[OpenID] Building on the OpenID PAPE specification

David Recordon drecordon at sixapart.com
Tue Oct 14 15:53:37 UTC 2008


We need to better document this process both to make it easier for  
other groups to get started, but also for it to become easier to  
understand (it is all in http://openid.net/ipr/OpenID_Process_Document_(Final_Clean_20071221).pdf).
What Dick said is 90% correct though I actually believe it is the  
following:

1) A group of people decide they want to create a spec.
2) They write up a charter and send it to specs at openid.net for  
discussion driving toward consensus on the proposal.
3) After discussion they send it to the specs council to approve.
4) Once the specs council has approved it a new mailing list is  
created and you must have signed the IPR Contribution Agreement to  
post to the list.
5) The working group does their work driving to consensus on drafts  
and ultimately to an implementor's draft which triggers an IPR review  
period.
6) Once the working group is done (final implementor's draft, IP review  
done by contributors, some interoperable implementations) they submit  
it to the OIDF membership for final approval as a completed OpenID spec.

--David

On Oct 8, 2008, at 9:08 AM, Krall, Gary wrote:

> Dick:
>
> And correct me if I'm wrong but it is my understanding that all  
> participants and members of the WG/mailing list must have also executed a  
> Contribution Agreement found on this page:  http://openid.net/foundation/intellectual-property/
>
> Gary.
>
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net]On
> Behalf Of Dick Hardt
> Sent: Wednesday, October 08, 2008 9:00 AM
> To: Nat
> Cc: general at openid.net
> Subject: Re: [OpenID] Building on the OpenID PAPE specification
>
>
> Sure Nat, here is how *I* understand it is supposed to work
>
> David Recordon was the architect of the process, so hopefully he will
> chime in to clarify anything I have wrong below.
>
> 1) A group of people decide they want to create a spec.
> 2) They write up a charter and submit it to the specifications  
> council.
> 3) The specs council reviews it and approves based on being complete.
> 4) The charter is then put to the OIDF membership for creation of a  
> WG.
> 5) WG creates private mailing list for creating spec
> 6) WG submits spec to OIDF membership for approval
>
> In the case of PAPE (4) was done by mail I believe. Note that there
> had been significant discussion about PAPE on one of the mailing lists
> prior to the creation of the specifications process.
>
> As a community, if there is consensus that the process above is flawed
> and there is a better alternative, we can change it.
>
> -- Dick
>
> On 7-Oct-08, at 4:32 PM, Nat wrote:
>
>> Dick,
>>
>> Perhaps you can clarify to the list
>>
>> a) How the charter is submitted for public review and for how long
>> b) How the charter gets approved
>>
>> so that the community has a better idea of OpenID process.
>>
>> The normative document is not particularly easy to read so I believe
>> that this will help the community.
>>
>> =nat at TOKYO via iPhone
>>
>> On 2008/10/08, at 7:00, Dick Hardt <dick.hardt at gmail.com> wrote:
>>
>>> OMG!  I was stating that it is too late to set the charter for the
>>> WG.
>>> Clearly the charter was set and approved.
>>>
>>> Hopefully we can go back to talk about the technology and move
>>> forward.
>>>
>>> -- Dick
>>>
>>> On 7-Oct-08, at 12:41 PM, Peter Williams wrote:
>>>
>>>> Not sure about that "deal is done". I'd expect a community call for
>>>> comments. What the steering group can do is consider all comments
>>>> and reject them, on their merits. That issue based rejection  
>>>> becomes
>>>> part of the record, then. We then get past the "anonymous
>>>> designers made (uncitable)  low assurance tradeoff decisions
>>>> concerning protocol security, therefore a high nist authn assurance
>>>> is necessarily degraded by the very nature of openid to low/no
>>>> assurance" style IA-/evaluation-time claims.
>>>>
>>>> It's clear that wider discussion is warranted and merited, as your
>>>> own post seeks to argue a case.
>>>>
>>>> -----Original Message-----
>>>> From: Dick Hardt <dick.hardt at gmail.com>
>>>> Sent: Tuesday, October 07, 2008 12:03 PM
>>>> To: Brian Kelly <brian.kelly at trustbearer.com>
>>>> Cc: general at openid.net <general at openid.net>
>>>> Subject: Re: [OpenID] Building on the OpenID PAPE specification
>>>>
>>>>
>>>> Brian
>>>>
>>>> I can understand why the WG would reject something that was not
>>>> within
>>>> the charter. The time for you to have gotten involved would have
>>>> been
>>>> at the creation of the charter. Water under the bridge now.
>>>>
>>>> I read over your blog post, but I'm unclear on why an RP *needs* to
>>>> understand the kind of authentication that was used?  There is a
>>>> tendency for entities to *want* as much control as possible --  
>>>> but I
>>>> don't follow the logic for why  they *need* it. Would you  
>>>> elaborate?
>>>>
>>>> -- Dick
>>>>
>>>> On 7-Oct-08, at 6:39 AM, Brian Kelly wrote:
>>>>
>>>>> Dick,
>>>>>
>>>>> When we completed the first draft of PAPE-AM, we sent it to the
>>>>> PAPE
>>>>> specs working group list for input. It was promptly dismissed  
>>>>> since
>>>>> it went against the PAPE WG charter, which states that only high-
>>>>> level policies should be included in the spec.
>>>>>
>>>>> At that point the PAPE-AM team decided that it would be a good  
>>>>> idea
>>>>> to open the discussion up to the broader OpenID community to seek
>>>>> guidance on next-steps. I encourage the PAPE WG folks to comment  
>>>>> on
>>>>> this as well.
>>>>>
>>>>> To your second point about how the RP should not care about how  
>>>>> the
>>>>> user was authenticated, I agree that the trust needs to start at
>>>>> the
>>>>> OP. The main issue we were trying to address in PAPE-AM is that
>>>>> there is too much ambiguity in the high level policies as stated  
>>>>> in
>>>>> PAPE today. This ambiguity makes it difficult for both OPs and RPs
>>>>> to understand what kind of authentication was actually used.
>>>>>
>>>>> Brian
>>>>>
>>>>> On Oct 6, 2008, at 7:12 PM, Dick Hardt wrote:
>>>>>
>>>>>>
>>>>>> Brian: did you participate in the PAPE spec? That would have been
>>>>>> the place to have brought up this issue.
>>>>>>
>>>>>> Although I did not participate in the PAPE specification (only so
>>>>>> much time) -- I was supportive of the high level policies vs
>>>>>> specific technologies. The RP really does not (well, *should*  
>>>>>> not)
>>>>>> care about how the user was authenticated, just about how much
>>>>>> certainty the OP has that it is the user. It is the OP making the
>>>>>> assertion after all. Keep in mind I can have an OP that says that
>>>>>> all the factors were used, even if they were not.
>>>>>>
>>>>>> -- Dick
>>>>>>
>>>>>>
>>>>>> On 6-Oct-08, at 2:28 PM, Brian Kelly wrote:
>>>>>>
>>>>>>> A few months ago, some members from the OATH community and I got
>>>>>>> together to take a fresh look at the PAPE spec, what it was
>>>>>>> trying
>>>>>>> to
>>>>>>> accomplish, and how well it could be implemented. We started
>>>>>>> holding
>>>>>>> semi-weekly conference calls and over the period of a couple
>>>>>>> months we
>>>>>>> drafted up a slightly new take on PAPE.
>>>>>>>
>>>>>>> The main difference is that we defined a specific set of
>>>>>>> authentication methods, rather than only using high-level
>>>>>>> policies.
>>>>>>> After long discussions we found that there was too much  
>>>>>>> ambiguity
>>>>>>> in
>>>>>>> the high-level policies as defined today in PAPE. We created a
>>>>>>> draft
>>>>>>> of our modified specification, termed PAPE-Authentication
>>>>>>> Mechanisms
>>>>>>> (PAPE-AM), and we are beginning to socialize the concepts in  
>>>>>>> that
>>>>>>> draft.
>>>>>>>
>>>>>>> I published a blog post summarizing our motivations, and wanted
>>>>>>> to
>>>>>>> share it with the greater OpenID mailing list.
>>>>>>>
>>>>>>> http://openidtrustbearer.wordpress.com/2008/10/06/building-on-the-openid-pape-specification/
>>>>>>>
>>>>>>> I would appreciate hearing the thoughts of the readers on this
>>>>>>> mailing
>>>>>>> list. Please respond publicly, or feel free to contact me
>>>>>>> directly.
>>>>>>>
>>>>>>> Thank you,
>>>>>>> Brian
>>>>>>>
>>>>>>> --
>>>>>>> Brian Kelly
>>>>>>> TrustBearer Labs
>>>>>>> http://trustbearer.com
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> general mailing list
>>>>>>> general at openid.net
>>>>>>> http://openid.net/mailman/listinfo/general
>>>>>>
>>>>>
>>>>
>>>
>