<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Peter,<div><br></div><div>OpenID and OAUTH are completely independent protocols.</div><div>OAuth "classic" is a point-to-point solution between an application consumer (AC) and a service provider(SP).</div><div><br></div><div>There is no OpenID + OAuth specification yet (or best practice).</div><div><br></div><div>Google/Yahoo is pushing for a OP/SP integrated hybrid solution spec.</div><div><br></div><div>We would like to keep them separate to support federated OP's and variety of SP's out there. Of course, there is no browser in the loop requirement when an AC and SP need to communicate. However, they could use RSA-SHAI with the keys they have published at the OP and follow OAUTH two-legged protocol.</div><div><br></div><div>Pat.</div><div><br></div><div><br></div><div><br></div><div>However, there are efforts <br><div><br><div><div>On Jan 8, 2009, at 11:11 AM, Peter Williams wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div lang="EN-US" link="blue" vlink="purple"><div class="Section1"><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); ">I’m not sure about this being the “ultimate” solution: but the thread and its links were definitely very valuable to me.<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); ">I learned a lot about the doctrine of OAUTH (and “FireEagle”) that was just not apparent in the technical spec. he spec focused on the free and fun world of SPs –data sources supporting OpenID RPs. If these control ideas are part and parcel of OAUTH culture, I think I’m starting to understand why Eran seemed to distraught during the election process. There may well be a cultural disconnect, over the issue of OP control. This disconnect contrasts with the obvious and apparently easy opportunity to harmonize the bits and bytes of the two protocols<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); ">To make software, in the interests of “security and safety of users” (always a dodgy introduction in a control culture) developers used to be commonly subject a distributor’s certification of their PC app’s code. In particular, one may remember that app designers targeting the Apple platform had to ensure the app’s look was consistent with the platform’s goals. (Originally, this used to include even being required to submitting your business plan to Apple).<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); ">For OAUTH, this seems to translate: “portals” acting as OPs will not certify third-party apps as consumers of the assertion (i.e. will refuse to issue backchannel passwords or will revoke an existing credential) if the app fails to continually demonstrate that it adopts certain design patterns that promote the browser (vs. the PC or PKI) as the trust system. If a third party site uses an embedded browser control, for example, the app not be certified (as it compromises user identity protection boundary). The argument is that any website design practice that doesn’t advocate using the “browser as a trust platform” fails to counter phishing attacks by fraudulent websites).<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); ">Have I correctly captured the social issue? I note the advocacy of certain folks who want the Foundation to promote and certify “UX”, too.<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="border-top-style: none; border-right-style: none; border-bottom-style: none; border-width: initial; border-color: initial; border-left-style: solid; border-left-color: blue; border-left-width: 1.5pt; padding-top: 0in; padding-right: 0in; padding-bottom: 0in; padding-left: 4pt; "><div><div style="border-right-style: none; border-bottom-style: none; border-left-style: none; border-width: initial; border-color: initial; border-top-style: solid; border-top-color: rgb(181, 196, 223); border-top-width: 1pt; padding-top: 3pt; padding-right: 0in; padding-bottom: 0in; padding-left: 0in; "><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "><span class="Apple-converted-space"> </span><a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a> [<a href="mailto:general-bounces@openid.net" style="color: blue; text-decoration: underline; ">mailto:general-bounces@openid.net</a>]<span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Steven Livingstone-Perez<br><b>Sent:</b><span class="Apple-converted-space"> </span>Thursday, January 08, 2009 5:04 AM<br><b>To:</b><span class="Apple-converted-space"> </span><a href="mailto:general@openid.net" style="color: blue; text-decoration: underline; ">general@openid.net</a><br><b>Subject:</b><span class="Apple-converted-space"> </span>[OpenID] The OpenID and OAuth Flow: Playing with UX<o:p></o:p></span></div></div></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">This is an excellent piece and discussion OpenID as part of the article. Should be a kick off to design (at least on paper) the “ultimate” solution I’d think.<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><a href="http://ben-ward.co.uk/blog/oauth-flow/" style="color: blue; text-decoration: underline; ">http://ben-ward.co.uk/blog/oauth-flow/</a><o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">steven<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">http://<a href="http://friendfeed.com/rooms/openidstream" style="color: blue; text-decoration: underline; ">friendfeed.com/rooms/openidstream</a><o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><a href="http://livz.org" style="color: blue; text-decoration: underline; ">http://livz.org</a><o:p></o:p></div></div></div>_______________________________________________<br>general mailing list<br><a href="mailto:general@openid.net" style="color: blue; text-decoration: underline; ">general@openid.net</a><br><a href="http://openid.net/mailman/listinfo/general" style="color: blue; text-decoration: underline; ">http://openid.net/mailman/listinfo/general</a><br></div></span></blockquote></div><br></div></div></body></html>