happen in id_req with cliamed_id and identity) left us confounded about what is and is not compliant behaviour concerning the openid.identity field, particularly when distinguishing various XRI resolution cases: (i) forwarding i-services (ii) multiple authoritative aliases for an i-number (iii) canonical i-number resolution.

Now,  given all that, If I had power over time and space, Id have NIST come in and create a uniform test case spec, enumerating the classical cases of XRI usage and publishing the test vectors - so we have a consistent operating standard by which to judge operational compliance. But, I dont have that power! 

Peter.

From: Johnny Bufu
Sent: Tue 3/25/2008 7:25 PM
To: Peter Williams
Cc: Dick Hardt; openid-general List
Subject: Re: [OpenID] Weighing In on TechCrunch's "Is OpenID Being Exploited By The Big Internet Companies?"

On 24-Mar-08, at 4:16 PM, Peter Williams wrote:

> At https://verify.sxip.com/email/auth/request  @blog*lockbox  
> doesn't resolve.
>
> Can you move the site up to OpenID2 compliance?

It actually is; the error that I see in the logs (which should be  
better exposed in the interface) is "ProviderID is not authoritative  
for the CanonicalID".

OpenID4Java performs this (quite important) verification step, while  
the underlying openxri library and xri.net were not (at least the  
last time I talked to the people in charge there).

Johnny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20080326/bcbc8521/attachment-0001.htm>