<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" 
xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.apple-style-span
        {mso-style-name:apple-style-span;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;}
span.EmailStyle21
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
/* List Definitions */
@list l0
        {mso-list-id:793209880;
        mso-list-template-ids:578576898;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I’m not offended. As one of the least capable technical
people here, it is a little strange that folks ask me what stuff means (as if I
know or use it, it has to be pretty standard stuff).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a href="http://en.wikipedia.org/wiki/DOCSIS">DOCSIS</a> the
cable modem standard. It provisions hundreds of millions of cable modems in homes.
It’s particularly important for voice/voip to the home.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a href="http://en.wikipedia.org/wiki/DSLAM">DSLAM</a> is the DSL
multiplexor that takes your local copper loop from your house, connects it to a
backbone ATM network of the phone company (usually), and routes cells to a
long-haul ISP - giving your home router reachability to the world of the internet.
<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>CO is the central office: the phone company building downtown
with lots of microwave dishes on top, typically. It’s where your home phone line
terminates (and it’s where wiretaps are applied, typically). There is an
equivalent term for the cable modem termination office downtown, whose formal name
I’ve forgotten.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>When IPv6 really takes effect in 2010-2012 for consumers,
perhaps all that stuff will start to go away – as pure secure routing technologies
such as <a href="http://en.wikipedia.org/wiki/MPLS_VPN">MPLS-VPNs</a> come
built directly into a more intelligent layer 3 WAN – eventually making things such
as openid irrelevant. The MPLS world of virtual circuits and trust networks
can scale with IPv6 - to support all the personal trust networks one could ever
want within the core internet service. Meantime, since the DOCSIS/DSL/CO
stuff is today’s mainstream, we still need openid and websso to build our
personal trust networking spaces at layer 7.<o:p></o:p></span></p>
<div style='mso-element:para-border-div;border:none;border-bottom:solid windowtext 1.0pt;
padding:0in 0in 1.0pt 0in'>
<p class=MsoNormal style='border:none;padding:0in'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p>
</div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Vanity sites for discovery and control over openid-delegation only
require RP server threads to trust subscriber certs and roots. Browsers (and
their TTP-centric trust models) are not involved. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Today, MyOpenid allows one to register one’s self-managed infocards
or an X.509 SSL client cert with one’s openid. A minor inversion of that principle
could allow an RP to register one’s vanity SSL-server self-signed cert,
as one links one’s public openid to the RP account the first time. A helpful
OP focused on bootstrapping the UCI world might even facilitate that trust point
provisioning.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Andrew Arnott
[mailto:andrewarnott@gmail.com] <br>
<b>Sent:</b> Thursday, March 19, 2009 1:21 PM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> Allen Tom; OpenID List; Martin Atkins<br>
<b>Subject:</b> Re: [OpenID] D-H vs SSL<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Peter, no offense, and maybe it's just me, but you have a
strong tendency to snow with acronyms. What is DOCSIS/DSLAM and CO?
<o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>How in the world can you get a free HTTPS certificate that
nearly all RPs will accept for $0? It seems to me that there <span
class=apple-style-span><i>is</i></span> a price for SSL if you're hosting
your own OP or even vanity URL using SSL, since you need a cert that most
browsers and RPs trust.<o:p></o:p></p>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal>2009/3/19 Peter Williams <<a
href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>><o:p></o:p></p>
<div>
<div>
<p><span style='font-size:11.0pt;color:#1F497D'>What is that price?</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>It’s zero, today. DDNS registers
the current DHCP address from the DOCSIS/DSLAM multiplexor at the CO, and one
uses the wifi router to define one’s persistent domain suitable for an https URI.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>I know folks are trained to
think in the VeriSign mantra (that all CA work has to be a giant national
infrastructure - with enterprise corporate practices and trillion dollar
warranties). But don’t fall into that trap - in a UCI space. Just think
of your home wifi router as your OP (or the vanity discovery point).</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:
10.0pt'> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>]
<b>On Behalf Of </b>Allen Tom<br>
<b>Sent:</b> Thursday, March 19, 2009 11:57 AM<br>
<b>To:</b> Andrew Arnott; OpenID List<br>
<b>Cc:</b> Martin Atkins<o:p></o:p></span></p>
<div>
<p class=MsoNormal><span style='font-size:10.0pt'><br>
<b>Subject:</b> Re: [OpenID] D-H vs SSL<o:p></o:p></span></p>
</div>
</div>
</div>
<p> <o:p></o:p></p>
<p>The DIY ethic of OpenID is also one of its main strengths, and as Johannes
pointed out, there are plenty of scenarios where someone might want to run an
OP without HTTPS. For instance, I'm not willing to pay the price to support
HTTPS on my own personal domain.<o:p></o:p></p>
<div>
<div>
<p class=MsoNormal><br>
<br>
As I mentioned earlier, I only brought up DH because I felt that it could be
something that could be removed from the core spec, with the goal of making the
spec lighter. Given the discussion so far, it looks like there are good reasons
for keeping DH in the spec.<br>
<br>
Allen<br>
<br>
<br>
Andrew Arnott wrote: <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p>Well, the spec allows for session types to be implemented that are not
defined in the spec. If DH is ever removed from the OpenID spec, I hope
the spec can reference another DH spec that keeps it alive as a spec that
people can optionally implement. <o:p></o:p></p>
<div>
<p style='margin-bottom:12.0pt'><br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<o:p></o:p></p>
<div>
<p>2009/3/19 Allen Tom <<a href="mailto:atom@yahoo-inc.com" target="_blank">atom@yahoo-inc.com</a>><o:p></o:p></p>
<div>
<p>If we consider OAuth's secret exchange mechanism for HMAC-SHA1 sigs,<o:p></o:p></p>
<ul type=disc>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>OAuth Service Providers usually issue a Consumer
Secret to the developer, without any input from the developer. (hopefully
via HTTPS)<o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>OAuth Request Token and Access Token secrets are
issued by the Service Provider to the Consumer (also, hopefully via
HTTPS), without any input from the Consumer<o:p></o:p></li>
</ul>
<p>Returning cleartext secrets via HTTPS would be consistent with OAuth.<br>
<br>
Although DH on top of SSL is safer than cleartext and SSL, is the overhead of
having the spec discuss DH worth it? If the OP is unable to generate a strong
secret on its own, or if the transport layer between the RP and OP cannot be
secured using HTTPS, then arguably the entire system has issues.<br>
<br>
I only mention DH, not because I have an issue with DH, but because one of
OpenID's most desirable traits is its relative simplicity. The spec is pretty
straightforward, and it's not all that hard to implement. Sites that want a
richer (and more complicated) SSO protocol standard have alternatives that are
already in production and are widely used.<br>
<span style='color:#888888'><br>
Allen</span> <o:p></o:p></p>
<div>
<p style='margin-bottom:12.0pt'><br>
<br>
Ben Laurie wrote:<o:p></o:p></p>
<pre>Ah. I see.<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>So, I am going to be lazy, because I have not checked the spec, but<o:p></o:p></pre>
<pre>it's considered good practice when establishing a shared secret for<o:p></o:p></pre>
<pre>both sides to contribute to that secret. Is that true for the<o:p></o:p></pre>
<pre>cleartext secret?<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
</div>
</div>
<p style='margin-bottom:12.0pt'><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><o:p></o:p></p>
</div>
<p> <o:p></o:p></p>
</div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
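<p class=MsoNormal>The DH association exchange the thread argues about (Allen's "DH on top of SSL" versus a cleartext MAC key, and Ben's question of whether both sides contribute to the secret), as an added example that is not part of the thread or of any OpenID library. It assumes the OpenID 2.0 DH-SHA256 session layout (RP sends g^x, OP replies with g^y and enc_mac_key = H(btwoc(g^xy)) XOR mac_key) and the RFC 2409 group 2 prime, which OpenID 2.0 uses as its default modulus; the point it shows is that RP and OP both contribute to the wrapping key, while the MAC key itself is still chosen by the OP alone, so OP-side randomness still matters even with DH.</p>

```python
"""Added example (not from the thread): OpenID 2.0 style DH-SHA256 association.
Both RP (x) and OP (y) contribute to g^xy, which wraps the OP-chosen MAC key;
in the no-encryption session type the MAC key would travel in the clear."""
import hashlib
import secrets

# RFC 2409 group 2 prime; assumed here to be OpenID 2.0's default dh_modulus.
DEFAULT_MODULUS = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DEFAULT_GEN = 2


def btwoc(n):
    """Big-endian two's-complement encoding of a non-negative integer."""
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rp_start(p=DEFAULT_MODULUS, g=DEFAULT_GEN):
    """RP picks private x and sends dh_consumer_public = g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def op_respond(consumer_public, p=DEFAULT_MODULUS, g=DEFAULT_GEN):
    """OP picks private y and a fresh 32-byte HMAC-SHA256 key; the key is
    returned wrapped as enc_mac_key = SHA256(btwoc(g^xy)) XOR mac_key."""
    y = secrets.randbelow(p - 2) + 1
    mac_key = secrets.token_bytes(32)          # chosen by the OP alone
    shared = pow(consumer_public, y, p)        # g^xy mod p, needs both x and y
    enc_mac_key = xor_bytes(hashlib.sha256(btwoc(shared)).digest(), mac_key)
    return mac_key, pow(g, y, p), enc_mac_key


def rp_finish(x, server_public, enc_mac_key, p=DEFAULT_MODULUS):
    """RP unwraps the MAC key with its own copy of g^xy."""
    shared = pow(server_public, x, p)
    return xor_bytes(hashlib.sha256(btwoc(shared)).digest(), enc_mac_key)


def run_association():
    """Full exchange; returns (OP's mac_key, RP's recovered mac_key)."""
    x, consumer_public = rp_start()
    op_mac_key, server_public, enc_mac_key = op_respond(consumer_public)
    return op_mac_key, rp_finish(x, server_public, enc_mac_key)
```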
</div>
</div>
</div>
</div>
</body>
</html>