<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Interesting,<div><br></div><div>However, I suspect that there are more people on this list who think an openID RP should be able to be deployed in a virtual hosting environment without SSL or any access to that layer.</div><div><br></div><div>With the current state of openID SSL integration I have been having a challenge trying to get OPs not to negotiate the null cipher for associations.</div><div><br></div><div>Anything could be done; however, would it still be openID?</div><div><br></div><div>John B.<br><div><div>On 31-Aug-09, at 2:44 PM, Peter Williams wrote:</div><br><blockquote type="cite">
<div><b>From:</b> John Bradley [<a href="mailto:john.bradley@wingaa.com">mailto:john.bradley@wingaa.com</a>]<br><b>Sent:</b> Sunday, August 30, 2009 2:06 PM<br><b>To:</b> Peter Williams<br><b>Cc:</b> Story Henry; <a href="mailto:John@osuosl.org">John@osuosl.org</a>; <a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a><br><b>Subject:</b> Re: [OpenID] Windows Live ID OpenID CTP Status Update (August 2009)</div>
<div><br></div>
<blockquote type="cite">
<div>One thing we do lack is a consensus on what openID is other than a redirect-based protocol with a symmetric shared secret between the OP and RP per the openID 2.0 spec.</div>
<div><br></div>
<div>So a good first question to tackle is whether asymmetric cryptography (RSA/ECDSA) should be a part of the core spec.</div>
<div><br></div>
<div>If the answer continues to be no then it takes a bunch of options off the table.</div>
<div><br></div>
<div>I think the answer for extensions like CX and secure discovery may well be different than for the core spec.</div>
<div><br></div>
<div>I am interested in what people think openID is or should be going forward.</div>
</blockquote>
<div><br></div>
<div>That which folks could not do to enhance SSL itself for websso (because of the way IETF works, and who runs/influences the contributors/editors of that forum), I see openid as having done through market forces. Openid is to me an enhanced session manager for ssl sessionids, with the added value of discovery and authorization controls – that allow multiple “SSL connections” to be proxied UNDER policy control (rather than ad-hoc http proxy/connects that just fashioned a MITM space).</div>
<div><br></div>
<div>Now, the deployed SSL would need to be unhooked from the https-level de-facto policy of tying trust to the DNS – which is currently partially governing end-end connection policies (under ideas from 15 years ago (that have not moved forward one iota)).</div>
<div><br></div>
<div>So, just as facebook have treated openid as a hidden protocol under a UX flow (using only a slice of the protocol furthermore to do machine-machine signalling), so one can continue the trend, working towards openid supporting machine-machine authentication for web services, etc. This obviously leaves behind the restriction of openid as being ONLY a foreground protocol, addressing UCI, privacy, control and all the other in-your-face issues.</div>
<div><br></div>
<div>So, the more the SSL handshake/event-handlers and openid state machines merge, the better. Then, a market will emerge for hardware that can do NAT/load-balancer offloading of https/openid today, just as the same switches now do multi-gigabit/s ssl offloading and proxying.</div>
<div><br></div>
<div>If the same trends were also to be incorporating the yet more powerful foaf+ssl ideas (which are admittedly 3-4 behind the adoption curve of openid2), those switches would be able to be set to do what many used to think of secure XML routers as doing (the so-called AOS devices, from the likes of HP and Intel). But rather than do it with messages, one would be doing it with sessions – which we know has proven itself a scalable winner for fast hardware. But those sessions would now have inferencing-based routing – which takes us above and beyond the dynamic routing regimes of the internet backbones and into true virtual routing.</div>
<div><br></div>
<div>If one goes with this trend analysis, yes public key is part of openid, but through an ever tighter association with the SSL handshake and event handlers, not because openid does an alternative (relatively crappy) job of repeating what SSL does so well.</div>
<div><br></div>
<div>There were attempts to add certain NR-features to openid, that unfortunately got caught up in patent issues. But, many folks see a need for SSL to ALSO allow the servers behind the load-balancer offloaders to retain a measure of crypto-level relationship to the client. Here, again, I suspect openid could be adding that something back to SSL (and be doing something useful without getting into the patented areas).</div>
<div><br></div>
<div>If one accepts any of the above, then yes CX and secure discovery are simply using this “new https” as a bearer, and openid “extensions” are to such an ssl+openid-bearer what https apps are to the SSL record layer today – consumers of generic session-oriented security services. But, the https layer has moved on a generation.</div>
</blockquote></div><br></div></body></html>
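The association negotiation John Bradley complains about above (OPs agreeing to the null cipher) is governed by a rule in OpenID Authentication 2.0: the "no-encryption" session type may only be used over TLS, and an OP that will not honour a request answers with error_code "unsupported-type". The following is an added example written for this page, not code from the thread or from any OpenID library; it shows the RP-side and OP-side policy checks for that rule, with the endpoint URLs and the sample OP reply constructed for illustration.

```python
"""OpenID 2.0 association session-type policy checks (added example; not code from the thread).
An RP opens an association by POSTing openid.mode=associate with an openid.session_type:
'no-encryption' sends the MAC key in the clear and the 2.0 spec permits it only over TLS,
while 'DH-SHA1'/'DH-SHA256' wrap it with Diffie-Hellman. An OP that will not honour the
request answers error_code 'unsupported-type' and may name types it accepts. The DH key
agreement itself is out of scope here; the reply text and URLs below are constructed samples.
"""
import base64
import secrets
from urllib.parse import urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
SESSION_TYPES = ("no-encryption", "DH-SHA1", "DH-SHA256")
# Constructed sample: an OP answering a DH-SHA256 request with a plaintext key, i.e. a downgrade.
DOWNGRADE_REPLY = ("ns:http://specs.openid.net/auth/2.0\nassoc_handle:h1\nsession_type:no-encryption\n"
                   "assoc_type:HMAC-SHA256\nexpires_in:3600\nmac_key:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n")

def parse_kv(body: str) -> dict:
    """Parse OpenID key-value form encoding: one 'key:value' per line, split at the first colon."""
    return {k: v for k, _, v in (ln.partition(":") for ln in body.split("\n") if ln)}

def rp_session_type(op_endpoint: str, wanted: str) -> str:
    """RP side: never request no-encryption unless the OP endpoint is https; fall back to DH-SHA256."""
    if wanted == "no-encryption" and urlsplit(op_endpoint).scheme != "https":
        return "DH-SHA256"
    return wanted

def op_associate(params: dict, over_tls: bool) -> dict:
    """OP side: refuse no-encryption on a plaintext channel (and unknown types) with unsupported-type."""
    st = params.get("openid.session_type", "")
    if st not in SESSION_TYPES or (st == "no-encryption" and not over_tls):
        return {"ns": OPENID_NS, "error": "session type not acceptable on this channel",
                "error_code": "unsupported-type", "session_type": "DH-SHA256", "assoc_type": "HMAC-SHA256"}
    resp = {"ns": OPENID_NS, "assoc_handle": secrets.token_hex(16), "expires_in": "3600",
            "session_type": st, "assoc_type": params.get("openid.assoc_type", "HMAC-SHA256")}
    if st == "no-encryption":  # a plaintext mac_key is only emitted after the over_tls check above
        resp["mac_key"] = base64.b64encode(secrets.token_bytes(32)).decode()
    return resp  # for DH types, dh_server_public and enc_mac_key would be added here

def rp_accept(wanted: str, body: str) -> bool:
    """RP side: reject unsupported-type errors and any reply whose session_type is not the one requested."""
    r = parse_kv(body)
    if r.get("ns") != OPENID_NS or "error_code" in r or r.get("session_type") != wanted:
        return False  # an OP swapping DH for no-encryption is a downgrade, not a negotiation
    key = "mac_key" if wanted == "no-encryption" else "enc_mac_key"
    return key in r and "assoc_handle" in r
```

An RP that wires `rp_session_type` into its association request and `rp_accept` into its response handling cannot end up with a cleartext MAC key over plain HTTP even when the OP is willing to hand one out.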