<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
This is the first serious post I see (after my invitation to use the
OpenID server at no-password.com), which recognizes the need, that the
community MUST make decisions! This is very basic and "META" as
Drummond pointed out. I think we should stick to the mailing list for
now and suggest, that somebody outlines a new option or various
options, on what needs to be improved. Once we can agree to a useful
wording (created by the ones on the same line, who see a need for some
changes) we should forward that for voting (or whatever is acceptable
by OpenID).<br>
<br>
Please note, that some of the list members are not really involved
right now and will be back again after the weekend (I guess)! I think
to try to outline something soon...Any suggestion is welcome...<br>
<br>
<div class="moz-signature">-- <br>
<div><font face="Arial" size="2">Regards</font></div>
<div><font face="Arial" size="2"> </font></div>
<div><font face="Arial" size="2">Signer:      Eddy Nigg, StartCom Ltd.</font></div>
<div><font face="Arial" size="2">Phone:       +1.213.341.0390</font></div>
</div>
<br>
Drummond Reed wrote:
<blockquote cite="mid01ef01c6f9ee$cc390760$0d28a8c0@ELROND" type="cite">
  <div class="Section1">
  <p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
 style="font-size: 10pt; font-family: Arial; color: navy;">Just for
context, this exact thread ran
through the OpenID marketing list (at iwantmyopenid.org – no public
archives) about three weeks ago. Johannes Ernst even explained that he
had
implemented such an OpenID service at NetMesh just for testing purposes.<o:p></o:p></span></font></p>
  <p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
 style="font-size: 10pt; font-family: Arial; color: navy;"><o:p> </o:p></span></font></p>
  <p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
 style="font-size: 10pt; font-family: Arial; color: navy;">So once
again this establishes the
baseline that OpenID Authentication as it currently stands really
proves just
one thing: that an OpenID Provider (IdP) is authoritative for an OpenID
Identifier
(URL or XRI), period. Currently the relationship between the OpenID
Provider
and the registrant of the OpenID Identifier, and the nature of the
authentication the OpenID Provider requires (or does not require) of
the
registrant of the OpenID Identifier, is out of scope.<o:p></o:p></span></font></p>
  <p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
 style="font-size: 10pt; font-family: Arial; color: navy;"><o:p> </o:p></span></font></p>
  <p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
 style="font-size: 10pt; font-family: Arial; color: navy;">There are
many folks on the list that have
argued that this is by design – that OpenID Provider authentication of
an
Identifier is the baseline requirement for the protocol, and that the
OpenID Provider/End-User
authentication verification is a separate issue that can be layered on
top of
this. <o:p></o:p></span></font></p>
  <p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
 style="font-size: 10pt; font-family: Arial; color: navy;"><o:p> </o:p></span></font></p>
  <p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
 style="font-size: 10pt; font-family: Arial; color: navy;">There are
others that are arguing that
this baseline is too low, and will kill OpenID adoption if it is not
raised.<o:p></o:p></span></font></p>
  <p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
 style="font-size: 10pt; font-family: Arial; color: navy;"><o:p> </o:p></span></font></p>
  <p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
 style="font-size: 10pt; font-family: Arial; color: navy;">I understand
both sides. Rather than have
the argument all over again, for an issue as important as this, I’d
suggest we first need to answer the metaquestion: how do we as a
community
decide this question? Should we try to hash it out on the lists, or
should we
try to convene telecon(s), or should we go to a f2f meeting level?<o:p></o:p></span></font></p>
  <p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
 style="font-size: 10pt; font-family: Arial; color: navy;"><o:p> </o:p></span></font></p>
  <p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
 style="font-size: 10pt; font-family: Arial; color: navy;">=Drummond <o:p></o:p></span></font></p>
  <p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
 style="font-size: 10pt; font-family: Arial; color: navy;"><o:p> </o:p></span></font></p>
  <div>
  <div class="MsoNormal" style="text-align: center;" align="center"><font
 color="black" face="Times New Roman" size="3"><span
 style="font-size: 12pt; color: windowtext;">
  <hr tabindex="-1" align="center" size="2" width="100%"></span></font></div>
  <p class="MsoNormal"><b><font color="black" face="Tahoma" size="2"><span
 style="font-size: 10pt; font-family: Tahoma; color: windowtext; font-weight: bold;">From:</span></font></b><font
 color="black" face="Tahoma" size="2"><span
 style="font-size: 10pt; font-family: Tahoma; color: windowtext;">
<a class="moz-txt-link-abbreviated" href="mailto:security-bounces@openid.net">security-bounces@openid.net</a>
[<a class="moz-txt-link-freetext" href="mailto:security-bounces@openid.net">mailto:security-bounces@openid.net</a>] <b><span
 style="font-weight: bold;">On
Behalf Of </span></b>Alaric Dailey<br>
  <b><span style="font-weight: bold;">Sent:</span></b> Friday, October
27, 2006
10:02 AM<br>
  <b><span style="font-weight: bold;">To:</span></b> <a class="moz-txt-link-abbreviated" href="mailto:security@openid.net">security@openid.net</a><br>
  <b><span style="font-weight: bold;">Subject:</span></b> Re:
[security] Who bears
the risk..</span></font><font color="black"><span
 style="color: windowtext;"><o:p></o:p></span></font></p>
  </div>
  <p class="MsoNormal"><font color="black" face="Times New Roman"
 size="3"><span style="font-size: 12pt;"><o:p> </o:p></span></font></p>
  <p class="MsoNormal"><font color="blue" face="Arial" size="2"><span
 style="font-size: 10pt; font-family: Arial; color: blue;">I seem to
remember saying that this would
happen if authentication was outside the scope of the spec.</span></font><o:p></o:p></p>
  <p class="MsoNormal"><font color="black" face="Times New Roman"
 size="3"><span style="font-size: 12pt;"> <o:p></o:p></span></font></p>
  <p class="MsoNormal"><font color="black" face="Times New Roman"
 size="3"><span style="font-size: 12pt;"> <o:p></o:p></span></font></p>
  <p class="MsoNormal"><font color="black" face="Times New Roman"
 size="3"><span style="font-size: 12pt;"><o:p> </o:p></span></font></p>
  <div class="MsoNormal" style="text-align: center;" align="center"><font
 color="black" face="Times New Roman" size="3"><span
 style="font-size: 12pt;">
  <hr tabindex="-1" align="center" size="2" width="100%"></span></font></div>
  <p class="MsoNormal" style="margin-bottom: 12pt;"><b><font
 color="black" face="Tahoma" size="2"><span
 style="font-size: 10pt; font-family: Tahoma; font-weight: bold;">From:</span></font></b><font
 face="Tahoma" size="2"><span
 style="font-size: 10pt; font-family: Tahoma;">
<a class="moz-txt-link-abbreviated" href="mailto:security-bounces@openid.net">security-bounces@openid.net</a> [<a class="moz-txt-link-freetext" href="mailto:security-bounces@openid.net">mailto:security-bounces@openid.net</a>] <b><span
 style="font-weight: bold;">On Behalf Of </span></b>Eddy Nigg
(StartCom Ltd.)<br>
  <b><span style="font-weight: bold;">Sent:</span></b> Friday, October
27, 2006 7:21
AM<br>
  <b><span style="font-weight: bold;">Cc:</span></b> <a class="moz-txt-link-abbreviated" href="mailto:security@openid.net">security@openid.net</a><br>
  <b><span style="font-weight: bold;">Subject:</span></b> Re:
[security] Who bears
the risk..</span></font><o:p></o:p></p>
  <p class="MsoNormal" style="margin-bottom: 12pt;"><font color="black"
 face="Times New Roman" size="3"><span style="font-size: 12pt;">Hi All,<br>
  <br>
I'm glad to announce, that I have installed a new OpenID Server for
anybody to
use. This is a super-trooper and absolutely cool OpenID server, since
it
doesn't require you to sign up, register or anything...Total privacy!
You can
choose any user name and change the name every time if you wish, all
you have
to do, is to provide at LiveJournal or other blog/forum, a URI like <a
 href="http://123.no-password.com">http://123.no-password.com</a>...everything
works, no questions asked! You can even choose a user name somebody
else used
previously. This is especially interesting, since viagra.no-password.com
will
become reusable...<br>
  <br>
I simply downloaded one of the libraries from the OpenID web site and
removed
any authentication checking (patch available), so that when you have to
authenticate with no-password.com the web site simply posts you back
to
LiveJournal with is_valid="true". Also I removed the association for
shared secrets with the RP, since there is nothing here to protect and
completely <a
 href="http://openid.net/specs/openid-authentication-2_0-10.html#anchor3">optional</a>
according to the specs. This makes no-password.com the fastest OpenID
server,
since we don't use SSL and have no need to create the assoc_handle. I'm
sure we
gained about 10 milliseconds on this! BTW, did I tell you, that
no-password.com
is completely private and anonymous? Any log files created by the
server are
directed to /dev/null so that any traces of your visit at
no-password.com are
destroyed immediately! This is much better than the PiP offered from
Verisign,
since they probably keep log files and make back ups of their databases
;-) and
because according to the specs <i><span style="font-style: italic;">the
IdP
establishes whether the End User is authorized to perform OpenID
Authentication
and wishes to do so and the manner in which the End User authenticates
to their
IdP is beyond the scope of the OpenID Authentication 2.0 Specifications</span></i>,
all users are authorized at no-password.com without questions asked.
Cool,
isn't it?<br>
  <br>
I'm sure you now understand how useful the OpenID framework is and you
decided
to add OpenID login to your forum immediately. There are no
requirements on
your part, but you should....well, really you  <a
 href="http://openid.net/specs/openid-authentication-2_0-10.html#initiation">should</a>
make a small form at your forum, so the user can enter the
no-password.com URI.
It's also recommended that you place the <a
 href="http://openid.net/login-bg.gif">OpenID logo</a> at the beginning
of the
form field. Well, perhaps you just remove any authentication at your
forum...it's useless anyway...Count on no-password.com to always
authenticate
the users of your forum positively!<br>
  <br>
However, I'm not sure, if I'll keep no-password.com, since I just
bought it and
can return the domain within 10 days without getting charged. Anyway,
perhaps
I'll get another one (no-questions-asked.com is free) in ten
days....I'll keep
you updated on this!<o:p></o:p></span></font></p>
  <div>
  <p class="MsoNormal"><font color="black" face="Times New Roman"
 size="3"><span style="font-size: 12pt;">-- <o:p></o:p></span></font></p>
  <div>
  <p class="MsoNormal"><font color="black" face="Arial" size="2"><span
 style="font-size: 10pt; font-family: Arial;">Regards</span></font><o:p></o:p></p>
  </div>
  <div>
  <p class="MsoNormal"><font color="black" face="Times New Roman"
 size="3"><span style="font-size: 12pt;"> <o:p></o:p></span></font></p>
  </div>
  <div>
  <p class="MsoNormal"><font color="black" face="Arial" size="2"><span
 style="font-size: 10pt; font-family: Arial;">Signer:      Eddy Nigg,
StartCom Ltd.</span></font><o:p></o:p></p>
  </div>
  <div>
  <p class="MsoNormal"><font color="black" face="Arial" size="2"><span
 style="font-size: 10pt; font-family: Arial;">Phone:      
+1.213.341.0390</span></font><o:p></o:p></p>
  </div>
  </div>
  </div>
  <pre wrap="">
<hr size="4" width="90%">
_______________________________________________
security mailing list
<a class="moz-txt-link-abbreviated" href="mailto:security@openid.net">security@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/security">http://openid.net/mailman/listinfo/security</a>
  </pre>
</blockquote>
<br>
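Added example (not part of the original thread or of any OpenID library): a relying-party acceptance check showing that an is_valid:true answer from the provider establishes only that the provider vouches for the identifier, so any further assurance has to come from the RP's own policy. The trusted-host list, the endpoint URLs and the sample response are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: providers this relying party has chosen to trust (hypothetical host).
TRUSTED_OP_HOSTS = {"op.example.org"}

# Constructed sample of a direct verification response in Key-Value Form.
SAMPLE_RESPONSE = "ns:http://specs.openid.net/auth/2.0\nis_valid:true\n"


def parse_kv_form(body):
    """Parse a Key-Value Form body: one "key:value" pair per line."""
    fields = {}
    for line in body.split("\n"):
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields[key] = value
    return fields


def protocol_says_valid(check_auth_body):
    """What the protocol alone establishes: the provider confirmed the assertion.

    It says nothing about how, or whether, the provider authenticated the user.
    """
    return parse_kv_form(check_auth_body).get("is_valid") == "true"


def rp_accepts(op_endpoint, check_auth_body, trusted_hosts=TRUSTED_OP_HOSTS):
    """Return (accepted, reason) after layering RP policy on the protocol answer.

    The HTTPS requirement and the host allowlist are this example's policy,
    not requirements of the specification discussed in the thread.
    """
    if not protocol_says_valid(check_auth_body):
        return False, "provider did not confirm the assertion"
    url = urlsplit(op_endpoint)
    if url.scheme != "https":
        return False, "provider endpoint is not HTTPS"
    if (url.hostname or "").lower() not in trusted_hosts:
        return False, "provider is not on this RP's trusted list"
    return True, "accepted"


if __name__ == "__main__":
    # Endpoint paths below are constructed for illustration.
    for endpoint in ("http://no-password.com/server",
                     "https://no-password.com/server",
                     "https://op.example.org/auth"):
        print(endpoint, rp_accepts(endpoint, SAMPLE_RESPONSE))
```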
</body>
</html>