<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I think this is the most important lesson (especially if UCI is
the actual vision, in contrast openid being a submarine reinvention of TTP
IDPs, a la Shib). <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I’ve felt for a long time that there have to be two services:
one aimed purely at the user (and not provided by OPs), and then one
provided by the OP. I kept experimenting with this distinction over and
over – but I always felt like the wacky weirdo – especially once the
directed identity service from the OPs came along.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>After all, “Real” users just subscribe to Yahoo, Google,
Myopenid OPs. But those who fall prey to the indoctrination of those portal mindshare
wars, are not really getting “openid”. They are just being drawn
into the typical hub-spoke networking model. Its EDI all over again. Your
free to send your business document anywhere, as long as they are a member
of the same hub.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>We just have to remember that, for business-class users, it’s
just not enough to have an OP account(s) with your favorite portal(s)
(google, live, pip), which provision you their various openids. You must have in
additional service, which is probably separate from that which any OP offers.
In that addition, you own and control the XRDS/HTML file – through which
you can express full control and get what the UCI in openid promises/promised.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Ok. Lets test the reality.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Is there a semi-commercial site out there, aimed at 50+ year old
users, that does little else other than allow such folks with pretty average IT
skills to maintain their (non-OP) identity page, featuring op selection (i.e. reinforces
the multiple-nyms concept) and delegation (allows control over https authentication
endpoints, and facilitate login portability)?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I know I can sell the portability benefit of openid (as they all
remember the analogous (pre-Neustar) days …when phone companies would not
let you move your phone number between national carriers). <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Then, is there any “major” OP (google, live, yahoo,
myspace?) that offers _<i>both</i>_ services?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>It doesn’t count as an “offer” if I, Jeanette
the Realtor, have to literally edit an XRDS or HTML file or even conceive
of tags, meta-anything, denotational semantics or anthropomorphic identifiers
with a polymorphic bent (or any other wonderfully inventive logic that we
computer scientists love to talk about).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>(<o:p></o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Andrew Arnott
[mailto:andrewarnott@gmail.com] <br>
<b>Sent:</b> Thursday, January 01, 2009 4:37 PM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> Eddy Nigg (StartCom Ltd.); OpenID List<br>
<b>Subject:</b> Re: [OpenID] Bug in OpenID RP implementations<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>Hi Peter,<br>
<br>
I (mostly) share your idealistic view of <a href="http://myopenid.com">myopenid.com</a>.
I use it as a frame of reference often. However, I don't agree with all
of their decisions (AX type URIs and non-https enforcement among them).<br>
<br>
It seems to me that http<b>s</b>://<a href="http://homepw.myopenid.com/">homepw.myopenid.com/</a>
results in <a href="http://myopenid.com">myopenid.com</a> referring to an HTTPS
OP endpoint, and the <a href="http://homepw.myopenid.com/">http://homepw.myopenid.com/</a>
referring to an HTTP OP endpoint. Fair enough. If you start your
discovery securely it makes sense to continue with secure authentication.
And if your discovery was insecure, well then the authentication isn't secure
whether it uses HTTPS or not since the discovery could have been hijacked and
authentication rerouted to another address. <br>
<br>
Ideally, <a href="http://myopenid.com">myopenid.com</a> and all other OPs would
redirect identity page requests that come in on HTTP to HTTPS so that all
claimed identifiers and authentication would occur over HTTPS to provide higher
security to users.<br>
<br>
Regarding whether mere users have the choice of HTTPS being used for auth, they
<i>may</i>. In your <a href="http://myopenid.com">myopenid.com</a>
claimed id example the user has no control since <a href="http://myopenid.com">myopenid.com</a>
hosts the claimed id page. However, if you take <a
href="http://blog.nerdbank.net">http://blog.nerdbank.net</a>, which is one of
my claimed identifiers which delegate to <a href="http://myopenid.com">myopenid.com</a>
(and others via XRDS), since I am the one to write the delegation tags I get to
decide whether to use an OP's HTTPS or HTTP endpoint. So yes, the user
may have a choice about using a HTTP(S) OP endpoint, but they likely will not
have that choice if they use an OP-hosted identity page.<br>
<br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal>On Thu, Jan 1, 2009 at 4:51 PM, Peter Williams <<a
href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p><span style='font-size:11.0pt;color:#1F497D'>Yes SP=RP. Remind me to use RP
only, here, and keep SP for OAUTH (since OAUTH and openid seem to have a
potential marriage ahead).</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>I'm now logged into my
classical OP site (<a href="http://homepw.myopenid.com" target="_blank">homepw.myopenid.com</a>).
I can't see how to control "my" metadata to allow
"authentication" only over https.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>Should I infer in the movement
that "really" OPs decide whether the https-class openid they
provision will or will not "authenticate" over https – and not
mere users?</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>For me, myopenid OP is/was the
"gold standard" of openid OP implementations – an expression of
the core use cases and the movement's management/control goals in their most
primitive form. If I keep that belief, evidently users/subscribers are not
"really" supposed to deciding whether https must be used during
authentication. RPs may decide so. OPs may decide so. But users cannot.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-left:solid windowtext 1.5pt;padding:0in 0in 0in 4.0pt;
border-color:-moz-use-text-color -moz-use-text-color -moz-use-text-color blue'>
<div>
<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;
border-color:-moz-use-text-color -moz-use-text-color'>
<p><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:
10.0pt'> Andrew Arnott [mailto:<a href="mailto:andrewarnott@gmail.com"
target="_blank">andrewarnott@gmail.com</a>] <br>
<b>Sent:</b> Thursday, January 01, 2009 3:27 PM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> Eddy Nigg (StartCom Ltd.); OpenID List<o:p></o:p></span></p>
<div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt'><br>
<b>Subject:</b> Re: [OpenID] Bug in OpenID RP implementations<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<div>
<div>
<p> <o:p></o:p></p>
<p style='margin-bottom:12.0pt'>SP? Do you mean RP? SP is an
acronym that applies to OAuth. OpenID uses RP and OP. I assume by
SP you mean RP here...<br>
<br>
The <a
href="http://openid.net/specs/openid-authentication-2_0.html#security_considerations"
target="_blank">OpenID 2.0 spec section 15</a> calls out several opt-in
measures that an RP or OP can take to increase security for the authentication
process. But no, as has been stated an RP is not obliged per (my reading
of) the spec to require that if discovery is done using HTTPS that
authentication must also be done using HTTPS.<br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<o:p></o:p></p>
<div>
<p>On Thu, Jan 1, 2009 at 4:07 PM, Peter Williams <<a
href="mailto:pwilliams@rapattoni.com" target="_blank">pwilliams@rapattoni.com</a>>
wrote:<o:p></o:p></p>
<div>
<div>
<p><span style='font-size:11.0pt;color:#1F497D'>Is the SP right or wrong to
redirect to an http OP endpoint, given an https openid, in your understanding
of the spec (and what it means to be a conforming implementation)?</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>Though operating in openid1
legacy mode, neither SP not OP objected – probably because the spec does call
out for code to raise an exception – presumably because it isn't one,
formally.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-left:solid windowtext 1.5pt;padding:0in 0in 0in 4.0pt;
border-color:-moz-use-text-color -moz-use-text-color -moz-use-text-color blue'>
<div>
<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;
border-color:-moz-use-text-color'>
<p><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:
10.0pt'> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>]
<b>On Behalf Of </b>Eddy Nigg (StartCom Ltd.)<br>
<b>Sent:</b> Thursday, January 01, 2009 3:00 PM<br>
<b>Cc:</b> OpenID List</span><o:p></o:p></p>
<div>
<p><span style='font-size:10.0pt'><br>
<b>Subject:</b> Re: [OpenID] Bug in OpenID RP implementations</span><o:p></o:p></p>
</div>
</div>
</div>
<p> <o:p></o:p></p>
<p> <o:p></o:p></p>
<div>
<div>
<p>On 01/02/2009 12:49 AM, Eric Norman: <o:p></o:p></p>
</div>
</div>
<div>
<div><pre>On Jan 1, 2009, at 4:28 PM, Peter Williams wrote:<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>The openid 2 spec says in section 15 (a non-normative must, note):<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>"In order to get protection from SSL, SSL must be used for all parts <o:p></o:p></pre><pre>of the interaction, including interaction with the end user through <o:p></o:p></pre><pre>the User-Agent."<o:p></o:p></pre><pre> <o:p></o:p></pre></blockquote>
<pre> <o:p></o:p></pre><pre>When I include "https:" in my OpenID, I'm saying that I<o:p></o:p></pre><pre>want protection by SSL, right?<o:p></o:p></pre><pre> <o:p></o:p></pre>
<p style='margin-bottom:12.0pt'><br>
Your OpenID is https:// then, it's not ncesseraly the same as http and the
other way around too. It has been many times already mentioned. <o:p></o:p></p>
<pre> <o:p></o:p></pre><pre>So if something elsewhere decides not to use SSL for<o:p></o:p></pre><pre>whatever reason, that would be incorrect behavior, right?<o:p></o:p></pre><pre> <o:p></o:p></pre>
<p style='margin-bottom:12.0pt'><br>
Correct. However an OP may return the claimed OpenID as https (there are for
example some OPs which don't do plain http, only https via redirect.<o:p></o:p></p>
<pre> <o:p></o:p></pre><pre>And let's not forget that the error message I quoted is<o:p></o:p></pre><pre>clearly inappropriate.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre>
<p style='margin-bottom:12.0pt'> <o:p></o:p></p>
<div>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p>Regards <o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p> <o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p>Signer: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p>Eddy Nigg, <a href="http://www.startcom.org" target="_blank">StartCom Ltd.</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p>Jabber: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p><a href="mailto:startcom@startcom.org" target="_blank">startcom@startcom.org</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p>Blog: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p><a href="http://blog.startcom.org" target="_blank">Join the Revolution!</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p>Phone: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p>+1.213.341.0390<o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p> <o:p></o:p></p>
</td>
</tr>
</table>
</div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<p style='margin-bottom:12.0pt'><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><o:p></o:p></p>
</div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</body>
</html>