<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Ah. I agree with you: that’s a disreputable practice (in
the “openid/websso” sense). This is a least the second time I’ve
seen that, now, in this community. There is no shame in this world!<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I don’t mind RP proxying (and IDP proxying). I think both
are proxying models are legitimate, in a multi-protocol world. But you don’t
“proxy” by having the user’s own authentication credentials to
the email/address book provider. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Now your scenario for OAUTH during an RP provisioning an
account makes perfect sense. OAUTH allows an RP with an active user controlled session
to go pull data from some or other contact book provider, or magnolia as the
favorites provider.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Some variant of a user or SP nominating a “personalized openid”
(to use yahoo terminology) with limited scope can serve as the authorization
proxy authority from the user. If I’ve registered a particular
personalized yahoo openid at address book RP which is willing to act as an
OAUTH-SP, I could be giving that particular :secret: value as a
consumer-secret to Plaxo. If more control is required and more autonomy from
the OP, one can do what I suggested the other day: and exploit delegation to bind
a local secret (the finalized discovery url) to a common openid at the address
book maintainer, and release that alongside the Op-provisioned openid to Plaxo.
Then, one has a measure of immunity from OP misconduct, too.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Andrew Arnott
[mailto:andrewarnott@gmail.com] <br>
<b>Sent:</b> Wednesday, January 14, 2009 6:48 AM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> Martin Atkins; OpenID List<br>
<b>Subject:</b> Re: [OpenID] Is OpenID truly user-centric and OP-independent?
(WAS: Bug in OpenID RP implementations)<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Hi Peter,<o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>I think you missed the scenario I was saying should use
OAuth. The login process with Plaxo was fantastic. I didn't mind
that it sniffed my email address from my OP. That's convenience for me.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>But after login was completed, the first page I was taken to
was a page where they wanted to take some email address and password so they
could go download my address book. This has nothing to do with OpenID.
They wanted my email password (bad, bad, bad!) And yes, as you say,
this is actually fairly common practice. LinkedIn, Facebook, Lala, you
name it. Almost every social networking site wants your email password.
("cold dead fingers" comes to mind). The link I sent you in my
previous email explains why this is such a Very Bad Thing.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>What OAuth does is give Plaxo, et. al, a way to download my
address book without me ever giving them my email password. They still
need my permission, but not my password. With OAuth, they can only do
exactly what I authorize them to do (for instance, download my address book
once) and nothing more. Much much safer for the user. They don't
have to trust (usually blindly) the site they're at nearly as much.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Of course, then you get into the social question of how your
"friends" in your address book will feel about you after you
"sell" their contact info to some random site they have no interest
in being a part of just to get a little convenience. :)<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal>On Wed, Jan 14, 2009 at 6:28 AM, Peter Williams <<a
href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p><span style='font-size:11.0pt;color:#1F497D'>I have yet to understand why
people assert that type of OAuth comment. I jus don't understand OAUTH well
enough, yet.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>Given all I know (from the
OAUTH spec), data providers can share data with data consumers, once authorized
by the user. Though any act of authorization (or "delegated"
authorization) requires first an act of authentication (ideally with openid),
the two security services are usually designed to be independent.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>In the websso world I come
from, what Plaxo do is perfectly normal. They "confirm" using a
local procedure the authentication statement in the assertion. That is, they
declare that the assertion is not a bearer-class assertion, which would have
implicit confirmation. As a consequence of that confirmation model, they
confirm locally that the user controls the email identifier delivered via the
nice "form fill" function that openid/sreg just performed.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>In reality, Plaxo is perform
name-federation with the users email identifier to the plaxo account. The
verification model is really between the mail/phone provider and Plaxo, not OP
and RP. Even if the OP has already performed that very same email confirmation
(e.g. myopenid), the UCI model means that Plaxo have no assurance that it was
performed, or performed properly. Thus, they do it themselves.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>As plaxo is oft-cited as a
model openid RP by the protocol-designer class of folk here, I had assumed that
this RP-confirmation process was an INTENDED deployment behavior of
"model" RPs. I had ASSUMED that It was one of those tradeoffs derived
from the UCI mission – which gives the function of survivability on
the one hand, but takes away assurance on the other. One rebuilds assurance by
local confirmation, I guessed.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>During one-time name-federation
to plaxo during (n) openid registration(s() - and providing different openids
can introduce different email/phone accounts - I don't see this as a big
deal. If Plaxo as an RP were repeatedly confirming with the email/phone
provider, then Id agree – something user-centric is needed (perhaps
OAUTH); as then the email provider becomes a central control/authorization
authority - governing the user's ability to talk to plaxo.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:
10.0pt'> Andrew Arnott [mailto:<a href="mailto:andrewarnott@gmail.com"
target="_blank">andrewarnott@gmail.com</a>] <br>
<b>Sent:</b> Wednesday, January 14, 2009 6:06 AM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> Martin Atkins; OpenID List<br>
<b>Subject:</b> Re: [OpenID] Is OpenID truly user-centric and OP-independent?
(WAS: Bug in OpenID RP implementations)</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p> <o:p></o:p></p>
<p>Yes, I wish everyone could follow that model at Plaxo.<o:p></o:p></p>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p style='margin-bottom:12.0pt'>But Plaxo would do well to adopt OAuth. I
noticed as soon as I created an account just now that they wanted to <a
href="http://blog.nerdbank.net/2008/10/why-oauth-can-be-ignored.html"
target="_blank">take my email password</a>. <br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<o:p></o:p></p>
<div>
<p>On Wed, Jan 14, 2009 at 5:51 AM, Peter Williams <<a
href="mailto:pwilliams@rapattoni.com" target="_blank">pwilliams@rapattoni.com</a>>
wrote:<o:p></o:p></p>
<div>
<div>
<p><span style='font-size:11.0pt;color:#1F497D'>Add a plural s to the word
identity.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>IN policy language, the goal is
surely not attaining "independence" from the communications
infrastructure; but achieving "autonomy".</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>This is nicely seen in the
plaxo model for building RPs, where you can bind n openids to the plaxo
account. As a user, you can invoke any one of these identification paths. If
flicker suspends your account (which they are want to do), there is no downside
to you at Plaxo. Survivability is built in, with automatic, dynamic re-routing
around the congestion point.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p style='margin-bottom:12.0pt'><b><span style='font-size:10.0pt'>From:</span></b><span
style='font-size:10.0pt'> <a href="mailto:general-bounces@openid.net"
target="_blank">general-bounces@openid.net</a> [mailto:<a
href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>]
<b>On Behalf Of </b>Andrew Arnott<br>
<b>Sent:</b> Wednesday, January 14, 2009 5:35 AM<br>
<b>To:</b> Martin Atkins</span><o:p></o:p></p>
<div>
<p>In fact, I've become convinced that there is no way to allow a user to
maintain his own OpenID identity independent of any OP or ISP given the profile
of a common Internet user today.<o:p></o:p></p>
</div>
</div>
</div>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>