<br><br><div class="gmail_quote">On Mon, Oct 26, 2009 at 4:28 PM, Manger, James H <span dir="ltr"><<a href="mailto:James.H.Manger@team.telstra.com">James.H.Manger@team.telstra.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div lang="EN-AU" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">Dirk,</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">I don’t think your IBM example is a very convincing argument for host-meta to take precedence over an actual OpenID URI. Listing an OP in host-meta may be
a bit easier for an IBM IT admin than preventing links to OPs from other URIs — but the latter is quite feasible (rules in the page editing tool; filter in web server; validator on page changes; background script to look in the file system for this specific
situation…). Even a non-technical corporate policy saying staff must not specify another OP goes some way to meeting the objective.</span></p></div></div></blockquote><div><br></div><div>I agree with all you're saying: having a policy might go "some way", background scripts looking for bad OPs in people's web pages can also catch problems, etc. Still, these would seem like work-arounds to a buggy spec to me, one in which an organization that otherwise can control what its users are doing down to very minute details (enforce anti-virus software on people's machines, for example) can suddenly not do this for a very security-sensitive issue (its users' identity provider). I would consider a spec in which users _had_ to rely on some admin to configure this for them also broken, for what it's worth. Like I said, we should try and address both use cases.</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div lang="EN-AU" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">It is probably more convenient for host-meta to be able to provide a default OP, which can be overwritten for some special URIs.</span></p>
</div></div></blockquote><div>You can do that under my proposal: you don't specify the OP in host-meta. You use the Link HTTP header to point to the "default" XRD for most URIs (which in turn points to the "default" OP). You have some sort of process by which that Link header can be set to point to a non-default XRD, which then points to a non-default OP. If a company/web site wants to do that, that's up to them.</div>
<div><br>Dirk.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div lang="EN-AU" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> Most OpenID URIs on a host
don’t specify an OP so they fallback to host-meta, but a few can use a different OP (for non-humans, for contractors, for testing, for migrating to a new OP implementation, for staff with a different hardware login token…).</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><b><span lang="FR" style="color:#1F497D">James Manger</span></b><span style="color:#1F497D">
<br>
<a href="mailto:James.H.Manger@team.telstra.com" target="_blank"><span lang="FR" style="font-size:10.0pt">James.H.Manger@team.telstra.com</span></a>
<br>
</span><span style="font-size:10.0pt;color:#1F497D">Identity and security team</span><span style="color:#1F497D">
</span><span style="font-size:10.0pt;color:#1F497D">—</span><span style="font-size:10.0pt;color:#1F497D"> Chief Technology Office</span><span style="color:#1F497D">
</span><span style="font-size:10.0pt;color:#1F497D">—</span><span style="font-size:10.0pt;color:#1F497D"> Telstra</span><span style="color:#1F497D">
</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt">From:</span></b><span lang="EN-US" style="font-size:10.0pt"> <a href="mailto:openid-general-bounces@lists.openid.net" target="_blank">openid-general-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-general-bounces@lists.openid.net" target="_blank">openid-general-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Dirk Balfanz<br>
<b>Sent:</b> Tuesday, 27 October 2009 7:51 AM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> <a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<b>Subject:</b> Re: [OpenID] user centric delegation vs portability: LRDD : competing threats: the consumer's fear hypothesis</span></p>
</div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal"><span style="color:#1F497D">…</span>If you have your own domain, you can pick (and change) your identity provider. But if you're one of 300,000 IBM employees, there are certain things you can't pick about your work account - you can't pick
your email provider, you can't pick your calendaring software, and you can't presumably pick your identity provider - professionals at IBM who get paid to worry about this stuff will pick one for you that they are reasonably sure will not, say, put into jeopardy
the 401k accounts of the combined IBM workforce (because, hypothetically speaking, IBM uses OpenID to log their employees into
<a href="http://fidelity.com" target="_blank">fidelity.com</a>). </p>
</div><div class="im">
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">We need a single sign-on solution for the Web that works both for the Blogger/Facebook/consumer use case as well as the IBM use case.</p>
</div>
<div>
<p class="MsoNormal"><br>
Dirk.</p>
</div>
</div></div>
</div>
<br>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
<br></blockquote></div><br>
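<p>The discovery order Dirk sketches above (a per-URI Link HTTP header pointing at an XRD takes precedence; otherwise the host's host-meta supplies the default XRD, and hence the default OP) can be made concrete with a small resolver. The following Python is an added illustration written for this page; it is not code from the thread, from either participant, or from any OpenID library. The rel values, the XRD layout, the host names, the host-meta location and the template syntax are assumptions for the example, and all HTTP traffic is replaced by a constructed in-memory table so it runs offline. It also shows the property James was asking about: an OP link that a page author writes into the HTML body is never consulted, because only the admin-controlled Link header and host-meta are read.</p>

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import quote, urlparse

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
# Assumed rel values for this example; the thread itself names none.
REL_DESCRIBEDBY = "describedby"
REL_OPENID_OP = "http://specs.openid.net/auth/2.0/signon"


def _xrd(links: List[Tuple[str, str, str]]) -> str:
    """Build a minimal XRD document from (rel, attribute, value) triples."""
    items = "".join(f'<Link rel="{rel}" {attr}="{val}"/>' for rel, attr, val in links)
    return f'<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">{items}</XRD>'


# Constructed in-memory "web": url -> (response headers, body). Hypothetical hosts.
DEFAULT_XRD = ({}, _xrd([(REL_OPENID_OP, "href", "https://op.example.com/auth")]))
WEB = {
    # Host default: host-meta points at a templated XRD for every URI on the host.
    "https://example.com/.well-known/host-meta": ({}, _xrd(
        [(REL_DESCRIBEDBY, "template", "https://example.com/xrd?uri={uri}")])),
    # A non-default XRD an admin can attach to specific URIs via a Link header.
    "https://example.com/xrd/build-bot.xml": ({}, _xrd(
        [(REL_OPENID_OP, "href", "https://op-test.example.com/auth")])),
    # Ordinary staff page: no Link header, so the host default applies.
    "https://example.com/alice": ({}, "<html><body>Alice</body></html>"),
    # Non-human account whose Link header points at its own XRD.
    "https://example.com/svc/build-bot": (
        {"Link": '<https://example.com/xrd/build-bot.xml>; rel="describedby"'},
        "<html><body>build bot</body></html>"),
    # Page whose author wrote an OP link into the HTML body. The resolver never
    # parses the body, so this link has no effect on which OP is chosen.
    "https://example.com/bob": ({}, '<html><head><link rel="openid2.provider" '
                                    'href="https://other-op.example.net/auth"></head></html>'),
}


def fetch(url: str):
    """Stand-in for an HTTP GET against the constructed WEB table."""
    if url in WEB:
        return WEB[url]
    if url.startswith("https://example.com/xrd?uri="):  # expanded host-meta template
        return DEFAULT_XRD
    raise LookupError(url)


def parse_link_header(value: Optional[str]) -> List[Tuple[str, str]]:
    """Return (target, rel) pairs from an HTTP Link header value."""
    out = []
    for item in re.split(r",\s*(?=<)", value or ""):
        m = re.match(r"<([^>]+)>\s*(?:;\s*(.*))?", item.strip())
        if not m:
            continue
        target, params = m.group(1), m.group(2) or ""
        rel = re.search(r'rel="?([^";]+)"?', params)
        out.append((target, rel.group(1) if rel else ""))
    return out


def op_from_xrd(xml_text: str) -> Optional[str]:
    """Return the OP endpoint named by the XRD, if any."""
    for link in ET.fromstring(xml_text).findall(XRD_NS + "Link"):
        if link.get("rel") == REL_OPENID_OP and link.get("href"):
            return link.get("href")
    return None


def describedby_from_xrd(xml_text: str, user_uri: str) -> Optional[str]:
    """Return the XRD location host-meta designates for user_uri (href or template)."""
    for link in ET.fromstring(xml_text).findall(XRD_NS + "Link"):
        if link.get("rel") != REL_DESCRIBEDBY:
            continue
        if link.get("href"):
            return link.get("href")
        if link.get("template"):
            return link.get("template").replace("{uri}", quote(user_uri, safe=""))
    return None


def resolve_op(user_uri: str) -> Optional[str]:
    """Pick the OP for user_uri: per-URI Link header first, host-meta default second."""
    headers, _body = fetch(user_uri)  # the body is deliberately ignored
    for target, rel in parse_link_header(headers.get("Link")):
        if rel == REL_DESCRIBEDBY:
            _h, xrd = fetch(target)
            # An explicit per-URI XRD is authoritative: if it names no OP we
            # return None rather than silently downgrading to the host default.
            return op_from_xrd(xrd)
    host = urlparse(user_uri).netloc
    _h, host_meta = fetch(f"https://{host}/.well-known/host-meta")
    xrd_url = describedby_from_xrd(host_meta, user_uri)
    if not xrd_url:
        return None
    _h, xrd = fetch(xrd_url)
    return op_from_xrd(xrd)


if __name__ == "__main__":
    for uri in ("https://example.com/alice", "https://example.com/svc/build-bot",
                "https://example.com/bob"):
        print(uri, "->", resolve_op(uri))
```

<p>The one design choice worth calling out is in <code>resolve_op</code>: when a Link header names an XRD, that XRD decides, and a missing OP entry yields no OP rather than a fallback to the host default, so a mis-set override fails closed instead of quietly changing which provider authenticates the account.</p>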