[OpenID] OpenID in SMTP/IMAP/XMPP/etc
Nat Sakimura
sakimura at gmail.com
Tue Apr 3 22:31:37 UTC 2012
+1
On Tue, Apr 3, 2012 at 9:17 PM, Simon Josefsson <simon at josefsson.org> wrote:
> The "why" is indeed to get rid of the password exchange in
> SMTP/IMAP/XMPP/etc. There is nothing more or less to it than that. I
> strongly believe that if we want to make it easy to use OpenID (or SAML,
> or any authentication technology) it must support non-web technology.
>
> /Simon
>
> Peter Williams <home_pw at msn.com> writes:
>
> > You stated is what it does (alongside lots of other GSS API methods
> > wrapped by SASL, to do the same GSS defined mechanism/service). It said
> > nothing more than the original announcement (SASL now does openid auth, too,
> > wrapped in GSS API constructs)
> >
> > But why does it need to exist?
> >
> > What is the distinguishing feature?
> >
> > Is it assurance, perhaps (since GSS is a gatekeeper on OS-mediated
> > assurance for security mechanisms, typically).
> >
> > For example, webby openid did something better than SAML2, properly
> > using discovery of metadata to drive such as openid delegation, allow for
> > failover or renaming of IDP endpoint domains, etc etc. And, it all used
> > webby expression of such metadata (rel headers, or an XML file on an https
> > or XRI resolver endpoint). This was "why" it did something distinct from
> > SAML2's authReq protocol as delivered in practice (with which openid is
> > functionally identical "at the GSS level"). The openid/oauth went a bit
> > further, for API access to IDP followup-services (post-authn)
> >
> > The thing that originally attracted me to openid (in its webby
> > incarnation) was the "vitality" of the infrastructure vision (not the bits
> > on the wire protocol). This came from the merger of interests, in the XRI
> > and YADIS come-together. Pre-semantic web, blogging looked to get us quite
> > some distance along machine-readable, self-healing infrastructure - with a
> > user-centric twinge even - at low cost (no long w3c arguments, on the
> > nature of life or the imposition of a common reference model due to some
> > German philosopher who died in 1850 before the phone was invented).
> >
> > Now what is the openid "auth protocol" bringing to the SASL world?
> >
> > Perhaps it's just that one password challenge at an IDP now ALSO addresses
> > accessing the IMAP mailbox (and that is the "why"). If so... fine. Is there
> > any more to it "in the vision"?
> >
> > We heard that much of the going-forward openid activity is focussed on
> > the "device-centric" web (vs the browser-centric web). And... architecture
> > was evolving to address this new focus. Perhaps the GSS/SASL is a part of
> > that "vision" where not only are we/you accommodating new client-access
> > devices, but non-webby services too (the IMAP mailbox, etc).
> >
> > (I cannot help feeling that openid - the technology - would really
> > benefit from merging properly with SSL - defining a fourth "openid"
> > certificate-type and/or sub-protocol on the SSL bearer - designed to tie
> > two tunnels together in a 3-corner model. This would be so much better than
> > all this endless glueware)
> >
> > ----------------------------------------
> > > From: simon@josefsson.org
> > > To: home_pw@msn.com
> > > CC: sakimura@gmail.com; general@openid.net
> > > Subject: Re: OpenID in SMTP/IMAP/XMPP/etc
> > > Date: Sat, 31 Mar 2012 09:44:01 +0200
> > >
> > > It allows clients to authenticate against servers using OpenID for
> > > protocols that use SASL. That includes SMTP, IMAP, XMPP and so on. So
> > > far OpenID has been for web login only, but this changes that.
> > >
> > > /Simon
> > >
> > > Peter Williams <home_pw@msn.com> writes:
> > >
> > > > Why does it need to exist?
> > > >
> > > > What does it do that 156 other gss methods do not do?
> > > >
> > > > Sent from my iPhone
> > > >
> > > > On Mar 29, 2012, at 11:17 PM, "Nat Sakimura" <sakimura@gmail.com> wrote:
> > > >
> > > >> Great news!
> > > >>
> > > >> I will have a look at it.
> > > >>
> > > >> Cheers,
> > > >>
> > > >> Nat
> > > >>
> > > >> On Thu, Mar 29, 2012 at 4:29 AM, Simon Josefsson <simon@josefsson.org> wrote:
> > > >> Hi folks!
> > > >>
> > > >> I have been working on the IETF draft for OpenID in SASL:
> > > >>
> > > >> https://tools.ietf.org/html/draft-ietf-kitten-sasl-openid-08
> > > >>
> > > >> and now also implemented it in GNU SASL, see this writeup:
> > > >>
> > > >> https://lists.gnu.org/archive/html/help-gsasl/2012-03/msg00004.html
> > > >>
> > > >> I wanted to reach out to the OpenID community to find people who want to
> > > >> work on implementing/deploying this. If you have some interest in
> > > >> implementing OpenID support for your SASL-based application (SMTP, IMAP,
> > > >> XMPP, etc) let me know and I will try to help.
> > > >>
> > > >> If anyone else has implemented the OPENID20 mechanism, I would also love
> > > >> to do interop testing.
> > > >>
> > > >> Cheers,
> > > >> /Simon
> > > >> _______________________________________________
> > > >> general mailing list
> > > >> general@lists.openid.net
> > > >> http://lists.openid.net/mailman/listinfo/openid-general
> > > >>
> > > >>
> > > >> --
> > > >> Nat Sakimura (=nat)
> > > >> Chairman, OpenID Foundation
> > > >> http://nat.sakimura.org/
> > > >> @_nat_en
>
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en