unsubscribe<br><br><div class="gmail_quote">On Mon, Aug 10, 2009 at 12:07 PM, <span dir="ltr"><<a href="mailto:openid-general-request@lists.openid.net">openid-general-request@lists.openid.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Send general mailing list submissions to<br>
<a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:openid-general-request@lists.openid.net">openid-general-request@lists.openid.net</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:openid-general-owner@lists.openid.net">openid-general-owner@lists.openid.net</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of general digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: Outsourcing headers - XRD(S), CSS? (Allen Tom)<br>
2. Re: Outsourcing headers - XRD(S), CSS? (Breno de Medeiros)<br>
3. Re: Outsourcing headers - XRD(S), CSS? (Allen Tom)<br>
4. Re: Outsourcing headers - XRD(S), CSS? (Breno de Medeiros)<br>
5. Re: Proxying (with OpenSocial) through<br>
<a href="http://experimental.openid.net" target="_blank">experimental.openid.net</a> to promote OpenID (David Recordon)<br>
6. Re: Proxying (with OpenSocial) through<br>
<a href="http://experimental.openid.net" target="_blank">experimental.openid.net</a> to promote OpenID (Allen Tom)<br>
7. Re: Proxying (with OpenSocial) through<br>
<a href="http://experimental.openid.net" target="_blank">experimental.openid.net</a> to promote OpenID (SitG Admin)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Mon, 10 Aug 2009 10:12:09 -0700<br>
From: Allen Tom <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>><br>
Subject: Re: [OpenID] Outsourcing headers - XRD(S), CSS?<br>
To: SitG Admin <<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>><br>
Cc: <a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a><br>
Message-ID: <<a href="mailto:4A8054E9.4070408@yahoo-inc.com">4A8054E9.4070408@yahoo-inc.com</a>><br>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"<br>
<br>
Shade - are you asking about HTML based discovery?<br>
<br>
HTML based discovery definitely is great for usability, since the only<br>
requirement is that the user is able to edit the html on the OpenID<br>
page, rather than having to configure their webserver to return the<br>
special X-XRDS-Location HTTP header. In a webhosting environment, the<br>
user might not have the ability or even the knowledge to configure their<br>
webserver.<br>
<br>
Unfortunately, from a security perspective, HTML based discovery has a<br>
lot of problems. If the content of the page is dynamically generated<br>
from untrusted inputs (for instance, the OpenID URL is a profile page<br>
with a Guestbook), an attacker might be able to insert OpenID discovery<br>
information into the page. Another problem is that the entire page needs<br>
to be downloaded in order to parse it, which is problematic since many<br>
pages are very heavyweight.<br>
<br>
Allen<br>
<br>
Nat Sakimura wrote:<br>
> That's actually host meta, I suppose.<br>
><br>
> =nat<br>
><br>
> On Mon, Aug 10, 2009 at 7:54 AM, SitG Admin<br>
> <<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>> wrote:<br>
><br>
> Not all sites allow users to fully customize their headers on the<br>
> Profile page, but some do allow the user to specify other external<br>
> files (such as CSS), containing expected data. This would be an<br>
> awkward compatibility hack (and I'm not sure how many sites it<br>
> would even help with), but what do you all think of an extension<br>
> to the Discovery process allowing RP's to check other external<br>
> files for comments containing OpenID declarations?<br>
><br>
> -Shade<br>
> --<br>
> Nat Sakimura (=nat)<br>
> <a href="http://www.sakimura.org/en/" target="_blank">http://www.sakimura.org/en/</a><br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Mon, 10 Aug 2009 10:19:34 -0700<br>
From: Breno de Medeiros <<a href="mailto:breno@google.com">breno@google.com</a>><br>
Subject: Re: [OpenID] Outsourcing headers - XRD(S), CSS?<br>
To: Allen Tom <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>><br>
Cc: <a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a><br>
Message-ID:<br>
<<a href="mailto:29fb00360908101019x7af91183oae23166406bdf44d@mail.gmail.com">29fb00360908101019x7af91183oae23166406bdf44d@mail.gmail.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
This is not only a latency issue: Parsing HTML correctly is quite<br>
hard, because HTML code is often non-standard compliant. HTML<br>
discovery potentially hurts interoperability, since HTML clients are<br>
generally not interchangeable.<br>
<br>
On Mon, Aug 10, 2009 at 10:12 AM, Allen Tom<<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>> wrote:<br>
> Another problem is that the entire page needs to be downloaded in order to<br>
> parse it, which is problematic since many pages are very heavyweight.<br>
<br>
<br>
<br>
--<br>
--Breno<br>
<br>
+1 (650) 214-1007 desk<br>
+1 (408) 212-0135 (Grand Central)<br>
MTV-41-3 : 383-A<br>
PST (GMT-8) / PDT(GMT-7)<br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Mon, 10 Aug 2009 10:24:54 -0700<br>
From: Allen Tom <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>><br>
Subject: Re: [OpenID] Outsourcing headers - XRD(S), CSS?<br>
To: Breno de Medeiros <<a href="mailto:breno@google.com">breno@google.com</a>>,<br>
<a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a><br>
Message-ID: <<a href="mailto:4A8057E6.2070303@yahoo-inc.com">4A8057E6.2070303@yahoo-inc.com</a>><br>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"<br>
<br>
I think most implementations just use regexes to extract the discovery<br>
information, since parsing html is hard, especially when it's not valid.<br>
<br>
Allen<br>
<br>
<br>
Breno de Medeiros wrote:<br>
> This is not only a latency issue: Parsing HTML correctly is quite<br>
> hard, because HTML code is often non-standard compliant. HTML<br>
> discovery potentially hurts interoperability, since HTML clients are<br>
> generally not interchangeable.<br>
><br>
> On Mon, Aug 10, 2009 at 10:12 AM, Allen Tom<<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>> wrote:<br>
><br>
>> Another problem is that the entire page needs to be downloaded in order to<br>
>> parse it, which is problematic since many pages are very heavyweight.<br>
>><br>
><br>
><br>
><br>
><br>
<br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Mon, 10 Aug 2009 10:27:16 -0700<br>
From: Breno de Medeiros <<a href="mailto:breno@google.com">breno@google.com</a>><br>
Subject: Re: [OpenID] Outsourcing headers - XRD(S), CSS?<br>
To: Allen Tom <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>><br>
Cc: <a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a><br>
Message-ID:<br>
<<a href="mailto:29fb00360908101027r59fdbb39n112bdcd92c8086bd@mail.gmail.com">29fb00360908101027r59fdbb39n112bdcd92c8086bd@mail.gmail.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
:)<br>
<br>
On Mon, Aug 10, 2009 at 10:24 AM, Allen Tom<<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>> wrote:<br>
> I think most implementations just use regexes to extract the discovery<br>
> information, since parsing html is hard, especially when it's not valid.<br>
><br>
<br>
<br>
<br>
--<br>
--Breno<br>
<br>
+1 (650) 214-1007 desk<br>
+1 (408) 212-0135 (Grand Central)<br>
MTV-41-3 : 383-A<br>
PST (GMT-8) / PDT(GMT-7)<br>
<br>
<br>
------------------------------<br>
<br>
Message: 5<br>
Date: Mon, 10 Aug 2009 10:31:11 -0700<br>
From: David Recordon <<a href="mailto:david@sixapart.com">david@sixapart.com</a>><br>
Subject: Re: [OpenID] Proxying (with OpenSocial) through<br>
<a href="http://experimental.openid.net" target="_blank">experimental.openid.net</a> to promote OpenID<br>
To: SitG Admin <<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>><br>
Cc: <a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a><br>
Message-ID: <<a href="mailto:8DE72B74-1CDD-40C8-92CD-808131DC72D8@sixapart.com">8DE72B74-1CDD-40C8-92CD-808131DC72D8@sixapart.com</a>><br>
Content-Type: text/plain; charset=WINDOWS-1252; format=flowed;<br>
delsp=yes<br>
<br>
While this idea isn't brand new - Simon Willison ran <a href="http://idproxy.net" target="_blank">idproxy.net</a> for a<br>
few years that turned Yahoo! accounts into OpenIDs - I don't think it<br>
is a viable long term solution. Rather, usage of this sort of<br>
proxying shows a userbase's desire to have their accounts OpenID<br>
enabled to log in elsewhere.<br>
<br>
I would never want to see the OpenID Foundation run an OpenID Provider/<br>
Proxy for wide usage. We should instead be creating a healthy<br>
ecosystem with plenty of providers and consumers.<br>
<br>
--David<br>
<br>
On Aug 9, 2009, at 9:55 PM, SitG Admin wrote:<br>
<br>
>> What don't you like?<br>
><br>
> The centralization. It would make the OIDF's servers an appealing<br>
> target to those looking for Identity correlation.<br>
><br>
> I've thought about it some more, though. It seems to me that the<br>
> opening here is only for OpenSocial sites where OpenID is impossible<br>
> (even by delegation), and the OIDF wouldn't be seeing the user's<br>
> activity from actual OP's, so attackers could only correlate<br>
> Identities from experimental sites the user was playing with (unless<br>
> they had logins with their own services, but that doesn't add much<br>
> to the OIDF's potential database). Furthermore,<br>
> <a href="http://experimental.openid.net" target="_blank">experimental.openid.net</a> really ought to be using SSL, so a savvy<br>
> user could easily bounce their (encrypted) connection around a proxy<br>
> or few before connecting, confusing even further the server's idea<br>
> of who a user was (and, its ability to associate them with any other<br>
> login). Relying on the average user to figure out proxies, though,<br>
> seems a bit much. Challenging them to follow a tutorial would chill<br>
> adoption, so perhaps just a warning (and maybe link to some stories<br>
> explaining what might happen).<br>
><br>
> -Shade<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 6<br>
Date: Mon, 10 Aug 2009 10:39:09 -0700<br>
From: Allen Tom <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>><br>
Subject: Re: [OpenID] Proxying (with OpenSocial) through<br>
<a href="http://experimental.openid.net" target="_blank">experimental.openid.net</a> to promote OpenID<br>
To: SitG Admin <<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>>,<br>
<a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a><br>
Message-ID: <<a href="mailto:4A805B3D.2020605@yahoo-inc.com">4A805B3D.2020605@yahoo-inc.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>
<br>
Although we haven't quite released this yet, the Yahoo OP will soon be<br>
supporting OpenSocial's REST APIs, using the OpenID/OAuth Hybrid<br>
Extension for authorization.<br>
<br>
<a href="http://www.opensocial.org/Technical-Resources/opensocial-spec-v081/restful-protocol.html" target="_blank">http://www.opensocial.org/Technical-Resources/opensocial-spec-v081/restful-protocol.html</a><br>
<br>
Allen<br>
<br>
<br>
SitG Admin wrote:<br>
> Disclaimer: though I like this idea - it would be *neat* if users of a<br>
> site that didn't even allow HTML headers to be inserted/set (but did<br>
> support OpenSocial),<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 7<br>
Date: Mon, 10 Aug 2009 12:06:51 -0700<br>
From: SitG Admin <<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>><br>
Subject: Re: [OpenID] Proxying (with OpenSocial) through<br>
<a href="http://experimental.openid.net" target="_blank">experimental.openid.net</a> to promote OpenID<br>
To: David Recordon <<a href="mailto:david@sixapart.com">david@sixapart.com</a>><br>
Cc: <a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a><br>
Message-ID: <f06110402c6a61d94990c@[192.168.0.2]><br>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"<br>
<br>
>Rather, usage of this sort of proxying shows a userbase's desire to<br>
>have their accounts OpenID enabled to log in elsewhere.<br>
><br>
>I would never want to see the OpenID Foundation run an OpenID<br>
>Provider/Proxy for wide usage. We should instead be creating a<br>
>healthy ecosystem with plenty of providers and consumers.<br>
<br>
Agreed. I was trying to come up with a way for users to subvert their<br>
social networking site's decision to ignore OpenID, then leverage<br>
their existing placement in the site's network to start a movement of<br>
long-time users bugging the admins for OpenID support. I don't think<br>
the first is really possible, though I am having some more thoughts<br>
on the second. It wouldn't have been very useful without attractive<br>
features on the RP's side, which we don't have much of yet - when<br>
there are a lot of things that can be done with OpenID (not just<br>
create an account elsewhere and use it to log in there, prefilling<br>
profile data, but intercommunication), it'll be easier for users to<br>
get excited.<br>
<br>
-Shade<br>
<br>
<br>
------------------------------<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
<br>
<br>
End of general Digest, Vol 36, Issue 4<br>
**************************************<br>
</blockquote></div><br><br clear="all"><br>-- <br>Abraham Lincoln -<br>"Every man is said to have his peculiar ambition. Whether it be true or not, I can say for one that I have no other so great as that of being truly esteemed of my fellow men, by rendering myself worthy of their esteem. How far I shall succeed in gratifying this ambition, is yet to be developed."<br>
<br>M.614.264.0286 <br><br>