<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I have yet to understand why people assert that type of OAuth
comment. I jus don’t understand OAUTH well enough, yet.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Given all I know (from the OAUTH spec), data providers can share
data with data consumers, once authorized by the user. Though any act of
authorization (or “delegated” authorization) requires first an act
of authentication (ideally with openid), the two security services are usually
designed to be independent.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In the websso world I come from, what Plaxo do is perfectly
normal. They “confirm” using a local procedure the authentication
statement in the assertion. That is, they declare that the assertion is not a
bearer-class assertion, which would have implicit confirmation. As a consequence
of that confirmation model, they confirm locally that the user controls the
email identifier delivered via the nice “form fill” function that
openid/sreg just performed.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In reality, Plaxo is perform name-federation with the users email
identifier to the plaxo account. The verification model is really between the
mail/phone provider and Plaxo, not OP and RP. Even if the OP has already
performed that very same email confirmation (e.g. myopenid), the UCI model
means that Plaxo have no assurance that it was performed, or performed properly.
Thus, they do it themselves.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>As plaxo is oft-cited as a model openid RP by the protocol-designer
class of folk here, I had assumed that this RP-confirmation process was an INTENDED
deployment behavior of “model” RPs. I had ASSUMED that It was one
of those tradeoffs derived from the UCI mission – which gives the function
of survivability on the one hand, but takes away assurance on the other. One
rebuilds assurance by local confirmation, I guessed.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>During one-time name-federation to plaxo during (n) openid
registration(s() - and providing different openids can introduce different
email/phone accounts - I don’t see this as a big deal. If Plaxo as
an RP were repeatedly confirming with the email/phone provider, then Id agree –
something user-centric is needed (perhaps OAUTH); as then the email
provider becomes a central control/authorization authority - governing the user’s
ability to talk to plaxo.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Andrew Arnott
[mailto:andrewarnott@gmail.com] <br>
<b>Sent:</b> Wednesday, January 14, 2009 6:06 AM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> Martin Atkins; OpenID List<br>
<b>Subject:</b> Re: [OpenID] Is OpenID truly user-centric and OP-independent?
(WAS: Bug in OpenID RP implementations)<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Yes, I wish everyone could follow that model at Plaxo.<o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'>But Plaxo would do well to
adopt OAuth. I noticed as soon as I created an account just now that they
wanted to <a
href="http://blog.nerdbank.net/2008/10/why-oauth-can-be-ignored.html">take my
email password</a>. <br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal>On Wed, Jan 14, 2009 at 5:51 AM, Peter Williams <<a
href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p><span style='font-size:11.0pt;color:#1F497D'>Add a plural s to the word
identity.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>IN policy language, the goal is
surely not attaining "independence" from the communications
infrastructure; but achieving "autonomy".</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>This is nicely seen in the
plaxo model for building RPs, where you can bind n openids to the plaxo
account. As a user, you can invoke any one of these identification paths. If
flicker suspends your account (which they are want to do), there is no downside
to you at Plaxo. Survivability is built in, with automatic, dynamic re-routing
around the congestion point.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p style='margin-bottom:12.0pt'><b><span style='font-size:10.0pt'>From:</span></b><span
style='font-size:10.0pt'> <a href="mailto:general-bounces@openid.net"
target="_blank">general-bounces@openid.net</a> [mailto:<a
href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>]
<b>On Behalf Of </b>Andrew Arnott<br>
<b>Sent:</b> Wednesday, January 14, 2009 5:35 AM<br>
<b>To:</b> Martin Atkins</span><o:p></o:p></p>
<div>
<p>In fact, I've become convinced that there is no way to allow a user to
maintain his own OpenID identity independent of any OP or ISP given the profile
of a common Internet user today.<o:p></o:p></p>
</div>
</div>
</div>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>