<div>A few folks asked me for a printable list of the potential OpenID sessions to have on hand when the scheduling process starts at IIW. I have posted that here and I'll bring a few printouts with me:</div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">
<a href="http://sites.google.com/site/oauthgoog/Home/iiwopenid">http://sites.google.com/site/oauthgoog/Home/iiwopenid</a><br></blockquote><div><br></div>p.s. George, you might see if you can combine sessions with Luke Shepard because he wanted to talk about Facebook's experience becoming a 2.0 RP, both from a security perspective, though also in terms of usability (and he is hoping to do a quick demo).<br>
<br><div class="gmail_quote">On Fri, May 15, 2009 at 9:13 AM, George Fletcher <span dir="ltr"><<a href="mailto:gffletch@aol.com">gffletch@aol.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
I've been planning on doing a session around "Issues of becoming an 2.0 RP". Don't know if others are interested in sharing their experiences. It's lead me to believe that we need some changes in spec language and capabilities to make it a little easier (even with all the open source libraries:) If this was covered at the last IIW (which I missed) let me know.<br>
<br>
Thanks,<br>
George<br>
<br>
Eric Sachs wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
All of the "volunteers" I suggested for the 7 OpenID sessions have agreed to lead them, and looks like Allen can lead and 8th. Most of the "volunteers" will only be at IIW on Tuesday and Wednesday, so I suggest we try to schedule the majority of the sessions on those two days.<br>
<br></div><div class="im">
On Tue, May 12, 2009 at 4:27 PM, Allen Tom <<a href="mailto:atom@yahoo-inc.com" target="_blank">atom@yahoo-inc.com</a> <mailto:<a href="mailto:atom@yahoo-inc.com" target="_blank">atom@yahoo-inc.com</a>>> wrote:<br>
<br>
I'd like to give a Usability session where the OpenID UI Work<br>
Group can present the OpenID UI Extension, as well as an official<br>
kickoff for the OpenID UI Committee. I'll be able to contribute<br>
the results of a (very modest) study that Yahoo did recently on<br>
the effectiveness of a Popup UI, and we'll have some wireframes<br>
documenting RP and OP best practices.<br>
<br>
Allen<br>
<br>
Eric Sachs wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
At the last IIW confernece, the OpenID community came up with a<br>
suggested list of sessions ahead of time. While we changed it a<br>
bit during the IIW event, it still helped us coordinate an OpenID<br>
"track" that led to a lot of important discussions. In the hope<br>
of doing something similar, I thought I would throw out an<br>
initial list of 7 potential sessions (and potential leaders)<br>
based on some of the discussions on the list. I would love to<br>
get feedback on whether people think these are the right<br>
sessions, or have other ideas. And for the "leaders" that I<br>
volunteered, I'd like to see if they would really be willing to<br>
lead some of these topics.<br>
<br>
Title: Evolution of Discovery & OpenID<br>
Leaders: "Dirk Balfanz" <<a href="mailto:balfanz@google.com" target="_blank">balfanz@google.com</a><br></div>
<mailto:<a href="mailto:balfanz@google.com" target="_blank">balfanz@google.com</a>>>, "Eran Hammer-Lahav"<br>
<<a href="mailto:blade@yahoo-inc.com" target="_blank">blade@yahoo-inc.com</a> <mailto:<a href="mailto:blade@yahoo-inc.com" target="_blank">blade@yahoo-inc.com</a>>><div class="im"><br>
Topic: Have Eran give an update on the evolution of discovery<br>
standards. Then have Dirk Balfanz give a specific example of how<br>
Google is using those standards to help RPs support scenarios<br>
where an enterprise has outsourced their IDP to a<br>
service-provider such as Google Apps. Also discuss the reverse<br>
where a website has outsourced their RP to a service-provider<br>
such as Janrain's RPX.<br>
<br>
Title: Best practices for very-secure RP/IDP interaction<br></div>
Leader: "John Bradley" <<a href="mailto:jbradley@mac.com" target="_blank">jbradley@mac.com</a> <mailto:<a href="mailto:jbradley@mac.com" target="_blank">jbradley@mac.com</a>>>,<div class="im"><br>
Topic: Describe some of the current suggested best practices for<br>
increasing the security of RP/IDP interaction, and then try to<br>
create a community document of best practices. Look at NIST &<br>
PCI compliance as example targets.<br>
<br>
Title: How RPs can handle phishing of a user's IDP account<br>
Leader: "Breno de Medeiros" <<a href="mailto:breno@google.com" target="_blank">breno@google.com</a><br></div>
<mailto:<a href="mailto:breno@google.com" target="_blank">breno@google.com</a>>>, "Luke Shepard" <<a href="mailto:lshepard@facebook.com" target="_blank">lshepard@facebook.com</a><br>
<mailto:<a href="mailto:lshepard@facebook.com" target="_blank">lshepard@facebook.com</a>>><div class="im"><br>
Topic: Many websites that are not RPs have mechanisms to detect<br>
that a user might have been phished, and if so they try to help<br>
the actual user recover their account just as by requiring that<br>
the password on the account be changed. Once a website becomes<br>
an RP, its recovery mechanisms have to change. Breno/Dirk will<br>
discuss how to address this need using some OpenID extensions<br>
that can allow the RP to detect things such as the last time the<br>
user changed their password, or entered it on the computer, as<br>
well as more advanced methods to enable the RP to redirect the<br>
user to the IDP to automatically route the user into the change<br>
password flow (or re-enter password, or require the user to<br>
manually re-approve the identity assertion)<br>
<br>
Title: Best practices for using CAPTCHAs, such as to meet<br>
NIST/PCI type compliance<br></div>
Leader: "Eric Sachs" <<a href="mailto:sachse@google.com" target="_blank">sachse@google.com</a> <mailto:<a href="mailto:sachse@google.com" target="_blank">sachse@google.com</a>>><div class="im"><br>
Topic: Some RPs require that IDPs comply with guidelines such as<br>
NIST/PCI, and in particular the sections about reducing hackers<br>
ability to do online attacks to guess a user's password. Many<br>
major consumer oriented websites protect against those types of<br>
attacks using CAPTCHAs as well as temporary time-out mechanisms. Eric will describe some of the current suggested best practices<br>
for preventing these attacks, and then try to create a community<br>
document of best practices.<br>
<br>
Title: RPs who DONT want any PII (personally identifiable<br>
information)<br>
Leader: "John Bradley" <<a href="mailto:jbradley@mac.com" target="_blank">jbradley@mac.com</a><br></div>
<mailto:<a href="mailto:jbradley@mac.com" target="_blank">jbradley@mac.com</a>>>, "Dirk Balfanz" <<a href="mailto:balfanz@google.com" target="_blank">balfanz@google.com</a><br>
<mailto:<a href="mailto:balfanz@google.com" target="_blank">balfanz@google.com</a>>><div class="im"><br>
Topic: Some websites are especially privacy sensistive and would<br>
like to avoid collecting any PII from user's, including global<br>
IDs such as Email address, blog URLs, or OpenID URLs that are<br>
sent to multiple RPs. John will lead a discussion about<br>
potential best practices for how an RP/IDP can interact without<br>
exchanging PII, and then try to create a community document of<br>
best practices. Dirk will then lead a discussion about how an RP<br>
can indicate what type of URL (or URLs) it wants such as these<br>
non-PII URLs, or a blog/profile URL, or a global URL which won't<br>
necessarily have any interesting information about the user.<br>
<br>
Title: Invisible detection by RP of user's login state at IDPs<br>
Leader: "Luke Shepard" <<a href="mailto:lshepard@facebook.com" target="_blank">lshepard@facebook.com</a><br></div>
<mailto:<a href="mailto:lshepard@facebook.com" target="_blank">lshepard@facebook.com</a>>>, "Brian Eaton" <<a href="mailto:beaton@google.com" target="_blank">beaton@google.com</a><br>
<mailto:<a href="mailto:beaton@google.com" target="_blank">beaton@google.com</a>>>,<div class="im"><br>
Topic: The OpenID community still does not have a solid best<br>
practice for how RPs can determine a user's IDP without the<br>
usability problems of lots of buttons or a raw URL entry box. Another possible option is for the RP to try to invisibly detect<br>
whether the user is logged into an IDP, and then promote that IDP<br>
option to the user. Luke will discuss his ideas on how an RP<br>
might do this with an IDP today. Brian will discuss how we might<br>
build upon that model to let the RP check the login state at a<br>
few shared-domains that could return a list of IDPs where the<br>
user is logged in. For example, Google hosts many<br>
enterprise/school's E-mail, and could potentially provide a way<br>
for an RP to get a list of which such domain(s) a user is<br>
currently logged into.<br>
<br>
Title: Bronze/Silver certifications for OpenID IDPs<br></div>
Leader: "John Bradley" <<a href="mailto:jbradley@mac.com" target="_blank">jbradley@mac.com</a> <mailto:<a href="mailto:jbradley@mac.com" target="_blank">jbradley@mac.com</a>>><div class="im"><br>
Topic: Some identity communities such as InCommon have defined<br>
some optional mechanisms for IDPs to show they meet specific<br>
requirements, especially around security. For example, InCommon<br>
has their Bronze/Silver certification as described at<br>
<a href="http://www.incommonfederation.org/assurance" target="_blank">http://www.incommonfederation.org/assurance</a>. How might we<br>
package some of the OpenID communitie's best practices into some<br>
levels like this, and if we did so, what form might certification<br>
take against those levels?<br>
<br>
<br>
<br>
------------------------------------------------------------------------<br>
_______________________________________________<br>
general mailing list<br></div>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a> <mailto:<a href="mailto:general@openid.net" target="_blank">general@openid.net</a>><div class="im"><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br>
</div></blockquote>
<br>
<br>
------------------------------------------------------------------------<div class="im"><br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br>
</div></blockquote>
</blockquote></div><br>