[OpenID] Fwd: [dotnetopenid] DotNetOpenAuth announces support of the Government profile of OpenID

Peter Williams pwilliams at rapattoni.com
Thu Sep 10 13:40:42 UTC 2009


I guess that the attempt to twist around the final i-number in the list of segments is an attempt to have it act as the mandatory PPID: a value that can accountlink to the government cross-agency id (and thus implement the linking-semantics of SAML2's federated-name).

But in SAML2, the user (not the IDP) gets to control the federated-name (even for the PPID/persistent variant), unlinking it when appropriate. Furthermore, the user gets to choose which of several IDP names can be account-linked (using PPIDs) to the common linking record at the RP. Perversely, the user has more control in the SAML2 model than in the now UCI-less openid profile.

This is the wrong thread to say this, but the profile is not surviving the early shakedown test. I see its goals, tradeoffs and compromises. They are articulated well enough and with enough personality and passion for even me to suspend my normal assumption of deception and double dealing at *anything* USG does in the security/privacy arena. But my gut is telling me that this profile of openid really is sacrificing the soul of the entire movement to win adoption. But I'm also convinced from watching 3 years' worth of subtexts that this was always the end goal of the leadership: dethrone SAML, usurp the crown, and do the same thing essentially with lighter-weight technology sold with a UCI-themed badge on the front -- to placate the plebs.


From: Markus Sabadello [mailto:markus.sabadello at gmail.com]
Sent: Thursday, September 10, 2009 12:13 AM
To: John Bradley
Cc: Peter Williams; openid-general at lists.openid.net
Subject: Re: [OpenID] Fwd: [dotnetopenid] DotNetOpenAuth announces support of the Government profile of OpenID

FYI freexri.com (and fullxri.com) have partial support for this directed identity (because I tried making HXRIs work with the Facebook OpenID support).

If you make a request with http://specs.openid.net/auth/2.0/identifier_select, the OP will ask you to enter your i-name and PW instead of just your PW.

However the OP doesn't create a pairwise unique CanonicalID for the RP in the manner you describe. Instead it simply returns your real i-number.

Markus
On Thu, Sep 10, 2009 at 3:11 AM, John Bradley <john.bradley at wingaa.com> wrote:
I don't know if anyone is going to do this, but this is how it would work for the sake of discussion.

It would be a directed identity flow with XRI discovery.

The button at the RP would trigger discovery for something like @freexri.

The resulting XRD would have the OP Identifier Element <Type> http://specs.openid.net/auth/2.0/server

The RP would then initiate the request with http://specs.openid.net/auth/2.0/identifier_select as the claimed_id and identity.

The OP after authentication would create a pairwise XRI canonicalID to return as the claimed_id.

The RP performs XRI discovery on the claimedID as it normally would and retrieves the XRDS via XRI resolution of the claimed_id.

The OP is going to have to programmatically generate the XRDS for the iNumber in question.

The OP needs to use a two or more subsegment iNumber so that it is authoritative for the last subsegment.

I don't know of any OP doing this now and if they did, I don't know if any of the RP code is going to correctly resolve a XRI returned as a claimed_id.

I expect Andrew to chime in that he has it done or it is in the next version.

The community iNumber would not be portable between OPs as a top level iNumber is.

There are other reasons you may want to do it with XRI, but I don't see a big advantage to it in this scenario.

John B.
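As an added illustration of the flow John sketches above (not code from this thread or from any of the projects named in it), here is one way an OP could mint the pairwise XRI claimed_id and serve the XRDS for it, and how the RP would check the resolved CanonicalID. The HMAC-based derivation, the community i-number, the endpoint and the secret are all constructed assumptions for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed values for this example; not a real i-number, endpoint or key.
COMMUNITY_INUMBER = "@!F1E2.D3C4.B5A6.9788"  # the OP's own community i-number
OP_ENDPOINT = "https://op.example/openid"
OP_SECRET = b"constructed-op-side-secret"    # never leaves the OP

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
SIGNON = "http://specs.openid.net/auth/2.0/signon"


def pairwise_subsegment(secret: bytes, local_user: str, realm: str) -> str:
    """Derive the per-(user, RP realm) subsegment. Keying an HMAC with an
    OP-held secret is this example's assumption: two RPs get unrelated values
    for the same user, and no RP can compute another user's identifier."""
    mac = hmac.new(secret, f"{local_user}\0{realm}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16].upper()


def pairwise_claimed_id(secret: bytes, local_user: str, realm: str) -> str:
    """Community i-number plus one more '!' subsegment the OP is authoritative for."""
    return f"{COMMUNITY_INUMBER}!{pairwise_subsegment(secret, local_user, realm)}"


def build_xrds(claimed_id: str) -> str:
    """XRDS the OP generates on demand when the RP resolves the claimed_id."""
    root = ET.Element(f"{{{XRDS_NS}}}XRDS")
    xrd = ET.SubElement(root, f"{{{XRD_NS}}}XRD")
    ET.SubElement(xrd, f"{{{XRD_NS}}}Status", code="100")  # resolution succeeded
    ET.SubElement(xrd, f"{{{XRD_NS}}}CanonicalID").text = claimed_id
    svc = ET.SubElement(xrd, f"{{{XRD_NS}}}Service")
    ET.SubElement(svc, f"{{{XRD_NS}}}Type").text = SIGNON
    ET.SubElement(svc, f"{{{XRD_NS}}}URI").text = OP_ENDPOINT
    return ET.tostring(root, encoding="unicode")


def rp_accepts(claimed_id: str, xrds_xml: str) -> bool:
    """RP side after resolving the asserted claimed_id: CanonicalID must match
    exactly and the XRD must advertise signon at the asserting endpoint."""
    xrd = ET.fromstring(xrds_xml).find(f"{{{XRD_NS}}}XRD")
    if xrd is None or xrd.findtext(f"{{{XRD_NS}}}CanonicalID") != claimed_id:
        return False
    for svc in xrd.iter(f"{{{XRD_NS}}}Service"):
        if svc.findtext(f"{{{XRD_NS}}}Type") == SIGNON and \
           svc.findtext(f"{{{XRD_NS}}}URI") == OP_ENDPOINT:
            return True
    return False
```

Because the pairwise subsegment hangs off the OP's own community i-number, the identifier is only resolvable through that OP, which is the portability trade-off John notes.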



On 2009-09-09, at 2:28 PM, Peter Williams wrote:
Can you describe a legal flow with an XRI, in the .gov profile for LOA1?

In the beginning there was the button, in a nascar array of federally-trusted providers, on plebs.gov.

Let's start there.


-----Original Message-----
From: John Bradley [mailto:john.bradley at wingaa.com]
Sent: Wednesday, September 09, 2009 9:31 AM
To: Peter Williams
Cc: openid-general at lists.openid.net
Subject: Re: [OpenID] Fwd: [dotnetopenid] DotNetOpenAuth announces support of the Government profile of OpenID

We will see what happens as we move forward.

SP-800-63 is not friendly to the idea of self assertion.

I had to leave p-cards out of the initial info-card profile as well
for some of the same issues.

I am hoping to address correlatable and other sorts of self asserted
identities where there is no IdP to certify in upcoming revisions to
the profiles.

This is what we could get agreement on as a first step.

There are a number of UX issues that will need to be addressed as the
number of certified IdPs grows.

John B.
On 2009-09-09, at 12:14 PM, Peter Williams wrote:



Don't worry about the UCI evil label. I was never under any
illusions that it was not viable. You guys marketed with it fine,
and I got to use it to overcome the over-stodgy practices of the SAML
world. As always, things meet somewhere in the middle.

I'm also glad to see live is not in the

On Sep 9, 2009, at 9:08 AM, "John Bradley" <john.bradley at wingaa.com> wrote:

It was early I forgot to copy the general list.

John B.

Begin forwarded message:

From: John Bradley <ve7jtb at ve7jtb.com>
Date: September 9, 2009 10:03:44 AM GMT-04:00
To: dotnetopenid at googlegroups.com
Subject: Re: [dotnetopenid] DotNetOpenAuth announces support of the
Government profile of OpenID

I want to thank Andrew Arnott, Johnny Bufu and many others for their
feedback during the process of developing the GSA profile for openID.

Today we have six OPs announcing support for the profile and the GSA
Pilot: AOL, Google, Yahoo, Verisign, and Wave.
<http://openid.net/2009/09/09/yahoo-paypal-google-equifax-aol-verisign-acxiom-citi-privo-wave-systems-pilot-open-identity-for-open-government/>
Andrew has helped build the test RP that is available at
<http://test-id.org/> that we have been using for the last several
months to help the IdPs conform to the profile.

<http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf>

If other IdPs are interested in participating they can contact the
OIDF or myself for more information.

Getting 5 OPs ready to go into this pilot has been a major challenge.

I would like to thank all of the 5 OPs for their commitment to
openID and to making this happen.

This is a big day on the openID and federated identity adoption curve.

Thanks
John Bradley

PS No, delegation is not supported by the profile. No, you cannot
enter a vanity URL or any other identifier, for privacy and
non-correlation reasons. Yes, XRI is allowed, but even I can't see why
you would bother given the profile. Yes, I am an evil and loathsome
person for violating the principles of UCI (sorry about that).


On 2009-09-09, at 9:34 AM, Andrew Arnott wrote:

DotNetOpenAuth community:

The government has just announced
<http://www.idmanagement.gov/drilldown.cfm?action=openID_openGOV>
that they are piloting accepting OpenID on several of their web
sites, and the major OpenID Providers (Google, Yahoo, AOL, PayPal,
Verisign) will be supporting Providers
<http://openid.net/u-s-government-openid-pilot-program-participants/>
of this new Government profile for OpenID.

What is this "government profile"
<http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf>?
Basically it's a set of rules that an OP and RP must follow.
These rules are more restrictive than, but nonetheless compliant
with, the OpenID 2.0 spec.  For example, HTTPS must be used
throughout the process, and shared associations must only last up to
a given maximum length of time.

I'm very pleased to announce that DotNetOpenAuth has support for
this government profile, and in fact is the underlying library used
by the NIH for its OpenID RP support.  Watch for a new release of
DNOA (3.2.1) in the next day or two that actually includes the
government profile in it.  (We could release it earlier than today's
announcement).

More in the news: <http://www.techcrunch.com/2009/09/09/us-government-to-embrace-openid-courtesy-of-google-yahoo-paypal-et-al/>


--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the
death your right to say it." - S. G. Tallentyre


_______________________________________________
general mailing list
general at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general

