<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">fyi Peter: this is too long of a rant for me read<div><br></div><div>If you are won't take the time to make your point quickly, I won't take the time to try and figure out what it might be.</div><div><br></div><div>Nothing personal -- just sharing. :-)</div><div><br></div><div>-- Dick<br><div><br><div><div>On 30-Dec-08, at 9:19 AM, Peter Williams wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div lang="EN-US" link="blue" vlink="purple"><div class="Section1"><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">The power of openid is that app developers don’t need to do oauth on the backflow (more core library code, more management, more control issues) or a web service (more core library code, more management, more control issues).<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">I know I’m stepping on toes here, but that’s the point! Merger with OAUTH has to make a functional difference, not just repeat what already exists in a different form. Don’t want two management and control frameworks.<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">We have the concept that (a) a websso flow between OP and SP involving the user has setup a persistent association, and (b) the SP and OP/AX agent can now freely ping each other using AX (with no visible experience), (c) no identity verification service need be requested (identity=openid=null) allowing a developer to use the AX extension with the core assertion protocol without worrying about claimedids (d) the nature of AX schema is such that there are an infinite number of attribute-based protocols that an app developers can now create. Multi-valued AX response can be sending back 1000 photos if it wants, or 7 .crt files (certificates) in a user’s chain. The attribute values may even be defined as ordered (since the schema is [properly] vendor-driven).<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Of course the security context for that AX-only flow is one of the OP (as user AGENT) is talking to SP (local session derived from an openid assertion). That is, the user is talking to the user, as represented by two agents. A better name for the OP in an AX-only flow would be AX authority, or similar. The AX authority is likely to be a proxy – a data service front ending ldap, or sql, or some data object library.<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Now we just have to be a little careful. In the culture of OpenID, the OP is operating under UCI rules (data ownership and release control are _<i>culturally</i>_ in the hands of the user, not the vendor/SAAS operating the OP site as in the more traditional FaceBook & VeriSign TTP cultures). However, the same is not true for the SP. As in the case of the Foundation itself, the SP can be operating under (published) rules that TAKE OWNERSHIP of information, once introduced into the SP site. A contract binding exists, under the trust model, agreeing to ownership issues, legal obligations of the parties, etc. And, as we now know, XDI envisions itself as playing the role of setup/management/control of such contract bindings (in the openid world).<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Whether the app developers uses the openid backflow or foreground flow seems to me to be a minor matter of engineering and practicality. The data flow is simply AX-only messages – with null identity verification fields – over an openid association that brings to the flow the benefits of the data origin authentication service of the respondent assertion’s signed mac. Just because AX-only flows over associations pass through the foreground channel does NOT mean the user’s focus has to be take away from the current task, in GUI terms. There does not HAVE to be a page referenced at the OP/AX server that says: do you give consent to the release of these 1000 pictures and contacts. If the trust model of the OP/SP (i.e. an XDI document) is such that consent is implied under the contract binding, there may be a background delta-based sync going on every 1m, in a hidden iframe. If the association lifetime expires, then I can there being a need for the app to force an full run of openid auth, to re-establish the claimedid by invoking the identity verification service, and thus attempt to give new life to the local sessions at SP and/or OP.<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="border-top-style: none; border-right-style: none; border-bottom-style: none; border-width: initial; border-color: initial; border-left-style: solid; border-left-color: blue; border-left-width: 1.5pt; padding-top: 0in; padding-right: 0in; padding-bottom: 0in; padding-left: 4pt; "><div><div style="border-right-style: none; border-bottom-style: none; border-left-style: none; border-width: initial; border-color: initial; border-top-style: solid; border-top-color: rgb(181, 196, 223); border-top-width: 1pt; padding-top: 3pt; padding-right: 0in; padding-bottom: 0in; padding-left: 0in; "><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "><span class="Apple-converted-space"> </span>larry drebes [<a href="mailto:ltd@janrain.com" style="color: blue; text-decoration: underline; ">mailto:ltd@janrain.com</a>]<span class="Apple-converted-space"> </span><br><b>Sent:</b><span class="Apple-converted-space"> </span>Tuesday, December 30, 2008 6:03 AM<br><b>To:</b><span class="Apple-converted-space"> </span>Pat Cappelaere<br><b>Cc:</b><span class="Apple-converted-space"> </span>Peter Williams;<span class="Apple-converted-space"> </span><a href="mailto:general@openid.net" style="color: blue; text-decoration: underline; ">general@openid.net</a><span class="Apple-converted-space"> </span>List<br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [OpenID] CheckIDRequest with Big AX<o:p></o:p></span></div></div></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">The use case is legit. The OpenID flow is through the user agent, the user is redirected to the OP, the OP redirects back to the RP. For backchannel access to data (where access has previously been granted), oauth or a callback url are much simpler flows than than going through the user agent redirect. larry-<o:p></o:p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">On Tue, Dec 30, 2008 at 5:25 AM, Pat Cappelaere <<a href="mailto:pat@cappelaere.com" style="color: blue; text-decoration: underline; ">pat@cappelaere.com</a>> wrote:<o:p></o:p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">I think that AX is used in its designed role here.<o:p></o:p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">The user grants access to his information.<o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">The SP ought to be free to access that information at anytime and update/store stuff at anytime, right?<o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">This seems reasonable to me and very appropriate to leverage that capability at the enterprise level.<o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Pat.<o:p></o:p></div></div><div><div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">On Dec 30, 2008, at 6:59 AM, Peter Williams wrote:<o:p></o:p></div></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br><o:p></o:p></div><div><div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">This begs a wider question concerning AX. The underlying issue relates to my own confusion over the wider role of AX (expressed in a thread a week or two ago).</span><span style="color: black; "><o:p></o:p></span></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span><span style="color: black; "><o:p></o:p></span></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">For Dick, evidently AX is the extensible form of sreg – and is about a visible user-centric experience (e.g. a signup wizard). It's little more. There is a bit of stuff about AX update.</span><span style="color: black; "><o:p></o:p></span></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span><span style="color: black; "><o:p></o:p></span></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">For others, two websites may be exploiting an _<i>existing</i>_ openid pairwise security association to signal each other over that authenticated channel, using AX extensions for requests/response FOR PER-APPLICATION PURPOSES. This may be occurring OUTSIDE a visible user experience (such as signup form population). The user may have no interactive role. One might only set a config policy of "please sync me every 10m", and 10 AX transactions occur over 10 hidden iframes (every 10m).</span><span style="color: black; "><o:p></o:p></span></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span><span style="color: black; "><o:p></o:p></span></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Im with Pat on AX; doing the kind of thing he is doing is what it seemed to be saying it was for...</span><span style="color: black; "><o:p></o:p></span></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span><span style="color: black; "><o:p></o:p></span></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">As with XRI, the power of openid is its architecture and the enabling that XRI/XDI/AX/URls provide to app developers. It's not the particular GUI practice today – which at the end of the day is just another websso protocol that also ran. Since any and all websso is however a fundamental enabler (because it brings with it solutions to security associations, consent, and impersonated session management), its what now follows from and develops on the openid architecture that is the _<i>really</i>_ interesting stuff.</span><span style="color: black; "><o:p></o:p></span></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span><span style="color: black; "><o:p></o:p></span></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span><span style="color: black; "><o:p></o:p></span></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span><span style="color: black; "><o:p></o:p></span></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span><span style="color: black; "><o:p></o:p></span></div></div><div style="border-top-style: none; border-right-style: none; border-bottom-style: none; border-width: initial; border-color: initial; border-left-style: solid; padding-top: 0in; padding-right: 0in; padding-bottom: 0in; padding-left: 4pt; border-width: initial; border-color: initial; "><div><div style="border-right-style: none; border-bottom-style: none; border-left-style: none; border-width: initial; border-color: initial; border-top-style: solid; padding-top: 3pt; padding-right: 0in; padding-bottom: 0in; padding-left: 0in; border-width: initial; border-color: initial; "><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; color: black; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; color: black; "> <a href="mailto:general-bounces@openid.net" target="_blank" style="color: blue; text-decoration: underline; ">general-bounces@openid.net</a><span class="Apple-converted-space"> </span>[<a href="mailto:general-bounces@openid.net" target="_blank" style="color: blue; text-decoration: underline; ">mailto:general-bounces@openid.net</a>] <b>On Behalf Of </b>larry drebes<br><b>Sent:</b> Tuesday, December 30, 2008 3:19 AM<br><b>To:</b> Pat Cappelaere<br><b>Cc:</b> <a href="mailto:general@openid.net" target="_blank" style="color: blue; text-decoration: underline; ">general@openid.net</a> List<br><b>Subject:</b> Re: [OpenID] CheckIDRequest with Big AX</span><span style="color: black; "><o:p></o:p></span></div></div></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="color: black; "> <o:p></o:p></span></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="color: black; ">Hi Pat,<o:p></o:p></span></div></div><div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="color: black; ">The normal behavior for an OP is to assume the user is in the loop. With javascript enabled the form POST submit should happen automatically, for the vast majority of time this is not pestering the user.<o:p></o:p></span></div></div></div><div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="color: black; ">larry-<o:p></o:p></span></div></div><div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="color: black; ">On Mon, Dec 29, 2008 at 7:46 PM, Pat Cappelaere <<a href="mailto:pat@cappelaere.com" target="_blank" style="color: blue; text-decoration: underline; ">pat@cappelaere.com</a>> wrote:<o:p></o:p></span></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="color: black; ">I have an interesting problem.<br><br>I am trying to make a CheckIDRequest along with a few experimental AX.<br>Problem is that my attributes are fairly large and could overflow the<br>GET.<br>The Janrain Ruby library detects that and turns the response into a<br>secondary form. A user has to hit continue for the form to do a<br>post. This is fine if there is a user in the loop (although confusing<br>at best) but this is not my case. I do not have a user in the loop.<br>I am really trying to authenticate an application consumer that<br>happens to have an openid and trying to get its pubic key in order to<br>do the OAuth dance using AX... cool stuff...<br><br>My questions are:<br><br>Is this the normal behavior of an OP?<br><br>Should I try to patch the server library to return a directPOST?<br><br>Or get my consumer to break down the request in two parts? I am not<br>quite sure how the second part would look like though...<br><br>Any suggestions?<br><br>Thanks,<br><br>Pat.<br><br>_______________________________________________<br>general mailing list<br><a href="mailto:general@openid.net" target="_blank" style="color: blue; text-decoration: underline; ">general@openid.net</a><br><a href="http://openid.net/mailman/listinfo/general" target="_blank" style="color: blue; text-decoration: underline; ">http://openid.net/mailman/listinfo/general</a><o:p></o:p></span></div></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="color: black; "> <o:p></o:p></span></div></div></div></div></div></div></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div></div></div></div></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><br>_______________________________________________<br>general mailing list<br><a href="mailto:general@openid.net" style="color: blue; text-decoration: underline; ">general@openid.net</a><br><a href="http://openid.net/mailman/listinfo/general" target="_blank" style="color: blue; text-decoration: underline; ">http://openid.net/mailman/listinfo/general</a><o:p></o:p></div></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div></div>_______________________________________________<br>general mailing list<br><a href="mailto:general@openid.net" style="color: blue; text-decoration: underline; ">general@openid.net</a><br><a href="http://openid.net/mailman/listinfo/general" style="color: blue; text-decoration: underline; ">http://openid.net/mailman/listinfo/general</a><br></div></span></blockquote></div><br></div></div></body></html>