<HTML dir=ltr><HEAD></HEAD>
<BODY style="WORD-WRAP: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space">
<DIV id=idOWAReplyText13106 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>I think it's more important to fix the critical issue: follow through the intent and ensure the docs allow any (perhaps vendor-defined) extension (not only AX) to leverage a pre-existing OpenID Association without seeking an authentication Statement (or imply the processing of authentication request signals, by an OP).</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>One should formalize (and correct as appropriate) the architecture that the OP is only one consumer of (a) an attribute store (b) an Association cache. An AX responder that happens not to be co-resident with the OP may leverage the association cache, for example. </FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>This implementation practice emulates what goes on in the modern SSL world, where the protocol engine is distinct from the cache of sessions and associated keys. You see this done nicely in WS-SX, where the ws-trust tokens pass (binary) SSL3 handshake messages using XML bearers (rather than the Internet-era TLS record layer protocol) where the sessions and key stores are maintained by the WS-SX engine (rather than say "load balancer stored" SSL key caches and session stores, as is common in late-1990s era https). </FONT></DIV></DIV>
<DIV id=idSignature50680>
<DIV><FONT face=Arial color=#000000 size=2><SPAN style="FONT-SIZE: 7.5pt"></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#000000 size=2><SPAN style="FONT-SIZE: 7.5pt">_________________________<BR></SPAN><B>Peter Williams<BR></B></FONT><BR></DIV>
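An added example in Python (not code from this thread, from the OpenID spec, or from any OpenID library) that models the claimed_id/identity pairing rule quoted from the OpenID 2.0 Authentication spec further down the thread, and builds an AX fetch request that names its subject without an accompanying authentication request. The "openid.ax.subject_id" key is the parameter Andrew Arnott proposes in this thread (an assumed name), not a parameter of the published AX 1.0 spec; the URI check on the subject is a simplification.

```python
# Added example: not code from the thread or from any OpenID implementation.
# Models the claimed_id/identity rule of OpenID 2.0 Authentication quoted in
# this thread, plus an AX fetch request that names its subject without an
# authentication request. "openid.ax.subject_id" is an assumed name for
# Andrew Arnott's proposed parameter; it is not in the published AX 1.0 spec.

OPENID_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def ax_fetch_request(attrs, claimed_id=None, identity=None, subject_id=None):
    """Build an AX fetch_request as OpenID key/value pairs; attrs = {alias: type_uri}."""
    msg = {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
           "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request",
           "openid.ax.required": ",".join(attrs)}
    for alias, type_uri in attrs.items():
        msg["openid.ax.type." + alias] = type_uri
    if claimed_id is not None:
        msg["openid.claimed_id"] = claimed_id
        # Spec: without a different OP-Local Identifier, the claimed
        # identifier MUST be used as openid.identity.
        msg["openid.identity"] = identity if identity is not None else claimed_id
    elif subject_id is not None:
        # Not about an identifier: the extension carries the subject instead.
        msg["openid.ax.subject_id"] = subject_id  # proposed, not in AX 1.0
    return msg


def subject_of(msg):
    """Return ("auth" | "extension", subject) or raise ValueError for cases an OP rejects."""
    claimed, identity = msg.get("openid.claimed_id"), msg.get("openid.identity")
    if (claimed is None) != (identity is None):
        raise ValueError("claimed_id and identity SHALL be both present or both absent")
    if claimed is not None:
        # identifier_select: the OP chooses the identifier, so none is known up front.
        return ("auth", None if claimed == IDENTIFIER_SELECT else claimed)
    if not any(k.startswith("openid.ns.") for k in msg):
        raise ValueError("no identifier and no extension: nothing to assert about")
    subject = msg.get("openid.ax.subject_id")
    if subject is None or "://" not in subject:  # AX 3.1: subject MUST be a URI (simplified)
        raise ValueError("AX subject identifier missing or not a URI")
    return ("extension", subject)


def is_rejected(msg):
    """True when subject_of() rejects msg with ValueError."""
    try:
        subject_of(msg)
    except ValueError:
        return True
    return False
```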
<DIV>
<HR tabIndex=-1>
</DIV>
<DIV><FONT face=Tahoma size=2><B>From:</B> Dick Hardt<BR><B>Sent:</B> Mon 5/26/2008 12:20 PM<BR><B>To:</B> Andrew Arnott; Johnny Bufu; Josh Hoyt<BR><B>Cc:</B> OpenID List<BR><B>Subject:</B> Re: [OpenID] Attribute Exchange without simultaneous authentication<BR></FONT><BR></DIV></DIV>
<DIV>A reasonable suggestion.
<DIV><BR></DIV>
<DIV>Johnny, Josh?</DIV>
<DIV><BR></DIV>
<DIV><BR>
<DIV>
<DIV>On 26-May-08, at 12:15 PM, Andrew Arnott wrote:</DIV><BR class=Apple-interchange-newline>
<BLOCKQUOTE type="cite">I would suggest an optional parameter be added to AX called "ax.subject_id" or something like that, that would be used only when openid.claimed_id and openid.identity is not specified.<BR><BR>
<DIV class=gmail_quote>On Mon, May 26, 2008 at 12:08 PM, Dick Hardt <<A href="mailto:dick@sxip.com" target=_blank>dick@sxip.com</A>> wrote:<BR>
<BLOCKQUOTE class=gmail_quote style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV>
<DIV>
<BLOCKQUOTE type="cite">
<DIV style="MARGIN: 0px"><BR></DIV></BLOCKQUOTE>
<DIV><BR></DIV>Not requiring a simultaneous authentication was intended to be possible. See the language from the OpenID 2.0 Authentication spec below that hints that things are possible without authenticating the user.</DIV>
<DIV><BR></DIV>
<DIV>In practice, no one has wanted to move attributes without authenticating ... so the exact mechanics for doing it may not be represented in the spec.</DIV>
<DIV><BR></DIV>
<DIV>Suggestions?</DIV>
<DIV><BR></DIV>
<DIV>-- Dick<BR><BR>
<BLOCKQUOTE type="cite">
<DIV style="MARGIN: 0px"># openid.claimed_id</DIV>
<DIV style="MIN-HEIGHT: 14px; MARGIN: 0px"><BR></DIV>
<DIV style="MARGIN: 0px"> Value: (optional) The Claimed Identifier.</DIV>
<DIV style="MIN-HEIGHT: 14px; MARGIN: 0px"><BR></DIV>
<DIV style="MARGIN: 0px"> "openid.claimed_id" and "openid.identity" SHALL be either both present or both absent. If neither value is present, the assertion is not about an identifier, and will contain other information in its payload, using extensions (Extensions).</DIV>
<DIV style="MIN-HEIGHT: 14px; MARGIN: 0px"><BR></DIV>
<DIV style="MARGIN: 0px"> It is RECOMMENDED that OPs accept XRI identifiers with or without the "xri://" prefix, as specified in the Normalization (Normalization) section.</DIV>
<DIV style="MIN-HEIGHT: 14px; MARGIN: 0px"><BR></DIV>
<DIV style="MARGIN: 0px"># openid.identity</DIV>
<DIV style="MIN-HEIGHT: 14px; MARGIN: 0px"><BR></DIV>
<DIV style="MARGIN: 0px"> Value: (optional) The OP-Local Identifier.</DIV>
<DIV style="MIN-HEIGHT: 14px; MARGIN: 0px"><BR></DIV>
<DIV style="MARGIN: 0px"> If a different OP-Local Identifier is not specified, the claimed identifier MUST be used as the value for openid.identity.</DIV>
<DIV style="MIN-HEIGHT: 14px; MARGIN: 0px"><BR></DIV>
<DIV style="MARGIN: 0px"> Note: If this is set to the special value "<A href="http://specs.openid.net/auth/2.0/identifier_select" target=_blank>http://specs.openid.net/auth/2.0/identifier_select</A>" then the OP SHOULD choose an Identifier that belongs to the end user. This parameter MAY be omitted if the request is not about an identifier (for instance if an extension is in use that makes the request meaningful without it; see openid.claimed_id above).</DIV>
<DIV style="MIN-HEIGHT: 14px; MARGIN: 0px"><BR></DIV></BLOCKQUOTE></DIV>
<DIV>
<DIV></DIV>
<DIV class=Wj3C7c>
<DIV><BR></DIV>
<DIV><BR></DIV><BR>
<DIV>
<DIV>On 26-May-08, at 11:56 AM, Andrew Arnott wrote:</DIV><BR>
<BLOCKQUOTE type="cite">I think a simultaneous authentication is necessary because without it, the openid.claimed_id and openid.identity parameters will be missing, and thus no way for the OP to determine what Identifier is being queried for attributes. <BR><BR>From the AX spec:<BR>
<H3 style="MARGIN-LEFT: 40px">3.1. Subject Identifier</H3>
<P style="MARGIN-LEFT: 40px">An identifier for a set of attributes. It MUST be a URI. <I>The subject identifier corresponds to the end-user identifier in the authentication portion of the messages</I>. In other words, the <I>subject of the identity attributes in the attribute exchange part of the message is the same as the end-user in the authentication part. The subject identifier is not included in the attribute exchange</I>. </P>It seems that the only way for an RP to send an OP an OpenID message with extensions for this purpose without actually requesting authentication is to leave off the claimed_id and identity parameters, which kills AX's use of them. At least that's how I understand the OpenID 2.0 spec. Perhaps I misunderstand it. If I do misunderstand it, how is an extension supposed to send a request without a simultaneous authentication request?<BR><BR>Thanks.<BR><BR>
<DIV class=gmail_quote>On Mon, May 26, 2008 at 11:43 AM, Dick Hardt <<A href="mailto:dick@sxip.com" target=_blank>dick@sxip.com</A>> wrote:<BR>
<BLOCKQUOTE class=gmail_quote style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV>The Subject Identifier is to let the OP and RP know which user is being referred to. An authentication request SHOULD not be needed.
<DIV><BR></DIV>
<DIV>In other words, you should be able to do what you want to do now ... why do you think you can't?</DIV>
<DIV><BR></DIV>
<DIV>-- Dick<BR>
<DIV><BR>
<DIV>
<DIV>
<DIV></DIV>
<DIV>
<DIV>On 25-May-08, at 7:43 AM, Andrew Arnott wrote:</DIV><BR></DIV></DIV>
<BLOCKQUOTE type="cite">
<DIV>
<DIV></DIV>
<DIV>Attribute Exchange seems to rely on being part of an authentication message as opposed to being able to work when in OpenID's no-authentication extension mode. I get this from section <A href="http://openid.net/specs/openid-attribute-exchange-1_0.html#identifier-definition" target=_blank>3.1</A> of the AX spec getting the subject identifier from the authentication part of the message.<BR><BR>My suggestion would be that if we can, in a subsequent version of AX, allow AX to stand alone without OpenID having to send an authentication request at the same time, then given an OpenID URL by itself, people can query against it. Now, most information would probably need to be kept private, but perhaps some information, like contact information, can be made available provided the requestor respond to a CAPTCHA or something like that. That would be up to the individual OPs and their users of course as to which information to be willing to disseminate, but the power of the feature is there.<BR><BR>What do you think?<BR clear=all><BR>-- <BR></DIV></DIV>Andrew Arnott _______________________________________________<BR>general mailing list<BR><A href="mailto:general@openid.net" target=_blank>general@openid.net</A><BR><A href="http://openid.net/mailman/listinfo/general" target=_blank>http://openid.net/mailman/listinfo/general</A><BR></BLOCKQUOTE></DIV><BR></DIV></DIV></DIV></BLOCKQUOTE></DIV><BR><BR clear=all><BR>-- <BR>Andrew Arnott</BLOCKQUOTE></DIV><BR></DIV></DIV></DIV></BLOCKQUOTE></DIV><BR><BR clear=all><BR>-- <BR>Andrew Arnott</BLOCKQUOTE></DIV><BR></DIV></DIV></BODY></HTML>