<div dir="ltr">"a random value
as an HttpOnly a session cookie" -> remove the "a" after HttpOnly?<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Nov 13, 2013 at 11:35 AM, George Fletcher <span dir="ltr"><<a href="mailto:gffletch@aol.com" target="_blank">gffletch@aol.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<font face="Helvetica, Arial, sans-serif">I'll let John quibble over
the specifics :) ... but it looks good to me. Thanks, George<br>
<br>
</font><div><div class="h5">
<div>On 11/13/13 1:30 PM, Mike Jones wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Please
review the new text at
<a href="http://openid.bitbucket.org/openid-connect-core-1_0.html#NonceNotes" target="_blank">http://openid.bitbucket.org/openid-connect-core-1_0.html#NonceNotes</a>,
which is where the implementation suggestions for the nonce
parameter have been moved.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
-- Mike<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>
[<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">mailto:openid-specs-ab-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Brian Campbell<br>
<b>Sent:</b> Wednesday, October 30, 2013 9:00 AM<br>
<b>To:</b> John Bradley<br>
<b>Cc:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] Nonce value suggestion
for the Implicit Flow<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">The nonce is a different approach to
protecting against things like replay prevention but doesn't
have the same scaling implications as tracking token ids.
Which is nice.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Wed, Oct 30, 2013 at 4:13 AM, John
Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>>
wrote:<u></u><u></u></p>
<div>
<p class="MsoNormal">The nonce is opaque to the AS, it is
sent by the client and validated by the client. It
binds the signed id_token to something in the user's
browser session. This is critical to prevent attacks
on the implicit flow, where the redirect_uri is not sent
to the token endpoint for validation. It is not
required for the "code" flow. In the hybrid flows it
needs to be used to validate the id_token presented in
the front channel as well, as the client may be using
the id_token before exchanging code at the token
endpoint, and discovering an attack.<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I think it also prevents some
attacks against code interception that checking the
redirect_uri wouldn't, so in a high LoA deployment I
would check both nonce and the redirect_uri.<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Are you asking about "jti" in the
assertion used to authenticate the client to the
token endpoint?<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">On Oct 30, 2013, at 1:44
AM, Anthony Nadalin <<a href="mailto:tonynad@microsoft.com" target="_blank">tonynad@microsoft.com</a>>
wrote:<u></u><u></u></p>
</div>
<p class="MsoNormal"><br>
<br>
<u></u><u></u></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I’m
not seeing how you are dealing with
duplicate nonces as this can be a
scaling issue when dealing with
millions of requests, the nonces need
better advice</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><a name="14252bf9530978a2_14208dc46cdfd917__MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></a><u></u><u></u></p>
</div>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<div>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>
[<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">mailto:openid-specs-ab-bounces@lists.openid.net</a>] <b>On
Behalf Of </b>John Bradley<br>
<b>Sent:</b> Tuesday, October 29,
2013 7:33 PM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re:
[Openid-specs-ab] Nonce value
suggestion for the Implicit Flow</span><u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">You want to store the
random value and send the hash. Saving
the hash is not secure unless it is
signed. <u></u><u></u></p>
</div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">The idea is to
force an attacker to compute a
plaintext for the hash (hard to
impossible depending on length) in
order to be able to present the
response from the AS.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">For
case 1: The Client can generate a
random value with sufficient
entropy and store that value in
local storage. This value is then
hashed to produce a nonce value.
The hashed value could optionally
be truncated to a sufficient
number of bits (such as 128)
before use. </span><u></u><u></u></p>
</div>
</blockquote>
<div>
<div>
<div>
<p class="MsoNormal">On Oct 29,
2013, at 9:40 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank"><span style="color:purple">Michael.Jones@microsoft.com</span></a>>
wrote:<u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Here’s
an attempt at simplifying
George’s text.</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">For
case 1: The Client can
generate a random value with
sufficient entropy and store a
cryptographic hash (such as
SHA-256) of that value in
local storage. The hashed
value could optionally be
truncated to a sufficient
number of bits (such as 128)
before use. The stored value
is used as the nonce value.</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">For
case 2: The Client can
generate a random value with
sufficient entropy and store
that value as an HttpOnly
session cookie. A
cryptographic hash (such as
SHA-256) of the cookie value
(or a truncation of the hash
value to a sufficient number
of bits) is used as the nonce
value.</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Am
I correct that the
cryptographic hash function is
used to spread the entropy
present in the random value
generated throughout the nonce
value in both cases?</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Comments?</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
-- Mike</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
</div>
</div>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Richer,
Justin P. [<a href="mailto:jricher@mitre.org" target="_blank"><span style="color:purple">mailto:jricher@mitre.org</span></a>] <br>
<b>Sent:</b> Saturday,
October 26, 2013 11:33 AM<br>
<b>To:</b> George Fletcher<br>
<b>Cc:</b> John Bradley;
Mike Jones; <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank"><span style="color:purple">openid-specs-ab@lists.openid.net</span></a><br>
<b>Subject:</b> Re:
[Openid-specs-ab] Nonce
value suggestion for the
Implicit Flow</span><u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica","sans-serif"">I
don't know where the best
place is to provide this
guidance. If we have a
"validating the ID Token"
sub-section in the new ID
Token section, then maybe it
would best fit there.</span><u></u><u></u></p>
</div>
</blockquote>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">+1 to this
idea with a cross link from the
nonce definition.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> -- Justin<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">On Oct 25,
2013, at 6:17 AM, George
Fletcher <<a href="mailto:gffletch@aol.com" target="_blank"><span style="color:purple">gffletch@aol.com</span></a>>
wrote:<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
<u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-family:"Helvetica","sans-serif"">If we
are going to give guidance,
then we really need to give
guidance for two different use
cases...<br>
<br>
1. The "client" will validate
the response locally in the
browser<br>
2. The "client" will validate
the response at its server
(even though it's using the
implicit flow)<br>
<br>
For use case 1: One method to
achieve this is for the client
to generate a random string
with sufficient entropy and
store a SHA-1 hash of the
string in local storage. Then
use the SHA-1 hash of the
random string as the value of
the nonce parameter. To
validate the nonce on receipt
of the ID Token, extract the
nonce from the ID Token and
compare it to the stored SHA-1
hash in local storage.<br>
<br>
For use case 2: One method to
achieve this is for the
backend server to use a SHA-1
hash of the "client's"
protected session cookie as
the value of the nonce
parameter when constructing
the AuthorizationRequest. Note
that the Session cookie SHOULD
be protected (restricted to
SSL and not readable by
JavaScript) for this method.
To validate the ID Token at
the server, the server
calculates a SHA-1 hash of the
Session cookie value and
compares that to the nonce
value in the ID Token.<br>
<br>
I don't know where the best
place is to provide this
guidance. If we have a
"validating the ID Token"
sub-section in the new ID
Token section, then maybe it
would best fit there.<br>
<br>
Thanks,<br>
George</span><u></u><u></u></p>
<div>
<div>
<p class="MsoNormal">On
10/24/13 7:16 PM, John
Bradley wrote:<u></u><u></u></p>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">We want
the implicit flow to
validate nonce, it would
be better to have some
reasonable advice for
using HTML local storage
rather than session
cookies.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">On
2013-10-24, at 3:44
PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank"><span style="color:purple">Michael.Jones@microsoft.com</span></a>> wrote:<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">We
could drop it from
the Implicit Flow,
as it’s already
present in the
Code Flow. Does
that work for
people?</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
-- Mike</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
</div>
</div>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Richer,
Justin P. [<a href="mailto:jricher@" target="_blank"><span style="color:purple">mailto:jricher@</span></a><a href="http://mitre.org/" target="_blank"><span style="color:purple">mitre.org</span></a>] <br>
<b>Sent:</b> Thursday,
October 24, 2013
12:56 PM<br>
<b>To:</b> Mike
Jones<br>
<b>Cc:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank"><span style="color:purple">openid-specs-ab@lists.openid.net</span></a><br>
<b>Subject:</b> Re:
[Openid-specs-ab]
Nonce value
suggestion for
the Implicit
Flow</span><u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">I'm
actually in favor of
dropping this
example, or else
providing it in a
list of
alternatives. The
important thing is
that the client can
validate the exact
value of the nonce
parameter on its way
back through, the
mechanics of how
that happens are
client specific (but
we can provide
simple guidance).<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> --
Justin<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">On
Oct 24, 2013,
at 11:44 AM,
Mike Jones
<<a href="mailto:Michael.Jones@microsoft.com" target="_blank"><span style="color:purple">Michael.Jones@microsoft.com</span></a>><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> wrote:<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
<br>
<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">For
the Implicit
Flow, the
“nonce”
description
contains this
text at <a href="http://openid.bitbucket.org/openid-connect-core-1_0.html#ImplicitAuthorizationRequest" target="_blank"><span style="color:purple">http://openid.bitbucket.org/openid-connect-core-1_0.html#ImplicitAuthorizationRequest</span></a>:</span><u></u><u></u></p>
</div>
</div>
<div style="margin-left:.5in">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Verdana","sans-serif"" lang="EN">Sufficient
entropy MUST
be present in
the </span><tt><span style="font-size:10.0pt;color:#003366" lang="EN">nonce</span></tt><span style="font-size:11.0pt;font-family:"Verdana","sans-serif"" lang="EN"> values
used to
prevent
attackers from
guessing
values. <span style="background:yellow">One method to achieve this is to store a
random value
as a signed
session
cookie, and
pass the value
in the </span></span><tt><span style="font-size:10.0pt;color:#003366;background:yellow" lang="EN">nonce</span></tt><span style="font-size:11.0pt;font-family:"Verdana","sans-serif";background:yellow" lang="EN"> parameter.
In that case,
the </span><tt><span style="font-size:10.0pt;color:#003366;background:yellow" lang="EN">nonce</span></tt><span style="font-size:11.0pt;font-family:"Verdana","sans-serif";background:yellow" lang="EN"> in
the returned
ID Token can
be compared to
the signed
session cookie
to detect ID
Token replay
by third
parties.</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">George
wrote this
about the
suggestion in
his review:</span><u></u><u></u></p>
</div>
</div>
<div style="margin-left:.5in">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">“I'm
not sure this
suggestion
makes sense
for the
implicit flow.
The client
would need to
write a cookie
value on the
domain of the
redirect_uri
and then
attempt to
read it on the
return of the
implicit flow.
Wondering if a
local storage
example would
make more
sense.”</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Do
people agree
with him? If
so, does
someone want
to supply
specific
alternative
text to use?</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">
-- Mike</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Helvetica","sans-serif"">_______________________________________________<br>
Openid-specs-ab
mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank"><span style="color:purple">Openid-specs-ab@lists.openid.net</span></a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank"><span style="color:purple">http://lists.openid.net/mailman/listinfo/openid-specs-ab</span></a></span><u></u><u></u></p>
</div>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
<br>
<u></u><u></u></p>
</div>
</div>
</blockquote>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">-- <br>
<a href="http://connect.me/gffletch" title="View full card on
Connect.Me" target="_blank"><span style="color:purple"><XeC.png></span></a><u></u><u></u></p>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</blockquote>
<br>
</div></div><span class="HOEnZb"><font color="#888888"><div>-- <br>
<a href="http://connect.me/gffletch" title="View full card on
Connect.Me" target="_blank"><img src="cid:part29.01040202.09030806@aol.com" alt="George Fletcher" height="113" width="359"></a></div>
</font></span></div>
</blockquote></div><br></div>
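<div>The scheme discussed in this thread for case 2 (random value kept in an HttpOnly session cookie, SHA-256 hash truncated to 128 bits sent as the nonce), as an added example that is not part of the original messages or of the OpenID Connect specification. The cookie name and all function names are hypothetical, the sample token is constructed, and ID Token signature validation is assumed to have happened before the nonce check.</div>

```javascript
// Added example (not from the thread). All names below are hypothetical.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

const NONCE_BYTES = 16; // truncate SHA-256 to 128 bits, as the thread suggests

// nonce = base64url(first 128 bits of SHA-256(secret)).
function deriveNonce(secret) {
  return createHash('sha256').update(secret, 'utf8').digest()
    .subarray(0, NONCE_BYTES).toString('base64url');
}

// Start of the flow: the random value stays with the client (here in an
// HttpOnly, SSL-only cookie); only its hash goes into the request.
function startAuthRequest() {
  const secret = randomBytes(32).toString('base64url'); // 256 bits of entropy
  return {
    secret,
    setCookie: `oidc_nonce_secret=${secret}; HttpOnly; Secure; Path=/`,
    nonce: deriveNonce(secret),
  };
}

// Read the claims of an ID Token whose signature was already verified.
function claimsOf(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// On return: recompute the hash from the stored value and compare it with
// the nonce claim. Any missing or malformed input fails closed.
function checkNonce(idToken, storedSecret) {
  if (typeof storedSecret !== 'string' || storedSecret.length === 0) {
    return false; // no pending request in this browser session
  }
  let nonce;
  try {
    nonce = claimsOf(idToken).nonce;
  } catch (e) {
    return false;
  }
  if (typeof nonce !== 'string') return false;
  const expected = Buffer.from(deriveNonce(storedSecret), 'utf8');
  const got = Buffer.from(nonce, 'utf8');
  return expected.length === got.length && timingSafeEqual(expected, got);
}

// Constructed sample: an unsigned token carrying only the claims used here.
function fakeIdToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none' })}.${b64(claims)}.`;
}
```

For case 1 the same derivation applies with the random value held in local storage instead of a cookie; in both cases the stored value should be discarded after one check so that a token cannot be accepted twice.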