[OpenID] Google custom discovery
Peter Williams
pwilliams at rapattoni.com
Fri Jul 10 18:14:03 UTC 2009
I recognize that openid discovery is inadequate for delegation management: of relying parties offloading to google service bus, of op parties offloading to google service bus, or of users delegating their names in the spirit of uci. We all know that this is what the xri architecture facilitates.
If an openid extension is the means used to distinguish between the discovery process built into openid auth (a partial xri discovery approach that is somewhat ambiguous and incomplete) and the "full" xri-based discovery, then I don't mind the use of an extension artifact. It's basically distinguishing between two versions of the same discovery model.
If the use of a new discovery artifact is the foil to introduce a non-xri model, I worry. If it's a foil to introduce even xri-based "exclusionary" trust federations (hub/spoke) based on mr oath's mantra expressed during the board election process (privacy is dead; get used to having none, sucker), I worry. I worry mostly, in all that, that we have passport "attitudes", and that means using the same means to break those attitudes as were used to break passport. I don't want to see folks subject to that process, as it has a side effect: it sets back mass adoption.
________________________________
From: Eric Sachs <esachs at google.com>
Sent: Friday, July 10, 2009 10:35 AM
To: Peter Williams <pwilliams at rapattoni.com>
Cc: Andrew Arnott <andrewarnott at gmail.com>; general at openid.net <general at openid.net>
Subject: Re: [OpenID] Google custom discovery
The feature in this area that we get more requests for is to support OpenID validation for the relatively new Google Profiles service, i.e. profiles.google.com, which is also a more memorable endpoint for users to type :-). That support is not yet available, but it's definitely on the list.
On Fri, Jul 10, 2009 at 10:16 AM, Peter Williams <pwilliams at rapattoni.com> wrote:
Let's hope it prompts google to do much better: http://op.google.com, forming the eminently typable "op.google.com".
They might even have that redirect to http://google.com/op, which they might make an xri mount point to the I-brokered authority that serves the op xrd/s. If their op is a real xri-labelled authority, a ref field in the sep can even properly provide for delegated authorization of xrd files by user authorities (which openid auth hacks up as openid delegation, when abusing the semantics of the op local id field per jonny bufu's recent message).
I don't think it's hard to meet professional security engineering standards within openid: just be complete about xri semantics (even when using http identifiers). We don't need custom extensions for discovery, particularly if they project idp-centric vs user-centric identity models.
But let's wait and see how they are signing the xrd files (the way the openxri server does it (per the standard), or "otherwise"). The validity logic for verifying that signature will tell us what class of trust semantics they are working towards: google as ttp for attribute sharing, or uci.
________________________________
From: Andrew Arnott <andrewarnott at gmail.com>
Sent: Thursday, July 09, 2009 8:30 PM
To: Peter Williams <pwilliams at rapattoni.com>
Cc: Eric Sachs <esachs at google.com>; general at openid.net <general at openid.net>; Paul Johnston <paj at pajhome.org.uk>
Subject: Re: [OpenID] What is my Google OpenID URL?
Wow. I'm going to have to use that tinyurl everywhere now. :-p
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
On Thu, Jul 9, 2009 at 8:24 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
come on google, it takes you 10s to have a redirector URL (op.google.com, perhaps?) redirect to the https://www.google.com/accounts/o8/id. Conforming RPs are required to follow the redirect, before detecting that the XRD at that address is a law#4-capable OP, vs a user.
http://tinyurl.com/googop now produces
<?xml version="1.0" encoding="UTF-8" ?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
    </Service>
  </XRD>
</xrds:XRDS>
I'm sure google can do better than tinyurl.com!
How about op.google.com?!
________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Andrew Arnott [andrewarnott at gmail.com]
Sent: Thursday, July 09, 2009 7:16 PM
To: Eric Sachs
Cc: general at openid.net; Paul Johnston
Subject: Re: [OpenID] What is my Google OpenID URL?
Note that using your Blogger blog URL is not equivalent to using https://www.google.com/accounts/o8/id. Besides the user interface of the login experience being completely different, Blogger's Provider is only an OpenID 1.1 provider, whereas Google's https://www.google.com/accounts/o8/id OpenID Provider is a more secure OpenID 2.0 provider.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
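The two points made above, Peter's that a conforming RP follows the redirect and only then reads the XRD at the final URL to tell an OP Identifier (Google's generic endpoint) from a user's own identifier, and Andrew's that a Blogger URL reaches an OpenID 1.1 provider while https://www.google.com/accounts/o8/id reaches an OpenID 2.0 one, can be seen in one small discovery routine. What follows is an added example for this thread, not code from Google, Blogger, or any library mentioned here. It runs against an in-memory stand-in for the web: the Google XRDS is a copy of the one quoted above, while the user XRDS, the HTML page, the redirect table and every host other than google.com and tinyurl.com are constructed for the example. Real Yadis discovery also honours an X-XRDS-Location header and HTML meta tag, which this example omits.

```python
"""OpenID discovery classifier (added example): follow redirects, then decide
whether the document at the final URL describes an OP Identifier (directed
identity) or a user's Claimed Identifier, and whether the provider speaks
OpenID 2.0 (XRDS) or 1.1 (HTML <link rel>)."""
import re
import sys
from typing import NamedTuple, Optional
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"                    # XRD 2.0 namespace, Clark notation
OP_IDENTIFIER = "http://specs.openid.net/auth/2.0/server"
CLAIMED_ID = "http://specs.openid.net/auth/2.0/signon"


class Endpoint(NamedTuple):
    op_endpoint: str
    claimed_id: Optional[str]   # None when the user typed an OP Identifier
    local_id: Optional[str]     # OP-Local Identifier / openid.delegate, if any
    version: str                # "2.0" (XRDS) or "1.1" (HTML link rel)


# Copy of the XRDS quoted in the thread for Google's OP Identifier.
GOOGLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service priority="0">
    <Type>http://specs.openid.net/auth/2.0/server</Type>
    <Type>http://openid.net/srv/ax/1.0</Type>
    <URI>https://www.google.com/accounts/o8/ud</URI>
  </Service></XRD>
</xrds:XRDS>"""

# Constructed XRDS a user might publish at her own URL to delegate to Google.
USER_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service priority="10">
    <Type>http://specs.openid.net/auth/2.0/signon</Type>
    <URI>https://www.google.com/accounts/o8/ud</URI>
    <LocalID>https://www.google.com/accounts/o8/id?id=AItOawexample</LocalID>
  </Service></XRD>
</xrds:XRDS>"""

# Constructed HTML page advertising an OpenID 1.1 provider via <link rel>.
BLOG_HTML = """<html><head><title>blog</title>
<link href="https://blog.example/openid-server" rel="openid.server">
<link rel="openid.delegate" href="http://paul.blog.example/">
</head><body></body></html>"""

# Constructed in-memory stand-in for the web so the example runs offline.
REDIRECTS = {
    "http://tinyurl.com/googop": "https://www.google.com/accounts/o8/id",
    "http://loop.example/": "http://loop.example/",          # redirect loop
}
DOCUMENTS = {
    "https://www.google.com/accounts/o8/id": ("application/xrds+xml", GOOGLE_XRDS),
    "https://alice.example/": ("application/xrds+xml", USER_XRDS),
    "http://paul.blog.example/": ("text/html", BLOG_HTML),
}


def fetch(url: str, max_redirects: int = 10):
    """Follow redirects (bounded) and return (final_url, content_type, body)."""
    for _ in range(max_redirects + 1):
        if url in REDIRECTS:
            url = REDIRECTS[url]
            continue
        if url in DOCUMENTS:
            return (url,) + DOCUMENTS[url]
        raise LookupError(f"no document at {url}")
    raise RuntimeError("redirect limit exceeded")


def _children(elem, tag):
    return [c for c in elem if c.tag == XRD + tag and c.text]


def parse_xrds(final_url: str, body: str) -> Optional[Endpoint]:
    """Pick the best <Service>; a server (OP Identifier) entry wins over signon,
    and the URL reached after redirects becomes the Claimed Identifier."""
    ops, signons = [], []
    for svc in ET.fromstring(body.encode("utf-8")).iter(XRD + "Service"):
        types = {t.text.strip() for t in _children(svc, "Type")}
        uris = _children(svc, "URI")
        if not uris:
            continue
        prio = int(svc.get("priority", sys.maxsize))
        uri = uris[0].text.strip()
        if OP_IDENTIFIER in types:
            ops.append((prio, Endpoint(uri, None, None, "2.0")))
        elif CLAIMED_ID in types:
            local = _children(svc, "LocalID")
            local_id = local[0].text.strip() if local else None
            signons.append((prio, Endpoint(uri, final_url, local_id, "2.0")))
    best = ops or signons
    return min(best, key=lambda p: p[0])[1] if best else None


LINK_RE = re.compile(r"<link\b[^>]*>", re.I)
ATTR_RE = re.compile(r'\b(rel|href)\s*=\s*["\']([^"\']*)["\']', re.I)


def parse_html(final_url: str, html: str) -> Optional[Endpoint]:
    """OpenID 1.1 HTML discovery: <link rel="openid.server"> / "openid.delegate"."""
    server = delegate = None
    for tag in LINK_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        rels = attrs.get("rel", "").lower().split()
        if "openid.server" in rels:
            server = attrs.get("href")
        if "openid.delegate" in rels:
            delegate = attrs.get("href")
    return Endpoint(server, final_url, delegate, "1.1") if server else None


def discover(user_input: str) -> Optional[Endpoint]:
    """Normalise the typed identifier, follow redirects, classify the final URL."""
    url = user_input if "://" in user_input else "http://" + user_input
    final_url, ctype, body = fetch(url)
    if "xrds" in ctype:
        return parse_xrds(final_url, body)
    return parse_html(final_url, body)
```

Typing the tinyurl redirector yields an Endpoint with claimed_id None, i.e. the RP learns it was handed an OP Identifier and must expect an opaque identifier back; typing a user's own URL yields that final URL as the Claimed Identifier with the LocalID carried along; the HTML page yields a 1.1 endpoint. The redirect limit is the one check worth keeping even in a toy: an RP that follows redirects without a bound is trivially stalled by a looping identifier.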
On Thu, Jul 9, 2009 at 6:38 PM, Eric Sachs <esachs at google.com> wrote:
If you create a blog on Google's blogger service, then you can type the name of that blog into OpenID login boxes.
If you are willing to be really geeky, type in https://www.google.com/accounts/o8/id. That points to the generic Google identity provider, and you will be redirected back with an opaque identifier. But we don't actually expect anyone to know to do that which is why a lot of OpenID relying parties are supporting other user interfaces with buttons for Google. For example, see http://uservoice.com/session/new
Similarly a lot of blogs allow you to comment and identify you with an OpenID URL, and while you can try one of the tricks above, many of the blog commenting interfaces also include buttons (or the NASCAR style UI as the community likes to call it) to help users navigate their way through.
On Tue, Jul 7, 2009 at 11:34 PM, Paul Johnston <paj at pajhome.org.uk> wrote:
Hi,
I'm sorry for asking such an obvious question, but after considerable
time spent searching for this I am unable to figure this out.
My google account name is paul.paj. I would like to login to
bitbucket.org using OpenID. How do I do it?
Paul
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general