[OpenID] Configuration file for OpenID libraries?
Martin Paljak
martin at paljak.pri.ee
Thu May 15 17:24:26 UTC 2008
Hi Nat,

Handling reputation in an open and extensible way via OpenID is
definitely the thing to work on. At the same time the config file
proposal tries to introduce a new concept to the existing OpenID
software stack - a configuration file (in contrast to 'it is up to the
calling application to make interesting decisions from the data
provided by OpenID libraries') and thus also change the API a bit.

If we add a configurability step to the libraries now (php, python and
java cross my mind), it will be easier for RP-s to introduce new
extensions (think - reputation: <serviceurl> configuration file line)
to RP-s once the extension is ready.

Whitelisting and blacklisting have been discussed heavily before and
there are folks doing it right now at the application level over and
over again (to restrict to OP-s that provide certain certified data).

SSL certificate fingerprint checking would be necessary to make any
sensible PAPE-based decisions in the first place. I personally trust
more explicit trust relationships and dislike 'trusted root server'
lists. With the latest Debian OpenSSL crash, certificate hashes are of
course not THE final step but useful nevertheless ;)

If we added a protocol extension, we would still need to configure it
somehow. Instead of changing all the PHP plugins for open source
software when the extension is created, all packaged RP installations
could instantly benefit from the 'configurable to human beings'
feature :)

regards,
m.

On May 15, 2008, at 12:10 PM, Nat Sakimura wrote:
> I agree that these would be useful. At the same time however, I feel
> that creating something like "Reputation Service Extension" to the
> OpenID spec. so that sites are able to filter dynamically is better
> than ad hoc static filtering using white and black list. I think it
> fits the "Openness" philosophy of OpenID better as well.
>
> On Thu, May 15, 2008 at 2:11 PM, Martin Paljak
> <martin at paljak.pri.ee> wrote:
>> Hi.
>>
>> Currently OpenID libraries (for RP-s) seem to provide language
>> bindings for low level OpenID protocol handling and all 'interesting
>> stuff' is done by the programmer doing the integration. As OpenID
>> gets merged into more open source webapp packages, it might be useful
>> to provide a configuration file that is common across implementations
>> and allows declaring some "common" authorization bits:
>>
>> * whitelist: <regexp>
>> * blacklist: <regexp>
>> * fingerprint: <OP domain>:<OP SSL cert fingerprint>
>>
>> I'd like to know what the community thinks about the overall idea and
>> the given authorization steps.
>>
>> m.
>> --
>> Martin Paljak
>> http://martin.paljak.pri.ee
>> GSM: +3725156495
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
--
Martin Paljak
http://martin.paljak.pri.ee
GSM: +3725156495
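
Added example, not part of the original thread or of any OpenID library: one way an RP could parse and enforce the three directives proposed above. The `#` comment syntax, the evaluation order (blacklist first, then whitelist, then pin), matching against the OP endpoint URL, and the names `parse_config` and `op_allowed` are assumptions; the configured and observed fingerprints must use the same digest algorithm.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: hosts and the (shortened) fingerprint are made up.
SAMPLE_CONFIG = """\
# restrict logins to OPs under op.example, except one host
whitelist: https://([a-z0-9-]+\\.)?op\\.example/.*
blacklist: https://spam\\.op\\.example/.*
fingerprint: login.op.example:AB:CD:EF:01:23:45:67:89
"""

def _norm_fp(fp):
    # Accept "AB:CD:..." or "abcd..." and compare on bare lowercase hex.
    return fp.replace(":", "").replace(" ", "").lower()

def parse_config(text):
    cfg = {"whitelist": [], "blacklist": [], "fingerprint": {}}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value or key not in cfg:
            # Assumption: fail closed on anything the parser does not know.
            raise ValueError(f"line {n}: unrecognised directive {raw!r}")
        if key == "fingerprint":
            # Split on the first colon only: the fingerprint itself has colons.
            domain, sep, fp = value.partition(":")
            if not sep or not re.fullmatch(r"[0-9a-f]+", _norm_fp(fp)):
                raise ValueError(f"line {n}: bad fingerprint entry")
            cfg[key][domain.strip().lower()] = _norm_fp(fp)
        else:
            cfg[key].append(re.compile(value))
    return cfg

def op_allowed(cfg, op_endpoint, observed_fp):
    """Return (allowed, reason) for an OP endpoint URL and the cert fingerprint seen."""
    # fullmatch: an unanchored pattern must not match a fragment of the URL.
    if any(p.fullmatch(op_endpoint) for p in cfg["blacklist"]):
        return False, "blacklisted"
    if cfg["whitelist"] and not any(p.fullmatch(op_endpoint) for p in cfg["whitelist"]):
        return False, "not whitelisted"
    pinned = cfg["fingerprint"].get((urlsplit(op_endpoint).hostname or "").lower())
    if pinned is not None and _norm_fp(observed_fp or "") != pinned:
        return False, "fingerprint mismatch"
    return True, "ok"
```

Hosts without a `fingerprint:` line pass the pin step here; an RP that wants only explicit trust relationships would reject them instead.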