
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">


<head>

<meta http-equiv=Content-Type content="text/html; charset=us-ascii">

<meta name=Generator content="Microsoft Word 12 (filtered medium)">

<title>Re: [OpenID] HTML-Based Discovery incompatibilities</title>

<style>

<!--

 /* Font Definitions */

 @font-face

        {font-family:"Cambria Math";

        panose-1:2 4 5 3 5 4 6 3 2 4;}

@font-face

        {font-family:Calibri;

        panose-1:2 15 5 2 2 2 4 3 2 4;}

@font-face

        {font-family:Tahoma;

        panose-1:2 11 6 4 3 5 4 4 2 4;}

 /* Style Definitions */

 p.MsoNormal, li.MsoNormal, div.MsoNormal

        {margin:0in;

        margin-bottom:.0001pt;

        font-size:12.0pt;

        font-family:"Times New Roman","serif";}

a:link, span.MsoHyperlink

        {mso-style-priority:99;

        color:blue;

        text-decoration:underline;}

a:visited, span.MsoHyperlinkFollowed

        {mso-style-priority:99;

        color:purple;

        text-decoration:underline;}

p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph

        {mso-style-priority:34;

        margin-top:0in;

        margin-right:0in;

        margin-bottom:0in;

        margin-left:.5in;

        margin-bottom:.0001pt;

        font-size:12.0pt;

        font-family:"Times New Roman","serif";}

span.EmailStyle17

        {mso-style-type:personal-reply;

        font-family:"Calibri","sans-serif";

        color:#1F497D;}

.MsoChpDefault

        {mso-style-type:export-only;

        font-size:10.0pt;}

@page Section1

        {size:8.5in 11.0in;

        margin:1.0in 1.0in 1.0in 1.0in;}

div.Section1

        {page:Section1;}

 /* List Definitions */

 @list l0

        {mso-list-id:1995059128;

        mso-list-type:hybrid;

        mso-list-template-ids:-632622956 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}

@list l0:level1

        {mso-level-tab-stop:none;

        mso-level-number-position:left;

        text-indent:-.25in;}

ol

        {margin-bottom:0in;}

ul

        {margin-bottom:0in;}

-->

</style>

<!--[if gte mso 9]><xml>

 <o:shapedefaults v:ext="edit" spidmax="1026" />

</xml><![endif]--><!--[if gte mso 9]><xml>

 <o:shapelayout v:ext="edit">

  <o:idmap v:ext="edit" data="1" />

 </o:shapelayout></xml><![endif]-->

</head>


<body lang=EN-US link=blue vlink=purple>


<div class=Section1>


<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'>If you had a magic wand to wave in the OAUTH + OpenID

integration (which I hope happens), <o:p></o:p></span></p>


<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'><o:p>&nbsp;</o:p></span></p>


<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span

style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span

style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

</span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'>would you eliminate the concept of end-user controlled delegation?<o:p></o:p></span></p>


<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'><br>

Today, the ONLY way a user can express the requirement to have myopenid invoke

https between the user&#8217;s browser and myopenid for user authentication is

through the user-controlled metadata used also for delegation.<o:p></o:p></span></p>


<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'><o:p>&nbsp;</o:p></span></p>


<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span

style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span

style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

</span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'>Would you eliminate the concept of a user being able to require an

OP to authentication the user over https?<o:p></o:p></span></p>


<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'><o:p>&nbsp;</o:p></span></p>


<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'>I ask these particular questions as many folk in more traditional

TTP IDP community cultures feel end-users really ought to have NO say and NO control

over those issues. They would typically argue that only &#8220;authorities&#8221;

have a &#8220;proper&#8221; role in those areas, whether the authority is the RP,

the OP or the vanity openid provider (i-broker/ISP).<o:p></o:p></span></p>


<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'><o:p>&nbsp;</o:p></span></p>


<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'>They would argue that the end-user is NEVER an authority. Rather,

the user has only one role: to be a subscriber to one of other authorities

policies. Only if the authority can continually trust and verify the end-user against

the policy would such an authority authorize the user to participate in the

community. Without an explicit authorization, access to the interworking community

will be denied by default.<o:p></o:p></span></p>


<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'><o:p>&nbsp;</o:p></span></p>


<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>


<div>


<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>


<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span

style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>

general-bounces@openid.net [mailto:general-bounces@openid.net] <b>On Behalf Of </b>Eran

Hammer-Lahav<br>

<b>Sent:</b> Thursday, January 08, 2009 1:32 PM<br>

<b>To:</b> Martin Atkins<br>

<b>Cc:</b> general@openid.net<br>

<b>Subject:</b> Re: [OpenID] HTML-Based Discovery incompatibilities<o:p></o:p></span></p>


</div>


</div>


<p class=MsoNormal><o:p>&nbsp;</o:p></p>


<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;

font-family:"Calibri","sans-serif"'>problem with OpenID, unlike most other

protocols in this space is that it is too close to the end-user surface. <span

style='color:#1F497D'><o:p></o:p></span></span></p>


<p class=MsoNormal style='margin-bottom:12.0pt'><b><i><span style='font-size:

11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></i></b></p>


<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;

font-family:"Calibri","sans-serif"'>So if this feature is not widely adopted,

it leads directly to breaking the faith the end-user has in the entire

protocol. <span style='color:#1F497D'><o:p></o:p></span></span></p>


<p class=MsoNormal style='margin-bottom:12.0pt'><o:p>&nbsp;</o:p></p>


</div>


</div>


</body>


</html>