[OpenID] Configuration file for OpenID libraries?
Nat Sakimura
sakimura at gmail.com
Thu May 15 18:29:14 UTC 2008
Actually, that is a good point. In fact, we have done this kind of
thing to OpenID4Java so that we can plug in Reputation Service later
when it comes up. Right now, it just calls a dummy url and returns 1
or 0 by just reading a config file instead of making a real query to a
Reputation Service and making judgement based on it.
=nat
On Fri, May 16, 2008 at 2:24 AM, Martin Paljak <martin at paljak.pri.ee> wrote:
> Hi Nat,
>
> Handling reputation in an open and extensible way via OpenID is definitely the
> thing to work on. At the same time the config file proposal tries to
> introduce a new concept to the existing OpenID software stack - a
> configuration file (in contrast to 'it is up to the calling application to
> make interesting decisions from the data provided by OpenID libraries') and
> thus also change the API a bit.
>
> If we add a configurability step to the libraries now (php, python and java
> cross my mind), it will be easier for RP-s to introduce new extensions
> (think - reputation: <serviceurl> configuration file line) to RP-s once the
> extension is ready.
>
> Whitelisting and blacklisting have been discussed heavily before and there
> are folks doing it right now in application level over and over again (to
> restrict to OP-s that provide certain certified data).
>
> SSL certificate fingerprint checking would be necessary to make any sensible
> PAPE based decisions in the first place. I personally trust more explicit
> trust relationships and dislike 'trusted root server' lists. With the latest
> Debian OpenSSL crash, certificate hashes are of course not THE final step but
> useful nevertheless ;)
>
> If we added a protocol extension, we would still need to configure it
> somehow. Instead of changing all the PHP plugins for open source software
> when the extension is created, all packaged RP installations could instantly
> benefit from the 'configurable to human beings' feature :)
>
> regards,
>
> m.
>
> On May 15, 2008, at 12:10 PM, Nat Sakimura wrote:
>
>> I agree that these would be useful. At the same time however, I feel
>> that creating something like "Reputation Service Extension" to the
>> OpenID spec. so that sites are able to filter dynamically is better
>> than ad hoc static filtering using white and black list. I think it
>> fits the "Openness" philosophy of OpenID better as well.
>>
>> On Thu, May 15, 2008 at 2:11 PM, Martin Paljak <martin at paljak.pri.ee>
>> wrote:
>>>
>>> Hi.
>>>
>>> Currently OpenID libraries (for RP-s) seem to provide language
>>> bindings for low level openid protocol handling and all 'interesting
>>> stuff' is done by the programmer doing the integration. As OpenID gets
>>> merged into more opensource webapp packages, it might be useful to
>>> provide a configuration file that is common across implementations and
>>> allows one to declare some "common" authorization bits:
>>>
>>> * whitelist: <regexp>
>>> * blacklist: <regexp>
>>> * fingerprint: <OP domain>:<OP SSL cert fingerprint>
>>>
>>> I'd like to know what the community thinks about the overall idea and
>>> the given authorization steps.
>>>
>>> m.
>>> --
>>> Martin Paljak
>>> http://martin.paljak.pri.ee
>>> GSM: +3725156495
>>>
>>> _______________________________________________
>>> general mailing list
>>> general at openid.net
>>> http://openid.net/mailman/listinfo/general
>>>
>>
>> --
>> Nat Sakimura (=nat)
>> http://www.sakimura.org/en/
>
> --
> Martin Paljak
> http://martin.paljak.pri.ee
> GSM: +3725156495
>
--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
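A worked example of the configuration file Martin proposes (whitelist/blacklist regexps plus a per-OP SSL certificate fingerprint), added here and not code from the thread or from any OpenID library: it parses the three line types and makes the decision an RP would make before trusting an OP endpoint. The SHA-1 fingerprint helper, the `check_op` name, the rule precedence (blacklist, then pin, then whitelist) and the sample rules are assumptions; the thread does not specify which digest the fingerprint line carries.

```python
import hashlib
import re
from typing import Optional, Tuple
from urllib.parse import urlparse

def fingerprint_of(cert_der: bytes) -> str:
    """Colon-separated hex SHA-1 of a DER certificate (digest choice is an assumption)."""
    h = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def load_rules(text: str) -> dict:
    """Parse 'whitelist:', 'blacklist:' and 'fingerprint:' lines into rule tables."""
    rules = {"whitelist": [], "blacklist": [], "fingerprint": {}}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        if key in ("whitelist", "blacklist"):
            rules[key].append(re.compile(value))  # patterns are taken as written; anchor them
        elif key == "fingerprint":
            # Split on the first colon only: the fingerprint itself contains colons.
            domain, _, fp = value.partition(":")
            rules["fingerprint"][domain.strip().lower()] = fp.replace(":", "").lower()
        else:
            raise ValueError(f"line {lineno}: unknown directive {key!r}")
    return rules

def check_op(rules: dict, op_endpoint: str, cert_der: Optional[bytes] = None) -> Tuple[bool, str]:
    """Blacklist first, then the pinned fingerprint for the host (if any), then the whitelist."""
    for rx in rules["blacklist"]:
        if rx.search(op_endpoint):
            return False, f"blacklisted by /{rx.pattern}/"
    host = (urlparse(op_endpoint).hostname or "").lower()
    pinned = rules["fingerprint"].get(host)
    if pinned is not None:
        if cert_der is None:
            return False, f"{host} is pinned but no certificate was presented"
        if hashlib.sha1(cert_der).hexdigest() != pinned:
            return False, f"certificate fingerprint mismatch for {host}"
    if rules["whitelist"] and not any(rx.search(op_endpoint) for rx in rules["whitelist"]):
        return False, "OP not on whitelist"
    return True, "allowed"

# Constructed sample: a stand-in byte string plays the OP's DER certificate.
SAMPLE_CERT = b"constructed stand-in, not a real certificate"
SAMPLE_CONFIG = f"""
# RP authorization rules in the format proposed on the list
whitelist: ^https://[a-z0-9.-]+\\.example\\.org/
blacklist: ^https://openid\\.example\\.net/
fingerprint: id.example.org:{fingerprint_of(SAMPLE_CERT)}
"""
```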