[OpenID] Fwd: [dotnetopenid] DotNetOpenAuth announces support of the Government profile of OpenID
John Bradley
john.bradley at wingaa.com
Thu Sep 10 01:11:45 UTC 2009
I don't know if anyone is going to do this, but this is how it would
work for the sake of discussion.
It would be a directed identity flow with XRI discovery.
The button at the RP would trigger discovery for something like
@freexri.
The resulting XRD would have the OP Identifier Element <Type> http://specs.openid.net/auth/2.0/server
The RP would then initiate the request with http://specs.openid.net/auth/2.0/identifier_select
as the claimed_id and identity.
The OP after authentication would create a pairwise XRI canonicalID to
return as the claimed_id.
The RP performs XRI discovery on the claimedID as it normally would
and retrieves the XRDS via XRI resolution of the claimed_id.
The OP is going to have to programmatically generate the XRDS for the
iNumber in question.
The OP needs to use a two or more subsegment iNumber so that it is
authoritative for the last subsegment.
I don't know of any OP doing this now and if they did, I don't know if
any of the RP code is going to correctly resolve an XRI returned as a
claimed_id.
I expect Andrew to chime in that he has it done or it is in the next
version.
The community iNumber would not be portable between OPs as a top
level iNumber is.
There are other reasons you may want to do it with XRI, but I don't
see a big advantage to it in this scenario.
John B.
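The directed-identity flow sketched above, worked through from the RP side as an added example (this is not code from the thread, from DotNetOpenAuth or from any of the OPs named). It assumes constructed XRDS documents, a hypothetical two-subsegment i-number `@!1234.5678!9ABC.DEF0`, and made-up endpoints at `op.example` and `rp.example`; XRI discovery is simulated on the embedded documents rather than performed over the network. The part worth attention is `verify_assertion`: because the RP sent `identifier_select`, it must run discovery on whatever claimed_id comes back and confirm that the OP that produced the assertion is the one discovery names for that identifier, otherwise any OP could assert any i-number.

```python
"""Constructed example of the RP side of the directed-identity flow described
above (added here; not code from the thread or from DotNetOpenAuth).  All XRDS
documents, identifiers and URLs are made up for illustration, and discovery is
simulated on embedded documents rather than performed over the network."""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

OPENID_NS = "http://specs.openid.net/auth/2.0"
SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"   # OP Identifier service
SIGNON_TYPE = "http://specs.openid.net/auth/2.0/signon"   # claimed identifier service
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
XRD_NS = "xri://$xrd*($v*2.0)"

# Constructed XRD that XRI discovery on the community i-name would return:
# an OP Identifier element of type .../server, as in the thread.
OP_XRDS = f"""<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="{XRD_NS}">
  <XRD><Service><Type>{SERVER_TYPE}</Type><URI>https://op.example/openid</URI></Service></XRD>
</xrds:XRDS>"""

# Constructed XRDS the OP generates on the fly for the pairwise i-number it
# asserts; "@!1234.5678!9ABC.DEF0" is a hypothetical two-subsegment i-number.
ASSERTED_XRDS = f"""<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="{XRD_NS}">
  <XRD>
    <CanonicalID>@!1234.5678!9ABC.DEF0</CanonicalID>
    <Service><Type>{SIGNON_TYPE}</Type><URI>https://op.example/openid</URI></Service>
  </XRD>
</xrds:XRDS>"""

def parse_xrds(xrds_text):
    """Extract CanonicalID and (types, URI) per Service from an XRDS document."""
    root = ET.fromstring(xrds_text)
    xrd = root.find(f"{{{XRD_NS}}}XRD")
    if xrd is None:
        raise ValueError("XRDS has no XRD element")
    cid = xrd.findtext(f"{{{XRD_NS}}}CanonicalID")
    services = []
    for svc in xrd.findall(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        uri = svc.findtext(f"{{{XRD_NS}}}URI")
        services.append((types, uri.strip() if uri else None))
    return {"canonical_id": cid.strip() if cid else None, "services": services}

def endpoint_for(doc, service_type):
    """Return the OP endpoint URI of the first Service carrying service_type."""
    for types, uri in doc["services"]:
        if service_type in types and uri:
            return uri
    return None

def build_checkid_request(op_endpoint, return_to, realm):
    """Directed identity: both claimed_id and identity are identifier_select."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return op_endpoint + "?" + urlencode(params)

def inumber_subsegments(xri):
    """Subsegments of a persistent XRI (i-number); [] for i-names or non-XRIs."""
    if xri.startswith("xri://"):
        xri = xri[6:]
    if not xri or xri[0] not in "=@+$!":
        return []
    body = xri[1:] if xri[0] in "=@+$" else xri
    parts = body.split("!")
    if parts[0] != "":            # e.g. "@freexri": reassignable i-name, not an i-number
        return []
    return [p for p in parts[1:] if p]

def verify_assertion(assertion, discovered, trusted_endpoints):
    """RP checks on a positive assertion whose claimed_id came back via
    identifier_select.  Returns (ok, reason).  Signature, nonce and
    return_to verification are out of scope here and must still be done."""
    claimed = assertion.get("openid.claimed_id")
    if claimed in (None, IDENTIFIER_SELECT):
        return False, "OP did not replace identifier_select with a real claimed_id"
    if claimed != discovered["canonical_id"]:
        return False, "claimed_id is not the CanonicalID found by discovery"
    endpoint = endpoint_for(discovered, SIGNON_TYPE)
    if endpoint is None or endpoint != assertion.get("openid.op_endpoint"):
        return False, "op_endpoint does not match the endpoint discovered for claimed_id"
    if endpoint not in trusted_endpoints:
        return False, "asserting OP is not one of the RP's certified providers"
    if len(inumber_subsegments(claimed)) < 2:     # community i-number, per the thread
        return False, "expected a community i-number with two or more subsegments"
    return True, "ok"

# Constructed positive assertion as it would arrive at return_to.
SAMPLE_ASSERTION = {
    "openid.ns": OPENID_NS,
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/openid",
    "openid.claimed_id": "@!1234.5678!9ABC.DEF0",
    "openid.identity": "@!1234.5678!9ABC.DEF0",
}

def run_flow(assertion=SAMPLE_ASSERTION):
    """Walk the flow on the embedded documents; returns (request_url, ok, reason)."""
    op_endpoint = endpoint_for(parse_xrds(OP_XRDS), SERVER_TYPE)   # discovery on the community i-name
    url = build_checkid_request(op_endpoint, "https://rp.example/return", "https://rp.example/")
    discovered = parse_xrds(ASSERTED_XRDS)                          # discovery on the returned i-number
    ok, reason = verify_assertion(assertion, discovered, {op_endpoint})
    return url, ok, reason

if __name__ == "__main__":
    print(run_flow())
```

The `trusted_endpoints` check is stricter than the base OpenID 2.0 verification and reflects the button-per-certified-provider model discussed in the thread; `inumber_subsegments` only recognises fully persistent i-numbers, so a reassignable i-name such as `@freexri` is rejected as a claimed_id.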
On 2009-09-09, at 2:28 PM, Peter Williams wrote:
> Can you describe a legal flow with an XRI, in the .gov profile for
> LOA1?
>
> In the beginning there was the button, in a nascar array of
> federally-trusted providers, on plebs.gov.
>
> Let's start there.
>
>
> -----Original Message-----
> From: John Bradley [mailto:john.bradley at wingaa.com]
> Sent: Wednesday, September 09, 2009 9:31 AM
> To: Peter Williams
> Cc: openid-general at lists.openid.net
> Subject: Re: [OpenID] Fwd: [dotnetopenid] DotNetOpenAuth announces
> support of the Government profile of OpenID
>
> We will see what happens as we move forward.
>
> SP-800-63 is not friendly to the idea of self assertion.
>
> I had to leave p-cards out of the initial info-card profile as well
> for some of the same issues.
>
> I am hoping to address correlatable and other sorts of self asserted
> identities where there is no IdP to certify in upcoming revisions to
> the profiles.
>
> This is what we could get agreement on as a first step.
>
> There are a number of UX issues that will need to be addressed as the
> number of certified IdPs grows.
>
> John B.
> On 2009-09-09, at 12:14 PM, Peter Williams wrote:
>
>> Don't worry about the uci evil label. I was never under any
>> illusions that it was not viable. You guys marketed with it fine,
>> and I got to use it to overcome the over stodgy practices of the saml
>> world. As always, things meet somewhere in the middle.
>>
>> I'm also glad to see live is not in the
>>
>> On Sep 9, 2009, at 9:08 AM, "John Bradley" <john.bradley at wingaa.com> wrote:
>>
>> It was early I forgot to copy the general list.
>>
>> John B.
>>
>> Begin forwarded message:
>>
>> From: John Bradley <ve7jtb at ve7jtb.com>
>> Date: September 9, 2009 10:03:44 AM GMT-04:00
>> To: dotnetopenid at googlegroups.com
>> Subject: Re: [dotnetopenid] DotNetOpenAuth announces support of the
>> Government profile of OpenID
>>
>> I want to thank Andrew Arnott, Johnny Bufu and many others for their
>> feedback during the process of developing the GSA profile for openID.
>>
>> Today we have Six OPs announcing support for the profile and the GSA
>> Pilot: AOL, Google, Yahoo, Verisign, and Wave.
>> <http://openid.net/2009/09/09/yahoo-paypal-google-equifax-aol-verisign-acxiom-citi-privo-wave-systems-pilot-open-identity-for-open-government/>
>>
>> Andrew has helped build the test RP that is available at
>> <http://test-id.org> that we have been using for the last several
>> months to help the IdPs conform to the profile.
>>
>> <http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf>
>>
>> If other IdPs are interested in participating they can contact the
>> OIDF or myself for more information.
>>
>> Getting 5 OPs ready to go into this pilot has been a major
>> challenge.
>>
>> I would like to thank all of the 5 OPs for their commitment to
>> openID and to making this happen.
>>
>> This is a big day on the openID and federated identity adoption
>> curve.
>>
>> Thanks
>> John Bradley
>>
>> PS No delegation is not supported by the profile. No you cannot
>> enter a vanity URL or any other identifier for privacy and non
>> correlation reasons. Yes XRI is allowed, but even I can't see why
>> you would bother given the profile. Yes I am an evil and loathsome
>> person for violating the principles of UCI (Sorry about that)
>>
>>
>> On 2009-09-09, at 9:34 AM, Andrew Arnott wrote:
>>
>> DotNetOpenAuth community:
>>
>> The government has just announced
>> <http://www.idmanagement.gov/drilldown.cfm?action=openID_openGOV>
>> that they are piloting accepting OpenID on several of their web
>> sites, and the major OpenID Providers (Google, Yahoo, AOL, PayPal,
>> Verisign) will be supporting Providers
>> <http://openid.net/u-s-government-openid-pilot-program-participants/>
>> of this new Government profile for OpenID.
>>
>> What is this "government profile"
>> <http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf>?
>> Basically it's a set of rules that an OP and RP must follow.
>> These rules are more restrictive than, but nonetheless compliant
>> with, the OpenID 2.0 spec. For example, HTTPS must be used
>> throughout the process, and shared associations must only last up to
>> a given maximum length of time.
>>
>> I'm very pleased to announce that DotNetOpenAuth has support for
>> this government profile, and in fact is the underlying library used
>> by the NIH for its OpenID RP support. Watch for a new release of
>> DNOA (3.2.1) in the next day or two that actually includes the
>> government profile in it. (We could release it earlier than today's
>> announcement).
>>
>> More in the news
>> <http://www.techcrunch.com/2009/09/09/us-government-to-embrace-openid-courtesy-of-google-yahoo-paypal-et-al/>
>>
>> --
>> Andrew Arnott
>> "I [may] not agree with what you have to say, but I'll defend to the
>> death your right to say it." - S. G. Tallentyre
>>
>>
>> _______________________________________________
>> general mailing list
>> general at lists.openid.net<mailto:general at lists.openid.net>
>> http://lists.openid.net/mailman/listinfo/openid-general
>