<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I guess that the attempt to twist around the final i-number in
the list of segments is an attempt to have it act as the mandatory PPID: a
value that can account-link to the government cross-agency id (and thus implement
the linking-semantics of SAML2’s federated-name).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>But in SAML2, the user (not the IDP) gets to control the
federated-name (even for the PPID/persistent variant); unlinking it when
appropriate. Furthermore, the user gets to choose which of several IDP
names can be account-linked (using PPIDs) to the common linking record at the RP.
Perversely, the user has more control in the SAML2 model than in the now UCI-less
openid profile.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>This is the wrong thread to say this: but the profile is not
surviving the early shakedown test. I see its goals, tradeoffs and compromises.
They are articulated well enough and with enough personality and passion for
even me to suspend my normal assumption of deception and double dealing at *<b>anything</b>*
USG does in the security/private arena. But, my gut is telling me that this profile
of openid really is sacrificing the soul of the entire movement to win
adoption. But, I'm also convinced from watching 3 years worth of subtexts that this
was always the end goal of the leadership: dethrone SAML, usurp the crown, and
do the same thing essentially with lighter-weight technology sold with UCI-themed
badge on the front -- to placate the plebs.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Markus Sabadello
[mailto:markus.sabadello@gmail.com] <br>
<b>Sent:</b> Thursday, September 10, 2009 12:13 AM<br>
<b>To:</b> John Bradley<br>
<b>Cc:</b> Peter Williams; openid-general@lists.openid.net<br>
<b>Subject:</b> Re: [OpenID] Fwd: [dotnetopenid] DotNetOpenAuth announces
support of the Government profile of OpenID<o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>FYI <a href="http://freexri.com">freexri.com</a>
(and <a href="http://fullxri.com">fullxri.com</a>) have partial support for
this directed identity (because I tried making HXRIs work with the Facebook
OpenID support).<br>
<br>
If you make a request with <a
href="http://specs.openid.net/auth/2.0/identifier_select">http://specs.openid.net/auth/2.0/identifier_select</a>,
the OP will ask you to enter your i-name and PW instead of just your PW.<br>
<br>
However the OP doesn't create a pairwise unique CanonicalID for the RP in the
manner you describe. Instead it simply returns your real i-number.<br>
<br>
Markus<o:p></o:p></p>
<div>
<p class=MsoNormal>On Thu, Sep 10, 2009 at 3:11 AM, John Bradley <<a
href="mailto:john.bradley@wingaa.com">john.bradley@wingaa.com</a>> wrote:<o:p></o:p></p>
<p class=MsoNormal>I don't know if anyone is going to do this, but this is how
it would work for the sake of discussion.<br>
<br>
It would be a directed identity flow with XRI discovery.<br>
<br>
The button at the RP would trigger discovery for something like @freexri.<br>
<br>
The resulting XRD would have the OP Identifier Element <Type> <a
href="http://specs.openid.net/auth/2.0/server" target="_blank">http://specs.openid.net/auth/2.0/server</a><br>
<br>
The RP would then initiate the request with <a
href="http://specs.openid.net/auth/2.0/identifier_select" target="_blank">http://specs.openid.net/auth/2.0/identifier_select</a> as
the claimed_id and identity.<br>
<br>
The OP after authentication would create a pairwise XRI canonicalID to return
as the claimed_id.<br>
<br>
The RP performs XRI discovery on the claimedID as it normally would and
retrieves the XRDS via XRI resolution of the claimed_id.<br>
<br>
The OP is going to have to programmatically generate the XRDS for the iNumber in
question.<br>
<br>
The OP needs to use a two or more subsegment iNumber so that it is
authoritative for the last subsegment.<br>
<br>
I don't know of any OP doing this now and if they did, I don't know if any of
the RP code is going to correctly resolve an XRI returned as a claimed_id.<br>
<br>
I expect Andrew to chime in that he has it done or it is in the next version.<br>
<br>
The community iNumber would not be portable between OPs as a top level iNumber
is.<br>
<br>
There are other reasons you may want to do it with XRI, but I don't see a big
advantage to it in this scenario.<br>
<br>
John B.<o:p></o:p></p>
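<p class=MsoNormal>Added example, not code from any poster in this thread or from any project it names: the directed-identity flow John sketches above (and the correlation problem Markus notes when an OP hands back the real i-number), in Python. The OP i-number, secret, user name, RP realm and endpoint are constructed values.</p>

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID_SIGNON = "http://specs.openid.net/auth/2.0/signon"
ET.register_namespace("xrds", XRDS_NS)
ET.register_namespace("xrd", XRD_NS)

# Constructed community i-number for the OP (not a real one). The OP is
# authoritative for whatever subsegment it appends after the trailing "!".
OP_INUMBER = "@!F83B.8CA0.B9B0.4C42"


def pairwise_subsegment(op_secret: bytes, local_user: str, rp_realm: str) -> str:
    """RP-specific subsegment: stable for one (user, realm) pair, unlinkable
    across realms without the OP's secret. Base32 keeps it plain alphanumeric."""
    mac = hmac.new(op_secret, f"{local_user}\x00{rp_realm}".encode(), hashlib.sha256).digest()
    return base64.b32encode(mac[:15]).decode().lower()  # 15 bytes -> 24 chars, no "=" padding


def pairwise_canonical_id(op_secret: bytes, local_user: str, rp_realm: str) -> str:
    """The claimed_id the OP returns instead of the user's real i-number."""
    return f"{OP_INUMBER}!{pairwise_subsegment(op_secret, local_user, rp_realm)}"


def generate_xrds(canonical_id: str, op_endpoint: str) -> str:
    """XRDS the OP must generate on the fly when the RP resolves the pairwise i-number."""
    if not op_endpoint.startswith("https://"):
        raise ValueError("the government profile requires HTTPS throughout")
    root = ET.Element(f"{{{XRDS_NS}}}XRDS")
    xrd = ET.SubElement(root, f"{{{XRD_NS}}}XRD")
    ET.SubElement(xrd, f"{{{XRD_NS}}}Status", code="100")
    ET.SubElement(xrd, f"{{{XRD_NS}}}CanonicalID").text = canonical_id
    svc = ET.SubElement(xrd, f"{{{XRD_NS}}}Service", priority="0")
    ET.SubElement(svc, f"{{{XRD_NS}}}Type").text = OPENID_SIGNON
    ET.SubElement(svc, f"{{{XRD_NS}}}URI").text = op_endpoint
    return ET.tostring(root, encoding="unicode")


def verify_claimed_id(claimed_id: str, xrds_xml: str) -> bool:
    """RP side: the discovered CanonicalID must equal the claimed_id exactly and
    the XRD must advertise an OpenID 2.0 signon service; otherwise reject."""
    root = ET.fromstring(xrds_xml)
    cids = [e.text for e in root.iter(f"{{{XRD_NS}}}CanonicalID")]
    types = [e.text for e in root.iter(f"{{{XRD_NS}}}Type")]
    return cids == [claimed_id] and OPENID_SIGNON in types
```

Two RPs with different realms receive different canonical IDs for the same user, which is what Markus found freexri.com does not do; the RP-side check rejects an XRDS whose CanonicalID does not match the claimed_id it was given.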
<div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
<br>
<br>
On 2009-09-09, at 2:28 PM, Peter Williams wrote:<o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>Can you describe a legal flow
with an XRI, in the .gov profile for LOA1?<br>
<br>
In the beginning there was the button, in a nascar array of federally-trusted
providers, on <a href="http://plebs.gov" target="_blank">plebs.gov</a>.<br>
<br>
Let's start there.<br>
<br>
<br>
-----Original Message-----<br>
From: John Bradley [mailto:<a href="mailto:john.bradley@wingaa.com"
target="_blank">john.bradley@wingaa.com</a>]<br>
Sent: Wednesday, September 09, 2009 9:31 AM<br>
To: Peter Williams<br>
Cc: <a href="mailto:openid-general@lists.openid.net" target="_blank">openid-general@lists.openid.net</a><br>
Subject: Re: [OpenID] Fwd: [dotnetopenid] DotNetOpenAuth announces support of
the Government profile of OpenID<br>
<br>
We will see what happens as we move forward.<br>
<br>
SP-800-63 is not friendly to the idea of self assertion.<br>
<br>
I had to leave p-cards out of the initial info-card profile as well<br>
for some of the same issues.<br>
<br>
I am hoping to address correlatable and other sorts of self asserted<br>
identities where there is no IdP to certify in upcoming revisions to<br>
the profiles.<br>
<br>
This is what we could get agreement on as a first step.<br>
<br>
There are a number of UX issues that will need to be addressed as the<br>
number of certified IdPs grows.<br>
<br>
John B.<br>
On 2009-09-09, at 12:14 PM, Peter Williams wrote:<o:p></o:p></p>
<p class=MsoNormal><br>
<br>
<br>
Don't worry about the uci evil label. I was never under any<br>
illusions that it was not viable. You guys marketed with it fine,<br>
and I got to use it to overcome the over-stodgy practices of the saml<br>
world. As always, things meet somewhere in the middle.<br>
<br>
I'm also glad to see live is not in the<br>
<br>
On Sep 9, 2009, at 9:08 AM, "John Bradley" <<a
href="mailto:john.bradley@wingaa.com" target="_blank">john.bradley@wingaa.com</a>> wrote:<o:p></o:p></p>
<p class=MsoNormal><br>
It was early; I forgot to copy the general list.<br>
<br>
John B.<br>
<br>
Begin forwarded message:<br>
<br>
From: John Bradley <<a href="mailto:ve7jtb@ve7jtb.com"
target="_blank">ve7jtb@ve7jtb.com</a>><o:p></o:p></p>
<p class=MsoNormal>Date: September 9, 2009 10:03:44 AM GMT-04:00<br>
To: <<a href="mailto:dotnetopenid@googlegroups.com" target="_blank">dotnetopenid@googlegroups.com</a>><br>
Subject: Re: [dotnetopenid] DotNetOpenAuth announces support of the<br>
Government profile of OpenID<br>
<br>
I want to thank Andrew Arnott, Johnny Bufu and many others for their<br>
feedback during the process of developing the GSA profile for openID.<br>
<br>
Today we have six OPs announcing support for the profile and the GSA<br>
Pilot: AOL, Google, Yahoo, and Verisign, and Wave.<br>
<<a
href="http://openid.net/2009/09/09/yahoo-paypal-google-equifax-aol-verisign-acxiom-citi-privo-wave-systems-pilot-open-identity-for-open-government/"
target="_blank">http://openid.net/2009/09/09/yahoo-paypal-google-equifax-aol-verisign-acxiom-citi-privo-wave-systems-pilot-open-identity-for-open-government/</a>><o:p></o:p></p>
<p class=MsoNormal>Andrew has helped build the test RP that is available at
<<a href="http://test-id.org/" target="_blank">http://test-id.org/</a>> that we
have been using for the last several months to help the IdP conform to the profile.<br>
<br>
<<a href="http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf"
target="_blank">http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf</a>><br>
<br>
If other IdPs are interested in participating they can contact the<br>
OIDF or myself for more information.<br>
<br>
Getting 5 OPs ready to go into this pilot has been a major challenge.<br>
<br>
I would like to thank all of the 5 OPs for their commitment to<br>
openID and to making this happen.<br>
<br>
This is a big day on the openID and federated identity adoption curve.<br>
<br>
Thanks<br>
John Bradley<br>
<br>
PS: No, delegation is not supported by the profile. No, you cannot<br>
enter a vanity URL or any other identifier, for privacy and<br>
non-correlation reasons. Yes, XRI is allowed, but even I can't see why<br>
you would bother given the profile. Yes, I am an evil and loathsome<br>
person for violating the principles of UCI (Sorry about that)<br>
<br>
<br>
On 2009-09-09, at 9:34 AM, Andrew Arnott wrote:<br>
<br>
DotNetOpenAuth community:<br>
<br>
The government has just announced <<a
href="http://www.idmanagement.gov/drilldown.cfm?action=openID_openGOV"
target="_blank">http://www.idmanagement.gov/drilldown.cfm?action=openID_openGOV</a>>
that they are piloting accepting OpenID on several of their web sites, and the
major OpenID Providers (Google, Yahoo, AOL, PayPal, Verisign) will be supporting
Providers <<a href="http://openid.net/u-s-government-openid-pilot-program-participants/"
target="_blank">http://openid.net/u-s-government-openid-pilot-program-participants/</a>>
of this new Government profile for OpenID.<o:p></o:p></p>
<p class=MsoNormal><br>
What is this "government profile" <<a
href="http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf"
target="_blank">http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf</a>>?
Basically it's a set of rules that an OP and RP must follow.<o:p></o:p></p>
<p class=MsoNormal>These rules are more restrictive than, but nonetheless
compliant<br>
with, the OpenID 2.0 spec. For example, HTTPS must be used<br>
throughout the process, and shared associations must only last up to<br>
a given maximum length of time.<br>
<br>
I'm very pleased to announce that DotNetOpenAuth has support for<br>
this government profile, and in fact is the underlying library used<br>
by the NIH for its OpenID RP support. Watch for a new release of<br>
DNOA (3.2.1) in the next day or two that actually includes the<br>
government profile in it. (We could release it earlier than today's<br>
announcement).<br>
<br>
More in the news <<a
href="http://www.techcrunch.com/2009/09/09/us-government-to-embrace-openid-courtesy-of-google-yahoo-paypal-et-al/"
target="_blank">http://www.techcrunch.com/2009/09/09/us-government-to-embrace-openid-courtesy-of-google-yahoo-paypal-et-al/</a>><o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><br>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the<br>
death your right to say it." - S. G. Tallentyre<br>
<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@lists.openid.net" target="_blank">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general"
target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><o:p></o:p></p>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>