[OpenID] unsubscribe

Joel Harris joelrharris at gmail.com
Mon Aug 10 19:18:27 UTC 2009


unsubscribe

On Mon, Aug 10, 2009 at 12:07 PM, <openid-general-request at lists.openid.net> wrote:

> Send general mailing list submissions to
>        openid-general at lists.openid.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        http://lists.openid.net/mailman/listinfo/openid-general
> or, via email, send a message with subject or body 'help' to
>        openid-general-request at lists.openid.net
>
> You can reach the person managing the list at
>        openid-general-owner at lists.openid.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of general digest..."
>
>
> Today's Topics:
>
>   1. Re:  Outsourcing headers - XRD(S), CSS? (Allen Tom)
>   2. Re:  Outsourcing headers - XRD(S), CSS? (Breno de Medeiros)
>   3. Re:  Outsourcing headers - XRD(S), CSS? (Allen Tom)
>   4. Re:  Outsourcing headers - XRD(S), CSS? (Breno de Medeiros)
>   5. Re:  Proxying (with OpenSocial) through
>      experimental.openid.net to promote OpenID (David Recordon)
>   6. Re:  Proxying (with OpenSocial) through
>      experimental.openid.net to promote OpenID (Allen Tom)
>   7. Re:  Proxying (with OpenSocial) through
>      experimental.openid.net to promote OpenID (SitG Admin)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 10 Aug 2009 10:12:09 -0700
> From: Allen Tom <atom at yahoo-inc.com>
> Subject: Re: [OpenID] Outsourcing headers - XRD(S), CSS?
> To: SitG Admin <sysadmin at shadowsinthegarden.com>
> Cc: openid-general at lists.openid.net
> Message-ID: <4A8054E9.4070408 at yahoo-inc.com>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
> Shade - are you asking about HTML based discovery?
>
> HTML based discovery definitely is great for usability, since the only
> requirement is that the user is able to edit the html on the OpenID
> page, rather than having to configure their webserver to return the
> special  X-XRDS-Location HTTP header. In a webhosting environment, the
> user might not have the ability or even the knowledge to configure their
> webserver.
>
> Unfortunately, from a security perspective, HTML based discovery has a
> lot of problems. If the content of the page is dynamically generated
> from untrusted inputs (for instance, the OpenID URL is a profile page
> with a Guestbook), an attacker might be able to insert OpenID discovery
> information into the page. Another problem is that the entire page needs
> to be downloaded in order to parse it, which is problematic since many
> pages are very heavyweight.
>
> Allen
>
> Nat Sakimura wrote:
> > That's actually host meta, I suppose.
> >
> > =nat
> >
> > On Mon, Aug 10, 2009 at 7:54 AM, SitG Admin
> > <sysadmin at shadowsinthegarden.com
> > <mailto:sysadmin at shadowsinthegarden.com>> wrote:
> >
> >     Not all sites allow users to fully customize their headers on the
> >     Profile page, but some do allow the user to specify other external
> >     files (such as CSS), containing expected data. This would be an
> >     awkward compatibility hack (and I'm not sure how many sites it
> >     would even help with), but what do you all think of an extension
> >     to the Discovery process allowing RP's to check other external
> >     files for comments containing OpenID declarations?
> >
> >     -Shade
> >     _______________________________________________
> >     general mailing list
> >     general at lists.openid.net <mailto:general at lists.openid.net>
> >     http://lists.openid.net/mailman/listinfo/openid-general
> >
> >
> >
> >
> > --
> > Nat Sakimura (=nat)
> > http://www.sakimura.org/en/
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 10 Aug 2009 10:19:34 -0700
> From: Breno de Medeiros <breno at google.com>
> Subject: Re: [OpenID] Outsourcing headers - XRD(S), CSS?
> To: Allen Tom <atom at yahoo-inc.com>
> Cc: openid-general at lists.openid.net
> Message-ID:
>        <29fb00360908101019x7af91183oae23166406bdf44d at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> This is not only a latency issue: Parsing HTML correctly is quite
> hard, because HTML code is often non-standard compliant. HTML
> discovery potentially hurts interoperability, since HTML clients are
> generally not interchangeable.
>
> On Mon, Aug 10, 2009 at 10:12 AM, Allen Tom<atom at yahoo-inc.com> wrote:
> > Another problem is that the entire page needs to be downloaded in order to
> > parse it, which is problematic since many pages are very heavyweight.
>
>
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 10 Aug 2009 10:24:54 -0700
> From: Allen Tom <atom at yahoo-inc.com>
> Subject: Re: [OpenID] Outsourcing headers - XRD(S), CSS?
> To: Breno de Medeiros <breno at google.com>,
>        openid-general at lists.openid.net
> Message-ID: <4A8057E6.2070303 at yahoo-inc.com>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
> I think most implementations just use regexes to extract the discovery
> information, since parsing html is hard, especially when it's not valid.
>
> Allen
>
>
> Breno de Medeiros wrote:
> > This is not only a latency issue: Parsing HTML correctly is quite
> > hard, because HTML code is often non-standard compliant. HTML
> > discovery potentially hurts interoperability, since HTML clients are
> > generally not interchangeable.
> >
> > On Mon, Aug 10, 2009 at 10:12 AM, Allen Tom<atom at yahoo-inc.com> wrote:
> >
> >> Another problem is that the entire page needs to be downloaded in order to
> >> parse it, which is problematic since many pages are very heavyweight.
> >>
> >
> >
> >
> >
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 10 Aug 2009 10:27:16 -0700
> From: Breno de Medeiros <breno at google.com>
> Subject: Re: [OpenID] Outsourcing headers - XRD(S), CSS?
> To: Allen Tom <atom at yahoo-inc.com>
> Cc: openid-general at lists.openid.net
> Message-ID:
>        <29fb00360908101027r59fdbb39n112bdcd92c8086bd at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> :)
>
> On Mon, Aug 10, 2009 at 10:24 AM, Allen Tom<atom at yahoo-inc.com> wrote:
> > I think most implementations just use regexes to extract the discovery
> > information, since parsing html is hard, especially when it's not valid.
> >
>
>
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 10 Aug 2009 10:31:11 -0700
> From: David Recordon <david at sixapart.com>
> Subject: Re: [OpenID] Proxying (with OpenSocial) through
>        experimental.openid.net to promote OpenID
> To: SitG Admin <sysadmin at shadowsinthegarden.com>
> Cc: openid-general at lists.openid.net
> Message-ID: <8DE72B74-1CDD-40C8-92CD-808131DC72D8 at sixapart.com>
> Content-Type: text/plain; charset=WINDOWS-1252; format=flowed;
>        delsp=yes
>
> While this idea isn't brand new - Simon Willison ran idproxy.net for a
> few years that turned Yahoo! accounts into OpenIDs - I don't think it
> is a viable long term solution.  Rather, usage of this sort of
> proxying shows a userbase's desire to have their accounts OpenID
> enabled to log in elsewhere.
>
> I would never want to see the OpenID Foundation run an OpenID Provider/
> Proxy for wide usage.  We should instead be creating a healthy
> ecosystem with plenty of providers and consumers.
>
> --David
>
> On Aug 9, 2009, at 9:55 PM, SitG Admin wrote:
>
> >> What don't you like?
> >
> > The centralization. It would make the OIDF's servers an appealing
> > target to those looking for Identity correlation.
> >
> > I've thought about it some more, though. It seems to me that the
> > opening here is only for OpenSocial sites where OpenID is impossible
> > (even by delegation), and the OIDF wouldn't be seeing the user's
> > activity from actual OP's, so attackers could only correlate
> > Identities from experimental sites the user was playing with (unless
> > they had logins with their own services, but that doesn't add much
> > to the OIDF's potential database). Furthermore,
> > experimental.openid.net really ought to be using SSL, so a savvy
> > user could easily bounce their (encrypted) connection around a proxy
> > or few before connecting, confusing even further the server's idea
> > of who a user was (and, its ability to associate them with any other
> > login). Relying on the average user to figure out proxies, though,
> > seems a bit much. Challenging them to follow a tutorial would chill
> > adoption, so perhaps just a warning (and maybe link to some stories
> > explaining what might happen).
> >
> > -Shade
>
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 10 Aug 2009 10:39:09 -0700
> From: Allen Tom <atom at yahoo-inc.com>
> Subject: Re: [OpenID] Proxying (with OpenSocial) through
>        experimental.openid.net to promote OpenID
> To: SitG Admin <sysadmin at shadowsinthegarden.com>,
>        openid-general at lists.openid.net
> Message-ID: <4A805B3D.2020605 at yahoo-inc.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Although we haven't quite released this yet, the Yahoo OP will soon be
> supporting OpenSocial's REST APIs, using the OpenID/OAuth Hybrid
> Extension for authorization.
>
>
> http://www.opensocial.org/Technical-Resources/opensocial-spec-v081/restful-protocol.html
>
> Allen
>
>
> SitG Admin wrote:
> > Disclaimer: though I like this idea - it would be *neat* if users of a
> > site that didn't even allow HTML headers to be inserted/set (but did
> > support OpenSocial),
>
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 10 Aug 2009 12:06:51 -0700
> From: SitG Admin <sysadmin at shadowsinthegarden.com>
> Subject: Re: [OpenID] Proxying (with OpenSocial) through
>        experimental.openid.net to promote OpenID
> To: David Recordon <david at sixapart.com>
> Cc: openid-general at lists.openid.net
> Message-ID: <f06110402c6a61d94990c@[192.168.0.2]>
> Content-Type: text/plain; charset="us-ascii" ; format="flowed"
>
> >Rather, usage of this sort of proxying shows a userbase's desire to
> >have their accounts OpenID enabled to log in elsewhere.
> >
> >I would never want to see the OpenID Foundation run an OpenID
> >Provider/Proxy for wide usage.  We should instead be creating a
> >healthy ecosystem with plenty of providers and consumers.
>
> Agreed. I was trying to come up with a way for users to subvert their
> social networking site's decision to ignore OpenID, then leverage
> their existing placement in the site's network to start a movement of
> long-time users bugging the admins for OpenID support. I don't think
> the first is really possible, though I am having some more thoughts
> on the second. It wouldn't have been very useful without attractive
> features on the RP's side, which we don't have much of yet - when
> there are a lot of things that can be done with OpenID (not just
> create an account elsewhere and use it to log in there, prefilling
> profile data, but intercommunication), it'll be easier for users to
> get excited.
>
> -Shade
>
>
> ------------------------------
>
>
>
> End of general Digest, Vol 36, Issue 4
> **************************************
>



-- 
Abraham Lincoln -
"Every man is said to have his peculiar ambition. Whether it be true or not,
I can say for one that I have no other so great as that of being truly
esteemed of my fellow men, by rendering myself worthy of their esteem. How
far I shall succeed in gratifying this ambition, is yet to be developed."

M.614.264.0286
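
The HTML-based discovery concern raised in Message 1 of the quoted digest (discovery information arriving through a guestbook on the profile page) combined with the regex extraction mentioned in Message 3, as an added example that is not part of the original thread or of any OpenID library. The sample page and both endpoint hosts are constructed placeholders; the second function shows the mitigation of accepting `<link>` elements only from the document's first `<head>`, which is where OpenID 2.0 HTML-based discovery places them.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a profile page used as an OpenID URL. The guestbook entry
# is untrusted input; both endpoint hosts are placeholders.
PAGE = """<html><head><title>Profile</title>
<link rel="openid2.provider" href="https://op.example/endpoint">
</head><body><h1>Guestbook</h1>
<div class="entry"><link rel="openid2.provider" href="https://injected.example/endpoint"></div>
</body></html>"""

LINK_RE = re.compile(r'<link[^>]*rel="openid2\.provider"[^>]*href="([^"]+)"', re.I)

def regex_discover(html):
    """Regex extraction: returns every matching <link>, wherever it appears."""
    return LINK_RE.findall(html)

class HeadOnlyDiscovery(HTMLParser):
    """Accept openid2.provider links only inside the document's first <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.head_done = False
        self.providers = []

    def handle_starttag(self, tag, attrs):
        if tag == "head" and not self.head_done:
            self.in_head = True
        elif tag == "body":
            # An unclosed <head> ends where <body> starts.
            self.in_head, self.head_done = False, True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            rels = (a.get("rel") or "").lower().split()
            if "openid2.provider" in rels and a.get("href"):
                self.providers.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            # Later <head> tags (for example inside user content) are ignored.
            self.in_head, self.head_done = False, True

def head_discover(html):
    parser = HeadOnlyDiscovery()
    parser.feed(html)
    parser.close()
    return parser.providers

if __name__ == "__main__":
    print("regex:    ", regex_discover(PAGE))
    print("head-only:", head_discover(PAGE))
```

A relying party that finds more than one provider link, or one outside `<head>`, can treat that as a signal to reject discovery for the URL.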