<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.apple-style-span
        {mso-style-name:apple-style-span;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>

<body lang=EN-US link=blue vlink=purple style='word-wrap: break-word;
-webkit-nbsp-mode: space;-webkit-line-break: after-white-space'>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Is there a forum where the issues are being argued in the manner
the openid community is used to?<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I don&#8217;t mind vendors advocating and initiating &#8211; or using
forums like the Foundation to orchestrate the world they view as applicable to
their business (e.g. address patent face-offs). But, in a UCI culture there
needs to be a forum where the user can be involved too, before it&#8217;s all &#8220;sewn
up&#8221;.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I like UCI as a dogma, if only because it&#8217;s generic in its
definition and puts a constantly redefinable limit on the power of the OP.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>It seems obvious that if an OAUTH AC happens to be an openid
RP, the RP can expect to leverage its security context with an OP to
securely communicate with the SP.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The question is, does the governance control of the OP over the
RP project to the SP?<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>That&#8217;s where I start to question. In a UCI environment, I
would say that the user MUST decide that issue. A user May decide that OP1 is
replaced by OP2, once OP1 has bootstrapped a secure channel between RP and OAUTH-SP.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Pat Cappelaere
[mailto:pat@cappelaere.com] <br>
<b>Sent:</b> Thursday, January 08, 2009 8:32 AM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> Steven Livingstone-Perez; general@openid.net<br>
<b>Subject:</b> Re: [OpenID] The OpenID and OAuth Flow: Playing with UX<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal>Peter,<o:p></o:p></p>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>OpenID and OAUTH
are&nbsp;completely&nbsp;independent&nbsp;protocols.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>OAuth &quot;classic&quot; is a point-to-point solution
between an application consumer (AC) and a service provider (SP).<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>There is no OpenID + OAuth specification yet (or best
practice).<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>Google/Yahoo is pushing for an OP/SP integrated hybrid
solution spec.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>We would like to keep them separate to support federated
OP's and a variety of SP's out there. &nbsp;Of course, there is no browser in the
loop requirement when an AC and SP need to communicate. &nbsp;However, they
could use RSA-SHA1 with the keys they have published at the OP and follow OAUTH
two-legged protocol.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>Pat.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>


<div>

<p class=MsoNormal>However, there are efforts&nbsp;<o:p></o:p></p>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<div>

<div>

<p class=MsoNormal>On Jan 8, 2009, at 11:11 AM, Peter Williams wrote:<o:p></o:p></p>

</div>

<p class=MsoNormal><br>
<br>
<o:p></o:p></p>

<div>

<div>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I&#8217;m not sure about this being the &#8220;ultimate&#8221;
solution: but the thread and its links were definitely very valuable to me.</span><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>&nbsp;</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:black'><o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I learned a lot about the doctrine of OAUTH (and
&#8220;FireEagle&#8221;) that was just not apparent in the technical spec. The
spec focused on the free and fun world of SPs &#8211; data sources supporting
OpenID RPs. If these control ideas are part and parcel of OAUTH culture, I
think I&#8217;m starting to understand why Eran seemed so distraught during the
election process. There may well be a cultural disconnect, over the issue of OP
control. This disconnect contrasts with the obvious and apparently easy
opportunity to harmonize the bits and bytes of the two protocols.</span><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>&nbsp;</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:black'><o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>To make software, in the interests of &#8220;security and
safety of users&#8221; (always a dodgy introduction in a control culture)
developers used to be commonly subject to a distributor&#8217;s certification of
their PC app&#8217;s code. In particular, one may remember that app designers
targeting the Apple platform had to ensure the app&#8217;s look was consistent
with the platform&#8217;s goals. (Originally, this used to include even being
required to submit your business plan to Apple).</span><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>&nbsp;</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:black'><o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>For OAUTH, this seems to translate: &#8220;portals&#8221; acting
as OPs will not certify third-party apps as consumers of the assertion (i.e.
will refuse to issue backchannel passwords or will revoke an existing
credential) if the app fails to continually demonstrate that it adopts certain
design patterns that promote the browser (vs. the PC or PKI) as the trust
system. If a third party site uses an embedded browser control, for example,
the app will not be certified (as it compromises the user identity protection boundary).
The argument is that any website design practice that doesn&#8217;t advocate
using the &#8220;browser as a trust platform&#8221; fails to counter phishing
attacks by fraudulent websites.</span><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:black'><o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>&nbsp;</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:black'><o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Have I correctly captured the social issue? I note the advocacy
of certain folks who want the Foundation to promote and certify
&#8220;UX&#8221;, too.</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:black'><o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>&nbsp;</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:black'><o:p></o:p></span></p>

</div>


<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt;
border-width:initial;border-color:initial'>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in;
border-width:initial;border-color:initial'>

<div>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:black'>From:</span></b><span class=apple-converted-space><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>&nbsp;</span></span><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><a
href="mailto:general-bounces@openid.net">general-bounces@openid.net</a> [<a
href="mailto:general-bounces@openid.net">mailto:general-bounces@openid.net</a>]<span
class=apple-converted-space>&nbsp;</span><b>On Behalf Of<span
class=apple-converted-space>&nbsp;</span></b>Steven Livingstone-Perez<br>
<b>Sent:</b><span class=apple-converted-space>&nbsp;</span>Thursday, January
08, 2009 5:04 AM<br>
<b>To:</b><span class=apple-converted-space>&nbsp;</span><a
href="mailto:general@openid.net">general@openid.net</a><br>
<b>Subject:</b><span class=apple-converted-space>&nbsp;</span>[OpenID] The
OpenID and OAuth Flow: Playing with UX</span><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:black'><o:p></o:p></span></p>

</div>

</div>

</div>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:black'>&nbsp;<o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:black'>This is an excellent piece and discusses OpenID as part of the
article. Should be a kick off to design (at least on paper) the
&#8220;ultimate&#8221; solution I&#8217;d think.<o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:black'>&nbsp;<o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:black'><a href="http://ben-ward.co.uk/blog/oauth-flow/">http://ben-ward.co.uk/blog/oauth-flow/</a><o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:black'>&nbsp;<o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:black'>steven<o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:black'><a href="http://friendfeed.com/rooms/openidstream">http://friendfeed.com/rooms/openidstream</a><o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:black'><a href="http://livz.org">http://livz.org</a><o:p></o:p></span></p>

</div>

</div>

</div>

<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica","sans-serif";
color:black'>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

</div>

</div>

</div>

</body>

</html>