<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.apple-style-span
{mso-style-name:apple-style-span;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>This raises an interesting question of being able to list your
associations in an XRDS file (which support OpenID interface), but not to
designate them as your OpenID providers. This is consistent with my current (it
might still evolve) interpretation of the XRDS discovery flow: that each
resource should describe its own metadata, and its relationship to other linked
resources.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>For example, if my OpenID is provided by openid.example.com, but
I am also a member of corp.example.net, my XRDS file should look like this:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><XRDS><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> <XRD><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> <Service><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> <Type>http://specs.openid.net/auth/2.0/signon</Type><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> <URI>http://openid.example.com/endpoint</URI><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> <Service><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> <Service><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> <Type>http://xrdstype.net/association/member</Type><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> <URI>http://corp.example.net</URI><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> <Service><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </XRD><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'></XRDS><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>And the XRDS for <a href="http://corp.example.net">http://corp.example.net</a>
will look like:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><XRDS><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> <XRD><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> <Type>http://xrdstype.net/association/membership</Type><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> <Service><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> <Type>http://specs.openid.net/auth/2.0/server</Type><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> <URI>http://openid.example.com/endpoint</URI><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> <Service><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </XRD><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'></XRDS><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Of course, the xrdstype.net examples are made up. But the idea
is that the user’s XRDS defines to related resources, one for OpenID and
another for some association. Performing discovery on the association reveals
that it can be verified using OpenID. It is a different type of relationship to
the user which I think is what you are getting at with the 15 memberships
example. Also not that the user’s XRDS did not assign any OpenID
capabilities to the corp membership. That is because it has no authority to
define that related resource capabilities and that belongs in the second XRDS.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>EHL<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Andrew Arnott
[mailto:andrewarnott@gmail.com] <br>
<b>Sent:</b> Monday, September 15, 2008 5:40 PM<br>
<b>To:</b> Eran Hammer-Lahav<br>
<b>Cc:</b> general@openid.net<br>
<b>Subject:</b> Re: [OpenID] Too many providers... and here's one reason<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal>You're affirmative action example is well taken.
Obviously if an OP is the best solution we should go with it. But
just imagine what all these spoons of sugar are going to do to me...<o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Suppose I'm a member of 15 organizations (that's
conservative) between my professional, social, personal lives. Some RP
could be interested in providing specialized services if I am a member of Org
XYZ. Another RP may offer premium services if I am a member of Org ABC.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Now if every org I am a member of became an OP, then my
identity XRDS file now has at <span class=apple-style-span><i>least</i></span> 15
providers listed. Powerful, perhaps. Dangerous: yes!!! If
OpenID's weakness already was that if an OP was compromised then all
Identifiers that allow that OP's assertions are now compromised, then that
weakness is proportional to the number of OPs that are listed in my XRDS file.
I for one do NOT want 15 Providers listed in my XRDS file. There
was a time I thought more was better, and to date I have some 5-6 OPs listed,
but I've considered narrowing that down to just 2-3 to decrease my risk surface
area.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Using OAuth as a post-authentication step of confirming
membership is an interesting idea and should work. In the end, whether we
use OpenID or OAuth, it seems we're mixing authentication and membership, or
authorization and membership, in order to just get membership. Too bad
there's not just a way to get "membership".<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Yes, InfoCard managed cards solve this problem, although not
as implicitly as I'd like. I'm hoping OpenID can have a solution of its
own.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal>On Mon, Sep 15, 2008 at 5:12 PM, Eran Hammer-Lahav <<a
href="mailto:eran@hueniverse.com">eran@hueniverse.com</a>> wrote:<o:p></o:p></p>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>This
is like applying affirmative action to cooking. "This cake calls for two
spoons of sugar but we don't have enough people using lard in cakes, so I am
going to use it instead..."<br>
<br>
Looks like they want to use OpenID as an assertion verification protocol,
allowing them to confirm that a given user is in fact a member of their
organization. If all they want to do is assert the claim, they can use both
OAuth and OpenID, each with a different set of extra features. If they use
OpenID, a side-effect of this will turn them into an Identity Provider, but if
this is not their intention, they should not use that identifier internally,
but instead accept OpenID.<br>
<br>
In other words, they should be an OP for assertion verification, and RP for
site login.<br>
<span style='color:#888888'><br>
EHL</span><o:p></o:p></span></p>
<div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif"'><br>
<br>
<br>
On 9/15/08 4:45 PM, "Andrew Arnott" <<a
href="http://andrewarnott@gmail.com" target="_blank">andrewarnott@gmail.com</a>>
wrote:<o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif"'>I just spoke with an organization that
wants to become a Provider so that other RP web sites can specifically tell if
the logging in user is a member of this organization by whether their OpenID
Identifier was asserted by that org's OP. <br>
<br>
Ideally, I'd like this org to choose to be an RP instead of an OP because there
are already too many OPs out there and not enough RPs, IMO. <br>
<br>
How can an RP accept an OpenID Identifier from arbitrary OPs, but at each login
determine whether the Identifier represents a user who belongs to a particular
Organization? Basically the Organization needs to send an assertion about
the Identifier's membership, but only be willing to do so if that identifier is
confirmed as having logged in successfully to that RP. This would be easy
to do if that Org was an OP, but I'm trying to reduce the # of reasons to be an
OP.</span><o:p></o:p></p>
</blockquote>
</div>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>