[OpenID] OpenID in SMTP/IMAP/XMPP/etc
Lewis Adam-CAL022
Adam.Lewis at motorolasolutions.com
Thu Apr 5 01:58:07 UTC 2012
Hi Simon, are you working on this within the context of the abfab working group?
-adam
-----Original Message-----
From: openid-general-bounces at lists.openid.net [mailto:openid-general-bounces at lists.openid.net] On Behalf Of Simon Josefsson
Sent: Tuesday, April 03, 2012 7:17 AM
To: Peter Williams
Cc: general at openid.net
Subject: Re: [OpenID] OpenID in SMTP/IMAP/XMPP/etc
The "why" is indeed to get rid of the password exchange in
SMTP/IMAP/XMPP/etc. There is nothing more or less to it than that. I
strongly believe that if we want to make it easy to use OpenID (or SAML,
or any authentication technology) it must support non-web technology.
/Simon
Peter Williams <home_pw at msn.com> writes:
> You stated is what it does (alongside lots of other GSS API methods wrapped by SASL, to do the same GSS defined mechanism/service). It said nothing more than the original announcement (SASL now does openid auth, too, wrapped in GSS API constructs)
>
> But why does it need to exist?
>
> What is the distinguishing feature?
>
> Is it assurance, perhaps (since GSS is a gatekeeper on OS-mediated assurance for security mechanisms, typically)?
>
> For example, webby openid did something better than SAML2, properly using discovery of metadata to drive such as openid delegation, allow for failover or renaming of IDP endpoint domains, etc etc. And, it all used webby expression of such metadata (rel headers, or an XML file on an https or XRI resolver endpoint). This was "why" it did something distinct from SAML2's authReq protocol as delivered in practice (with which openid is functionally identical "at the GSS level"). The openid/oauth went a bit further, for API access to IDP followup-services (post-authn)
>
> The thing that originally attracted me to openid (in its webby incarnation) was the "vitality" of the infrastructure vision (not the bits on the wire protocol). This came from the merger of interests, in the XRI and YADIS come-together. Pre-semantic web, blogging looked to get us quite some distance along machine-readable, self-healing infrastructure - with a user-centric twinge even - at low cost (no long w3c arguments, on the nature of life or the imposition of a common reference model due to some German philosopher who died in 1850 before the phone was invented).
>
> Now what is the openid "auth protocol" bringing to the SASL world?
>
> Perhaps it's just that one password challenge at an IDP now ALSO addresses accessing the IMAP mailbox (and that is the "why"). If so... fine. Is there any more to it "in the vision"?
>
> We heard that much of the going-forward openid activity is focussed on the "device-centric" web (vs the browser-centric web). And... architecture was evolving to address this new focus. Perhaps the GSS/SASL is a part of that "vision" where not only are we/you accommodating new client-access devices, but non-webby services too (the IMAP mailbox, etc).
>
> (I cannot help feeling that openid - the technology - would really benefit from merging properly with SSL - defining a fourth "openid" certificate-type and/or sub-protocol on the SSL bearer - designed to tie two tunnels together in a 3-corner model. That would be so much better than all this endless glueware)
>
> ----------------------------------------
> From: simon@josefsson.org
> To: home_pw@msn.com
> CC: sakimura@gmail.com; general@openid.net
> Subject: Re: OpenID in SMTP/IMAP/XMPP/etc
> Date: Sat, 31 Mar 2012 09:44:01 +0200
>
> It allows clients to authenticate against servers using OpenID for
> protocols that uses SASL. That includes SMTP, IMAP, XMPP and so on. So
> far OpenID has been for web login only, but this changes that.
>
> /Simon
>
> Peter Williams <home_pw@msn.com> writes:
>
> > Why does it need to exist?
> >
> > What does it do that 156 other gss methods do not do?
> >
> > Sent from my iPhone
> >
> > On Mar 29, 2012, at 11:17 PM, "Nat Sakimura" <sakimura@gmail.com> wrote:
> >
> >> Great news!
> >>
> >> I will have a look at it.
> >>
> >> Cheers,
> >>
> >> Nat
> >>
> >> On Thu, Mar 29, 2012 at 4:29 AM, Simon Josefsson <simon@josefsson.org> wrote:
> >> Hi folks!
> >>
> >> I have been working on the IETF draft for OpenID in SASL:
> >>
> >> https://tools.ietf.org/html/draft-ietf-kitten-sasl-openid-08
> >>
> >> and now also implemented it in GNU SASL, see this writeup:
> >>
> >> https://lists.gnu.org/archive/html/help-gsasl/2012-03/msg00004.html
> >>
> >> I wanted to reach out to the OpenID community to find people who want to
> >> work on implementing/deploying this. If you have some interest in
> >> implementing OpenID support for your SASL-based application (SMTP, IMAP,
> >> XMPP, etc) let me know and I will try to help.
> >>
> >> If anyone else has implemented the OPENID20 mechanism, I would also love
> >> to do interop testing.
> >>
> >> Cheers,
> >> /Simon
> >> _______________________________________________
> >> general mailing list
> >> general@lists.openid.net
> >> http://lists.openid.net/mailman/listinfo/openid-general
> >>
> >> --
> >> Nat Sakimura (=nat)
> >> Chairman, OpenID Foundation
> >> http://nat.sakimura.org/
> >> @_nat_en
> >>