<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hmm. Now I object.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>That presupposes (yet again) that only well known OPs are of any
consequence.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>What SSL taught us is that what really matters is the a half
billion SSL domains that hardly anyone knows about (they are almost all wifi
routers, with a self-signed cert for https admin)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>All depends on what the mission of openid is. 10 giant megaOPs,
or the little guy (of which there are a lot).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
general-bounces@openid.net [mailto:general-bounces@openid.net] <b>On Behalf Of </b>Andrew
Arnott<br>
<b>Sent:</b> Tuesday, March 17, 2009 2:52 PM<br>
<b>To:</b> Allen Tom<br>
<b>Cc:</b> general@openid.net<br>
<b>Subject:</b> Re: [OpenID] Backwards Compatibility<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>Of course. But perhaps
the useful question could phrased "are there any OPs that don't support
HTTPS that people would cry about not working any more?"<br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal>On Tue, Mar 17, 2009 at 2:28 PM, Allen Tom <<a
href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>> wrote:<o:p></o:p></p>
<div>
<p class=MsoNormal>I'd like to remove the requirement for SSL enabled OPs to
support DH. Are there any OPs that don't support HTTPS?<br>
<span style='color:#888888'><br>
Allen</span><o:p></o:p></p>
<div>
<div>
<p class=MsoNormal><br>
<br>
<br>
Andrew Arnott wrote: <o:p></o:p></p>
<p class=MsoNormal>Why remove DH key exchange? Wouldn't the remove the
capability for <i>arbitrary </i>RPs and OPs to establish an association unless
the OP supported SSL? Key word is arbitrary. I'd hate to lose the ability
to securely exchange a secret with an OP that doesn't expose an SSL OP
endpoint. <o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>DNS poisoning attacks are possible without SSL, I know.
But sniffing a password in plaintext is so much easier than poisoning
someone's DNS server, especially if said DNS server has mitigations against
poisoning already. So it seems there are legitimate uses for OPs without SSL
support, but that goes completely away without DH.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal>On Mon, Mar 16, 2009 at 10:48 PM, Allen Tom <<a
href="mailto:atom@yahoo-inc.com" target="_blank">atom@yahoo-inc.com</a>>
wrote:<o:p></o:p></p>
<p class=MsoNormal>+1<br>
<br>
I'd be very happy to see 1.1 clearly deprecated, and in an ideal world,
existing 2.0 implementations would already 2.1 compliant.<br>
<br>
If anything, I'd like to see things removed from 2.0, such as the DH key
exchange.<br>
<br>
The 2.1 spec should mostly clarify ambiguous portions of the 2.0 spec,
especially wrt to delegation and directed identity.<br>
<span style='color:#888888'><br>
Allen</span> <o:p></o:p></p>
<div>
<div>
<p class=MsoNormal><br>
<br>
<br>
<br>
Martin Atkins wrote:<o:p></o:p></p>
<p class=MsoNormal>David Recordon wrote:<o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>Hey Carsten,<br>
I agree with you. It's time to make sure that 1.1 is clearly deprecated
and that everyone implements 2.1 once it is completed.<o:p></o:p></p>
<p class=MsoNormal><br>
Is there some compelling reason not to make 2.1 a superset of how 2.0 is
implemented today? (That is to say, not a superset of the spec as written, but
a superset of the parts of it that are implemented and the errata.)<br>
<br>
I think in an ideal world every existing, well-behaved 2.0 implementation would
already be a fully-compliant 2.1 implementation. This implies a research-driven
approach involving the studying of existing implementations; there should be a
high barrier to specifying anything that disagrees with an existing,
well-behaved implementation.<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><o:p></o:p></p>
<p class=MsoNormal><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><o:p></o:p></p>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</body>
</html>