[OpenID] Fwd: [dotnetopenid] DotNetOpenAuth announces support of the Government profile of OpenID

Markus Sabadello markus.sabadello at gmail.com
Thu Sep 10 07:12:52 UTC 2009


FYI freexri.com (and fullxri.com) have partial support for this directed
identity (because I tried making HXRIs work with the Facebook OpenID
support).

If you make a request with
http://specs.openid.net/auth/2.0/identifier_select, the OP will ask you to
enter your i-name and PW instead of just your PW.

However the OP doesn't create a pairwise unique CanonicalID for the RP in
the manner you describe. Instead it simply returns your real i-number.

Markus
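The directed-identity flow this thread is discussing, worked through as an added example (this is not code from the original messages, nor from DotNetOpenAuth, freexri or any other OP or RP named here). The RP builds a checkid_setup request with identifier_select in both claimed_id and identity; the OP mints a pairwise i-number as a sub-segment under its own community i-number so that it is authoritative for it, generates the XRDS for that i-number on the fly, and the RP accepts the claimed_id only if the resolved XRDS carries the same CanonicalID. The OpenID 2.0 parameter names, the identifier_select URI and the XRDS element names are from the specs; the HMAC-over-(user i-number, RP host) derivation keyed by an OP-held secret, the community i-number `@!1234`, the user i-number, the realms and the endpoint URL are assumptions made for illustration. The last function is the check Markus describes above: does the OP return something pairwise, or the user's real i-number?

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse
from xml.sax.saxutils import escape

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
XRD_NS = "xri://$xrd*($v*2.0)"


def build_checkid_request(op_endpoint, return_to, realm):
    """RP side: a directed-identity checkid_setup request.

    Both openid.claimed_id and openid.identity carry identifier_select,
    so the OP, not the user, picks the identifier that comes back.
    """
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return op_endpoint + "?" + urlencode(params)


def rp_scope(realm):
    """Reduce an OpenID realm to the host the pairwise identifier is keyed on.

    A wildcard realm such as https://*.plebs.gov/ and a plain
    https://plebs.gov/login count as the same RP, so the user gets the
    same identifier at that RP on every login.
    """
    host = (urlparse(realm).hostname or "").lower()
    return host[2:] if host.startswith("*.") else host


def pairwise_inumber(op_inumber, user_inumber, realm, pairwise_key):
    """OP side (assumed scheme, not any real OP's): a per-RP i-number.

    The result is a sub-segment under the OP's community i-number, so the
    OP is authoritative for it and can serve an XRDS for it. The value is
    an HMAC of (real i-number, RP host) under an OP-held secret: stable for
    one RP, unlinkable across RPs, not invertible without pairwise_key.
    """
    msg = user_inumber.encode() + b"\x00" + rp_scope(realm).encode()
    mac = hmac.new(pairwise_key, msg, hashlib.sha256).digest()
    hexpart = mac[:8].hex().upper()  # 16 hex chars, formatted like an i-number
    subseg = ".".join(hexpart[i:i + 4] for i in range(0, 16, 4))
    return f"{op_inumber}!{subseg}"


def xrds_for(claimed_id, op_endpoint):
    """OP side: the XRDS the OP must generate programmatically for a minted
    pairwise i-number, since no registry has ever seen it."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="{XRD_NS}">\n'
        "  <XRD>\n"
        f"    <CanonicalID>{escape(claimed_id)}</CanonicalID>\n"
        '    <Service priority="0">\n'
        f"      <Type>{OPENID_NS}/signon</Type>\n"
        f"      <URI>{escape(op_endpoint)}</URI>\n"
        "    </Service>\n"
        "  </XRD>\n"
        "</xrds:XRDS>\n"
    )


def rp_accepts(xrds, claimed_id):
    """RP side: after resolving the returned claimed_id, accept it only if
    the XRDS asserts that same CanonicalID (the OpenID 2.0 rule for XRIs)."""
    root = ET.fromstring(xrds)
    cid = root.find(f"{{{XRD_NS}}}XRD/{{{XRD_NS}}}CanonicalID")
    return cid is not None and cid.text == claimed_id


def is_pairwise(op_inumber, real_inumber, claimed_id):
    """The test Markus ran: did the OP mint an identifier under its own
    authority, or simply hand back the user's real i-number?"""
    return claimed_id != real_inumber and claimed_id.startswith(op_inumber + "!")


if __name__ == "__main__":
    key = b"op-secret-pairwise-key"  # constructed for the demo
    user = "=!F83.62B1.44F.2813"      # constructed user i-number
    for realm in ("https://plebs.gov/*", "https://*.plebs.gov/login", "https://other.gov/"):
        cid = pairwise_inumber("@!1234", user, realm, key)
        print(realm, "->", cid, "pairwise:", is_pairwise("@!1234", user, cid))
    print(build_checkid_request("https://op.example/server",
                                "https://plebs.gov/return", "https://plebs.gov/*"))
```

The two plebs.gov realms yield the same claimed_id and other.gov a different one, which is the non-correlation property the government profile is after; an OP that returns the real i-number fails `is_pairwise` for every realm.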

On Thu, Sep 10, 2009 at 3:11 AM, John Bradley <john.bradley at wingaa.com> wrote:

> I don't know if anyone is going to do this, but this is how it would work
> for the sake of discussion.
>
> It would be a directed identity flow with XRI discovery.
>
> The button at the RP would trigger discovery for something like @freexri.
>
> The resulting XRD would have the OP Identifier Element <Type>
> http://specs.openid.net/auth/2.0/server
>
> The RP would then initiate the request with
> http://specs.openid.net/auth/2.0/identifier_select as the claimed_id and
> identity.
>
> The OP after authentication would create a pairwise XRI canonicalID to
> return as the claimed_id.
>
> The RP performs XRI discovery on the claimedID as it normally would and
> retrieves the XRDS via XRI resolution of the claimed_id.
>
> The OP is going to have to programmatically generate the XRDS for the
> iNumber in question.
>
> The OP needs to use a two or more subsegment iNumber so that it is
> authoritative for the last subsegment.
>
> I don't know of any OP doing this now and if they did, I don't know if any
> of the RP code is going to correctly resolve an XRI returned as a claimed_id.
>
> I expect Andrew to chime in that he has it done or it is in the next
> version.
>
> The community iNumber would not be portable between OPs as a top level
> iNumber is.
>
> There are other reasons you may want to do it with XRI, but I don't see a
> big advantage to it in this scenario.
>
> John B.
>
>
>
> On 2009-09-09, at 2:28 PM, Peter Williams wrote:
>
>> Can you describe a legal flow with an XRI, in the .gov profile for LOA1?
>>
>> In the beginning there was the button, in a nascar array of
>> federally-trusted providers, on plebs.gov.
>>
>> Let's start there.
>>
>>
>> -----Original Message-----
>> From: John Bradley [mailto:john.bradley at wingaa.com]
>> Sent: Wednesday, September 09, 2009 9:31 AM
>> To: Peter Williams
>> Cc: openid-general at lists.openid.net
>> Subject: Re: [OpenID] Fwd: [dotnetopenid] DotNetOpenAuth announces support
>> of the Government profile of OpenID
>>
>> We will see what happens as we move forward.
>>
>> SP-800-63 is not friendly to the idea of self assertion.
>>
>> I had to leave p-cards out of the initial info-card profile as well
>> for some of the same issues.
>>
>> I am hoping to address correlatable and other sorts of self asserted
>> identities where there is no IdP to certify in upcoming revisions to
>> the profiles.
>>
>> This is what we could get agreement on as a first step.
>>
>> There are a number of UX issues that will need to be addressed as the
>> number of certified IdPs grows.
>>
>> John B.
>> On 2009-09-09, at 12:14 PM, Peter Williams wrote:
>>
>>
>>>
>>>
>>> Don't worry about the uci evil label. I was never under any
>>> illusions that it was not viable. You guys marketed with it fine,
>>> and I got to use it to overcome the over stodgy practices of the saml
>>> world. As always, things meet somewhere in the middle.
>>>
>>> I'm also glad to see live is not in the
>>>
>>> On Sep 9, 2009, at 9:08 AM, "John Bradley" <john.bradley at wingaa.com> wrote:
>>>
>>> It was early I forgot to copy the general list.
>>>
>>> John B.
>>>
>>> Begin forwarded message:
>>>
>>> From: John Bradley <ve7jtb at ve7jtb.com>
>>> Date: September 9, 2009 10:03:44 AM GMT-04:00
>>> To: dotnetopenid at googlegroups.com
>>> Subject: Re: [dotnetopenid] DotNetOpenAuth announces support of the
>>> Government profile of OpenID
>>>
>>> I want to thank Andrew Arnott, Johnny Bufu and many others for their
>>> feedback during the process of developing the GSA profile for openID.
>>>
>>> Today we have six OPs announcing support for the profile and the GSA
>>> Pilot: AOL, Google, Yahoo, Verisign, and Wave.
>>> <http://openid.net/2009/09/09/yahoo-paypal-google-equifax-aol-verisign-acxiom-citi-privo-wave-systems-pilot-open-identity-for-open-government/>
>>> Andrew has helped build the test RP that is available at
>>> <http://test-id.org/> that we have been using for the last several
>>> months to help the IdP conform to the profile.
>>>
>>> <http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf>
>>>
>>> If other IdP are interested in participating they can contact the
>>> OIDF or myself for more information.
>>>
>>> Getting 5 OPs ready to go into this pilot has been a major challenge.
>>>
>>> I would like to thank all of the 5 OPs for their commitment to
>>> openID and to making this happen.
>>>
>>> This is a big day on the openID and federated identity adoption curve.
>>>
>>> Thanks
>>> John Bradley
>>>
>>> PS No delegation is not supported by the profile.  No you cannot
>>> enter a vanity URL or any other identifier for privacy and non
>>> correlation reasons.  Yes XRI is allowed, but even I can't see why
>>> you would bother given the profile.  Yes I am an evil and loathsome
>>> person for violating the principles of UCI (Sorry about that)
>>>
>>>
>>> On 2009-09-09, at 9:34 AM, Andrew Arnott wrote:
>>>
>>> DotNetOpenAuth community:
>>>
>>> The government has just announced
>>> <http://www.idmanagement.gov/drilldown.cfm?action=openID_openGOV>
>>> that they are piloting accepting OpenID on several of their web
>>> sites, and the major OpenID Providers (Google, Yahoo, AOL, PayPal,
>>> Verisign) will be supporting Providers
>>> <http://openid.net/u-s-government-openid-pilot-program-participants/>
>>> of this new Government profile for OpenID.
>>>>
>>>
>>> What is this "government profile"
>>> <http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf>?
>>> Basically it's a set of rules that an OP and RP must follow.
>>> These rules are more restrictive than, but nonetheless compliant
>>> with, the OpenID 2.0 spec.  For example, HTTPS must be used
>>> throughout the process, and shared associations must only last up to
>>> a given maximum length of time.
>>>
>>> I'm very pleased to announce that DotNetOpenAuth has support for
>>> this government profile, and in fact is the underlying library used
>>> by the NIH for its OpenID RP support.  Watch for a new release of
>>> DNOA (3.2.1) in the next day or two that actually includes the
>>> government profile in it.  (We could release it earlier than today's
>>> announcement).
>>>
>>> More in the news
>>> <http://www.techcrunch.com/2009/09/09/us-government-to-embrace-openid-courtesy-of-google-yahoo-paypal-et-al/>
>>>
>>> --
>>> Andrew Arnott
>>> "I [may] not agree with what you have to say, but I'll defend to the
>>> death your right to say it." - S. G. Tallentyre
>>>
>>>
>>> _______________________________________________
>>> general mailing list
>>> general at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-general
>>>
>>
>>