FYI <a href="http://freexri.com">freexri.com</a> (and <a href="http://fullxri.com">fullxri.com</a>) have partial support for this directed identity (because I tried making HXRIs work with the Facebook OpenID support).<br><br>
If you make a request with <a href="http://specs.openid.net/auth/2.0/identifier_select">http://specs.openid.net/auth/2.0/identifier_select</a>, the OP will ask you to enter your i-name and PW instead of just your PW.<br><br>
However, the OP doesn't create a pairwise unique CanonicalID for the RP in the manner you describe. Instead it simply returns your real i-number.<br><br>Markus<br><br><div class="gmail_quote">On Thu, Sep 10, 2009 at 3:11 AM, John Bradley <span dir="ltr">&lt;<a href="mailto:john.bradley@wingaa.com">john.bradley@wingaa.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I don't know if anyone is going to do this, but this is how it would work for the sake of discussion.<br>
<br>
It would be a directed identity flow with XRI discovery.<br>
<br>
The button at the RP would trigger discovery for something like @freexri.<br>
<br>
The resulting XRD would have the OP Identifier Element &lt;Type&gt; <a href="http://specs.openid.net/auth/2.0/server" target="_blank">http://specs.openid.net/auth/2.0/server</a><br>
<br>
The RP would then initiate the request with <a href="http://specs.openid.net/auth/2.0/identifier_select" target="_blank">http://specs.openid.net/auth/2.0/identifier_select</a> as the claimed_id and identity.<br>
<br>
The OP after authentication would create a pairwise XRI canonicalID to return as the claimed_id.<br>
<br>
The RP performs XRI discovery on the claimedID as it normally would and retrieves the XRDS via XRI resolution of the claimed_id.<br>
<br>
The OP is going to have to programmatically generate the XRDS for the iNumber in question.<br>
<br>
The OP needs to use a two or more subsegment iNumber so that it is authoritative for the last subsegment.<br>
<br>
I don't know of any OP doing this now, and if they did, I don't know if any of the RP code is going to correctly resolve an XRI returned as a claimed_id.<br>
<br>
I expect Andrew to chime in that he has it done or it is in the next version.<br>
<br>
The community iNumber would not be portable between OPs as a top level iNumber is.<br>
<br>
There are other reasons you may want to do it with XRI, but I don't see a big advantage to it in this scenario.<br>
<br>
John B.<div><div></div><div class="h5"><br>
<br>
<br>
On 2009-09-09, at 2:28 PM, Peter Williams wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Can you describe a legal flow with an XRI, in the .gov profile for LOA1?<br>
<br>
In the beginning there was the button, in a nascar array of federally-trusted providers, on <a href="http://plebs.gov" target="_blank">plebs.gov</a>.<br>
<br>
Let's start there.<br>
<br>
<br>
-----Original Message-----<br>
From: John Bradley [mailto:<a href="mailto:john.bradley@wingaa.com" target="_blank">john.bradley@wingaa.com</a>]<br>
Sent: Wednesday, September 09, 2009 9:31 AM<br>
To: Peter Williams<br>
Cc: <a href="mailto:openid-general@lists.openid.net" target="_blank">openid-general@lists.openid.net</a><br>
Subject: Re: [OpenID] Fwd: [dotnetopenid] DotNetOpenAuth announces support of the Government profile of OpenID<br>
<br>
We will see what happens as we move forward.<br>
<br>
SP-800-63 is not friendly to the idea of self assertion.<br>
<br>
I had to leave p-cards out of the initial info-card profile as well<br>
for some of the same issues.<br>
<br>
I am hoping to address correlatable and other sorts of self asserted<br>
identities where there is no IdP to certify in upcoming revisions to<br>
the profiles.<br>
<br>
This is what we could get agreement on as a first step.<br>
<br>
There are a number of UX issues that will need to be addressed as the<br>
number of certified IdP grows.<br>
<br>
John B.<br>
On 2009-09-09, at 12:14 PM, Peter Williams wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
<br>
<br>
Don't worry about the uci evil label. I was never under any<br>
illusions that it was not viable. You guys marketed with it fine,<br>
and I got to use it to overcome the over stodgy practices of the saml<br>
world. As always, things meet somewhere in the middle.<br>
<br>
I'm also glad to see live is not in the<br>
<br>
On Sep 9, 2009, at 9:08 AM, "John Bradley" &lt;<a href="mailto:john.bradley@wingaa.com" target="_blank">john.bradley@wingaa.com</a>&gt; wrote:<br>
<br>
It was early I forgot to copy the general list.<br>
<br>
John B.<br>
<br>
Begin forwarded message:<br>
<br>
From: John Bradley &lt;<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>&gt;<br>
Date: September 9, 2009 10:03:44 AM GMT-04:00<br>
To: <a href="mailto:dotnetopenid@googlegroups.com" target="_blank">dotnetopenid@googlegroups.com</a><br>
Subject: Re: [dotnetopenid] DotNetOpenAuth announces support of the<br>
Government profile of OpenID<br>
<br>
I want to thank Andrew Arnott, Johnny Bufu and many others for their<br>
feedback during the process of developing the GSA profile for openID.<br>
<br>
Today we have Six OP announcing support for the profile and the GSA<br>
Pilot: AOL, Google, Yahoo, and Verisign, and Wave.<br>
&lt;<a href="http://openid.net/2009/09/09/yahoo-paypal-google-equifax-aol-verisign-acxiom-citi-privo-wave-systems-pilot-open-identity-for-open-government/" target="_blank">http://openid.net/2009/09/09/yahoo-paypal-google-equifax-aol-verisign-acxiom-citi-privo-wave-systems-pilot-open-identity-for-open-government/</a>&gt;<br>
<br>
Andrew has helped build the test RP that is available at &lt;<a href="http://test-id.org/" target="_blank">http://test-id.org/</a>&gt; that we have been using for the last several months to help the IdP conform to the profile.<br>
<br>
&lt;<a href="http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf" target="_blank">http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf</a>&gt;<br>
<br>
If other IdP are interested in participating they can contact the<br>
OIDF or myself for more information.<br>
<br>
Getting 5 OPs ready to go into this pilot has been a major challenge.<br>
<br>
I would like to thank all of the 5 OPs for their commitment to<br>
openID and to making this happen.<br>
<br>
This is a big day on the openID and federated identity adoption curve.<br>
<br>
Thanks<br>
John Bradley<br>
<br>
PS No, delegation is not supported by the profile. No, you cannot<br>
enter a vanity URL or any other identifier, for privacy and non<br>
correlation reasons. Yes, XRI is allowed, but even I can't see why<br>
you would bother given the profile. Yes, I am an evil and loathsome<br>
person for violating the principles of UCI (Sorry about that)<br>
<br>
<br>
On 2009-09-09, at 9:34 AM, Andrew Arnott wrote:<br>
<br>
DotNetOpenAuth community:<br>
<br>
The government has just announced &lt;<a href="http://www.idmanagement.gov/drilldown.cfm?action=openID_openGOV" target="_blank">http://www.idmanagement.gov/drilldown.cfm?action=openID_openGOV</a>&gt; that they are piloting accepting OpenID on several of their web sites, and the major OpenID Providers (Google, Yahoo, AOL, PayPal, Verisign) will be supporting Providers &lt;<a href="http://openid.net/u-s-government-openid-pilot-program-participants/" target="_blank">http://openid.net/u-s-government-openid-pilot-program-participants/</a>&gt; of this new Government profile for OpenID.<br>
<br>
What is this "government profile" &lt;<a href="http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf" target="_blank">http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf</a>&gt;? Basically it's a set of rules that an OP and RP must follow.<br>
These rules are more restrictive than, but nonetheless compliant<br>
with, the OpenID 2.0 spec. For example, HTTPS must be used<br>
throughout the process, and shared associations must only last up to<br>
a given maximum length of time.<br>
<br>
I'm very pleased to announce that DotNetOpenAuth has support for<br>
this government profile, and in fact is the underlying library used<br>
by the NIH for its OpenID RP support. Watch for a new release of<br>
DNOA (3.2.1) in the next day or two that actually includes the<br>
government profile in it. (We could release it earlier than today's<br>
announcement).<br>
<br>
More in the news &lt;<a href="http://www.techcrunch.com/2009/09/09/us-government-to-embrace-openid-courtesy-of-google-yahoo-paypal-et-al/" target="_blank">http://www.techcrunch.com/2009/09/09/us-government-to-embrace-openid-courtesy-of-google-yahoo-paypal-et-al/</a>&gt;<br>
<br>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the<br>
death your right to say it." - S. G. Tallentyre<br>
<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@lists.openid.net" target="_blank">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
</blockquote>
<br>
</blockquote>
<br>
</div></div></blockquote></div><br>
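The pairwise directed-identity flow John sketches above, together with the gap Markus points out (the OP handing back the real i-number instead of a per-RP CanonicalID), as an added Python example that is not code from the thread or from freexri.com/fullxri.com; the community i-number @!1234.5678, the OP secret, the OP endpoint and the RP realms are constructed for illustration.<br>

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed values, not from the thread: a community i-number the OP controls
# (so it is authoritative for any further subsegment), its secret and endpoint.
OP_COMMUNITY = "@!1234.5678"
OP_SECRET = b"constructed-op-secret"
OP_ENDPOINT = "https://op.example/openid"


def normalize_realm(realm: str) -> str:
    # The pairwise id is keyed by the RP realm, so the same RP must always map
    # to the same string; fold case and drop a trailing slash.
    return realm.strip().lower().rstrip("/")


def pairwise_canonical_id(user_inumber: str, rp_realm: str) -> str:
    # HMAC(secret, user || realm) is stable per (user, RP), opaque to the RP,
    # and differs across RPs, so two RPs cannot correlate the same user.
    # The tag becomes the last subsegment of a community i-number, which only
    # the OP can map back to the real i-number.
    msg = f"{user_inumber}\x00{normalize_realm(rp_realm)}".encode()
    tag = hmac.new(OP_SECRET, msg, hashlib.sha256).hexdigest()[:16].upper()
    return OP_COMMUNITY + "!" + ".".join(tag[i:i + 4] for i in range(0, 16, 4))


def xrds_for(canonical_id: str) -> str:
    # The OP must generate the XRDS for an i-number it minted on the fly; the RP
    # fetches it by XRI resolution of the claimed_id after the OP response.
    return (
        '<XRDS xmlns="xri://$xrds"><XRD xmlns="xri://$xrd*($v*2.0)">'
        f"<CanonicalID>{canonical_id}</CanonicalID>"
        "<Service><Type>http://specs.openid.net/auth/2.0/signon</Type>"
        f"<URI>{OP_ENDPOINT}</URI></Service></XRD></XRDS>"
    )


def rp_accepts(claimed_id: str, xrds_doc: str) -> bool:
    # RP-side discovery check: the returned claimed_id must sit inside the
    # community this OP is authoritative for and match the CanonicalID in the
    # resolved XRDS; otherwise an OP could assert an XRI it does not control.
    ns = {"d": "xri://$xrd*($v*2.0)"}
    cid = ET.fromstring(xrds_doc).findtext("d:XRD/d:CanonicalID", namespaces=ns)
    return claimed_id.startswith(OP_COMMUNITY + "!") and cid == claimed_id
```

The same user resolves to different i-numbers at different RPs but to the same one on every visit to a given RP, which is the non-correlation property the real-i-number behaviour Markus observed does not give.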