<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
        {mso-style-priority:99;
        mso-style-link:"Plain Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.5pt;
        font-family:Consolas;}
span.PlainTextChar
        {mso-style-name:"Plain Text Char";
        mso-style-priority:99;
        mso-style-link:"Plain Text";
        font-family:Consolas;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='color:#1F497D'>For 6 and 7, as long as the
Provider maintains the OpenID Authentication request through the login
redirects then it shouldn't be a problem. It just needs to maintain the
state so once the user logs in they can proceed, allow the OpenID request, and
then have the Provider redirect them back to the RP.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>--David<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Peter Williams
[mailto:pwilliams@rapattoni.com] <br>
<b>Sent:</b> Sunday, July 08, 2007 2:53 PM<br>
<b>To:</b> Recordon, David; general@openid.net<br>
<b>Subject:</b> RE: [OpenID] canonical Identifier URL, without using delegated
authentication<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoPlainText>The only amendment I'd make concerns 6 and 7.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>Hey Peter,<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>I think I'm following you...<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>1) The End User provides<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>https://login.rapmlsstg.com/IdpSsoHandler2.aspx?Target=https%3a%2f%2fsso.rapmlsstg.com%3a12030%2fidp%2fstartSSO.ping%3fPartnerSpId%3drapattoni:stg:customer%26IdpAdapterId=STGIdp%26TargetResource%3dhttps%3a%2f%2peteraccount.rapdata.com/&amp;Contract=2
to the RP.<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText style='margin-left:.5in'>2) The RP fetches the Claimed
Identifier which has a series of 302<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>Redirects (to a logged out
user-agent...the RP) which end at<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>https://peteraccount.rapdata.com/.<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>3) https://peteraccount.rapdata.com/
is now the canonicalized Claimed<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>Identifier.<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>4) The RP performs discovery on
the Claimed Identifier resulting in an<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>HTML-Based Discovery
openid.server tag with the value of<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>https://login.rapmlsstg.com/sp/SsoHandler.aspx.<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>5) The RP redirects the user to<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>https://login.rapmlsstg.com/sp/SsoHandler.aspx
with the appropriate<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>OpenID Authentication request.<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>6) The user authenticates
however they need to, or is already<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>authenticated.<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>7) The user allows the
transaction at their Provider which responds to<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>the RP.<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText style='margin-left:.5in'>--David<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText><span style='color:black'>6) The sp/SsoHandler.aspx
redirects the browser with 302 responses one or more times, to some remote
login-site where the user authenticates however they need to, or is already
authenticated.<o:p></o:p></span></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText><span style='color:black'>7) After user authentication,
the login site redirects the browser one or more times back to
sp/SsoHandler.aspx, whereupon the user allows the transaction at their Provider
which responds to the RP.<o:p></o:p></span></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText><span style='color:black'>If we can agree that this is
generally consistent with the intent and model of OpenID, I'll go and build it.
It would be merely an extension of the OpenID experiment we already performed,
with folks at www.scardsoft.com.<o:p></o:p></span></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText><span style='color:black'>FYI: <o:p></o:p></span></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText><span style='color:black'>The redirects on the front and
back ends provide me with great added value. They will allow me to resolve such
things as XRIs without using a proxy architecture. An XRI form of Claimed Identity (<a
href="https://mls.com/=Peter.Williams">https://mls.com/=Peter.Williams</a>) can
now be resolved as a side effect of OP provider discovery. Similarly, a
protocol of “trusted redirects” can secure the discovery process
itself, automatically deliver name-federation-based name resolution, and
optionally automatically use pseudonyms to enforce privacy firewalls during a
discovery run that the discovery subsystem recognizes as crossing security
domain boundaries.<o:p></o:p></span></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText>-----Original Message-----<o:p></o:p></p>
<p class=MsoPlainText>From: general-bounces@openid.net
[mailto:general-bounces@openid.net] On<o:p></o:p></p>
<p class=MsoPlainText>Behalf Of Peter Williams<o:p></o:p></p>
<p class=MsoPlainText>Sent: Friday, July 06, 2007 11:39 PM<o:p></o:p></p>
<p class=MsoPlainText>To: general@openid.net<o:p></o:p></p>
<p class=MsoPlainText>Subject: [OpenID] canonical Identifier URL, without using
delegated<o:p></o:p></p>
<p class=MsoPlainText>authentication<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Let's test an edge case of the following "Note"
in the specification:<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>
"The End User is NOT REQUIRED to prefix their Identifier<o:p></o:p></p>
<p class=MsoPlainText>URL with "http://" or postfix it with a trailing
slash. Consumers MUST<o:p></o:p></p>
<p class=MsoPlainText>canonicalize the Identifier URL, following redirects, and
note the final<o:p></o:p></p>
<p class=MsoPlainText>URL. The final, canonicalized URL is the End User's
Identifier. "<o:p></o:p></p>
<p class=MsoPlainText>[http://openid.net/specs/openid-authentication-1_1.html]<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>This seems to imply that if the Consumer gets a series of
302 HTTP<o:p></o:p></p>
<p class=MsoPlainText>redirects it must follow the location headers in the
response(s) till it<o:p></o:p></p>
<p class=MsoPlainText>receives a 200 response which also delivers an HTML
resource (with at<o:p></o:p></p>
<p class=MsoPlainText>least markup for the openid.server link value).<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>OK. Let's now pick a silly (but legal) edge case of this
rule. Let's make<o:p></o:p></p>
<p class=MsoPlainText>the "Identifier URL" typed into the Login field
[s3.2]:<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>https://login.rapmlsstg.com/IdpSsoHandler2.aspx?Target=https%3a%2f%2fsso.rapmlsstg.com%3a12030%2fidp%2fstartSSO.ping%3fPartnerSpId%3drapattoni:stg:customer%26IdpAdapterId=STGIdp%26TargetResource%3dhttps%3a%2f%2peteraccount.rapdata.com/&amp;Contract=2<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Ugh! You might say. But, such a convoluted value is
really NOT beyond<o:p></o:p></p>
<p class=MsoPlainText>the realm of possibility for machine-based logon. We
have all seen what<o:p></o:p></p>
<p class=MsoPlainText>Microsoft Word conversion to HTML did to the use of HTML
markup, making<o:p></o:p></p>
<p class=MsoPlainText>it unreadable by humans!<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Now, if we follow the Important Note in the spec, the
Consumer shall<o:p></o:p></p>
<p class=MsoPlainText>apparently follow the redirects caused by that URL's
resolution. As the<o:p></o:p></p>
<p class=MsoPlainText>resource at the URL happens to cause (for authorized
users) an<o:p></o:p></p>
<p class=MsoPlainText>IDP-initiated SAML flow (via, say, the REDIRECT binding),
a series of<o:p></o:p></p>
<p class=MsoPlainText>redirects will occur eventually landing on a site for the
URL<o:p></o:p></p>
<p class=MsoPlainText>peteraccount.rapdata.com
&lt;http://www.peteraccount.crsdata.com&gt; etc (if<o:p></o:p></p>
<p class=MsoPlainText>the DNS registrations and SAML trust relations all hold
up, at<o:p></o:p></p>
<p class=MsoPlainText>evaluation time).<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>From what I can determine, once https delivers the HTML
document<o:p></o:p></p>
<p class=MsoPlainText>(according to and satisfying the Consumer's SSL key
management policy)<o:p></o:p></p>
<p class=MsoPlainText>the "final URL" is https://peteraccount.rapdata.com/.
This string,<o:p></o:p></p>
<p class=MsoPlainText>furthermore, is the "final, canonicalized URL"
(in the absence of an<o:p></o:p></p>
<p class=MsoPlainText>openid.delegated link field value in the HTML document
delivered over<o:p></o:p></p>
<p class=MsoPlainText>https). This is thus the "End User's
Identifier".<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>------------<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Let's continue the thought experiment:<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Let's say that the openid.server link value is<o:p></o:p></p>
<p class=MsoPlainText>https://login.rapmlsstg.com/sp/SsoHandler.aspx. We can
note that this<o:p></o:p></p>
<p class=MsoPlainText>URL has little formal relationship to the End User's
Identifier<o:p></o:p></p>
<p class=MsoPlainText>https://peteraccount.rapdata.com/ <o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Nevertheless, the consumer can now expect to find an OP
Provider<o:p></o:p></p>
<p class=MsoPlainText>listener at that link value URL. If this is true, the
consumer agent and<o:p></o:p></p>
<p class=MsoPlainText>provider agent then engage in the "OpenID
Authentication Protocol".<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>In the course of completing the protocol, the provider
agent will<o:p></o:p></p>
<p class=MsoPlainText>normally be required to perform BY MEANS BEYOND THE SCOPE
OF OPENID AUTH<o:p></o:p></p>
<p class=MsoPlainText>SPEC, user authentication - before it supplies the
"cryptographic proof"<o:p></o:p></p>
<p class=MsoPlainText>that a user controls the End User's Identifier. After
following some<o:p></o:p></p>
<p class=MsoPlainText>series of locally-defined redirects to a form-login page,
users might<o:p></o:p></p>
<p class=MsoPlainText>perform this by completing the action of typing in a
correct<o:p></o:p></p>
<p class=MsoPlainText>username/password combination.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Is there any flaw in my understanding, in any of the
above? <o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Are the examples "complying"?<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText> <o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>_______________________________________________<o:p></o:p></p>
<p class=MsoPlainText>general mailing list<o:p></o:p></p>
<p class=MsoPlainText>general@openid.net<o:p></o:p></p>
<p class=MsoPlainText>http://openid.net/mailman/listinfo/general<o:p></o:p></p>
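<p class=MsoNormal>The canonicalisation and HTML-based discovery steps the thread walks through, as an added example that is not code from the thread or from either participant: an RP follows the 302 chain to the final URL, which becomes the Identifier, and then reads the openid.server / openid.delegate link tags. The example.test hosts and their redirect table are constructed, and the redirect cap and the refusal to follow an https-to-http downgrade are assumed RP policy, not spec requirements.</p>

```python
# Added example (not the thread's own code): an RP canonicalising an OpenID 1.1
# Identifier URL per the spec "Note", then doing HTML-based discovery offline.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

MAX_REDIRECTS = 10  # assumption: the spec sets no cap; an RP must pick one
# Constructed hosts standing in for HTTP, mirroring the thread's chain.
SITE = {
    "https://login.example.test/IdpSsoHandler2.aspx?Target=sso":
        (302, {"Location": "https://sso.example.test/idp/startSSO"}, ""),
    "https://sso.example.test/idp/startSSO":
        (302, {"Location": "https://peteraccount.example.test/"}, ""),
    "https://peteraccount.example.test/":
        (200, {}, '<html><head><link rel="openid.server" href='
                  '"https://login.example.test/sp/SsoHandler.aspx"></head></html>'),
}

def fetch(url):  # stand-in for an HTTP GET by a logged-out user-agent
    return SITE.get(url, (404, {}, ""))

class LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = {}  # rel -> href of the first <link> carrying that rel
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") and a.get("href"):
            for rel in a["rel"].lower().split():
                self.links.setdefault(rel, a["href"])

def normalize(user_input):
    """Spec leniency: no scheme means http://, an empty path becomes '/'."""
    url = user_input.strip()
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("identifier must be http or https")
    return urlunsplit(parts._replace(path=parts.path or "/"))

def canonicalize_and_discover(user_input, fetcher=fetch):
    """Bounded, downgrade-free redirect walk; returns (identifier, server, delegate)."""
    url = normalize(user_input)
    require_tls = url.startswith("https://")
    for _ in range(MAX_REDIRECTS + 1):
        if require_tls and not url.startswith("https://"):
            raise ValueError("https identifier redirected to http: " + url)
        status, headers, body = fetcher(url)
        if status in (301, 302, 303, 307):
            url = urljoin(url, headers["Location"])
            continue
        parser = LinkParser()
        parser.feed(body if status == 200 else "")
        if "openid.server" not in parser.links:
            raise ValueError("no openid.server link (HTTP %d) at %s" % (status, url))
        return url, parser.links["openid.server"], parser.links.get("openid.delegate")
    raise ValueError("more than %d redirects" % MAX_REDIRECTS)
```

The fetcher parameter lets the same walk be driven by a real HTTP client; whatever the client, the RP should fetch without user cookies, since discovery must see what a logged-out agent sees.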
</div>
</body>
</html>