Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

David Recordon david at sixapart.com
Tue Jun 9 11:36:19 PDT 2009



Hey David,

I've been following some of the discovery work the past few months, but don't have a clear picture if the various components are actually solid enough to begin working with. I know XRD is moving forward, but what's the state of site-meta (http://tools.ietf.org/html/draft-nottingham-site-meta-01) or now WebFinger (http://code.google.com/p/webfinger/)? Is there something in WebFinger which wouldn't solve OpenID discovery entirely?

These questions and the lack of adoption of XRD, site-meta or completion of WebFinger have all contributed to my belief that we're still just not ready to redefine how OpenID's discovery process should work.

Thoughts?

Thanks,
--David

Begin forwarded message:

> From: David Fuelling <sappenin at gmail.com>
> Date: June 9, 2009 10:07:20 AM PDT
> To: Allen Tom <atom at yahoo-inc.com>
> Cc: security at openid.net, general at openid.net
> Subject: Re: [security] OpenID Security Best Practices Doc
> Reply-To: sappenin at gmail.com
>
> On Tue, Jun 9, 2009 at 5:38 AM, Allen Tom <atom at yahoo-inc.com> wrote:
>> Is the community ready to move forward with OpenID 2.1?
>
> I can't necessarily speak for the community, but I'd at least like to move forward with the 2.1 Discovery WG. The output of that is expected to be a "best practices" document relating to Discovery that would (it is expected) be used in the regular OpenID 2.1 WG.
>
> I'm not opposed to doing all of this in parallel.
>
>> I do believe that we really need a security best practices document, and it shouldn't have to wait until OpenID 2.1 is finalized.
>
> +1
>
>>> Anyway, when you said you had been "nominated", it made me think there's some shadow process going on behind the scenes when it comes to these Working Groups.
>>
>> At the December 2008 IIW, I was either nominated or was volunteered to work on the Security Best Practices document after I strongly advocated that the community write one.
>
> Cool. Like I said, I wasn't trying to say you shouldn't be doing this work. I just wanted to make sure it was "open". I wasn't at IIW, so that explains my disconnect.
>
>>> Am I missing something? Are there "private" WG discussions going on that the rest of us can't see?
>>
>> The security best practices document was first discussed at the December 2008 IIW session on OpenID 2.1, completely in the open.
>
> See my comment above.
>
>>> Or are you just "taking some initiative", as it were?
>>
>> Well, I'd been procrastinating for more than 6 months, but I think we waited long enough. More and more sites want to deploy OpenID, and it's about time we had a security document that potential implementers can read, other than just reading the specs and various blog posts.
>
> :) -- I'm glad you've started working on this. It's important to have.
>
>>> -- I'm really just looking to get "in the loop" on this Working Group business (assuming I'm out of it currently).
>>
>> I believe that the process requires the WG proposers to take their proposal to the Specifications Council, who will review the proposal and give their recommendation to the general membership of the OIDF to either approve or deny the request to form the WG. The general membership then votes on the proposal, and if the proposal is approved, the WG is formed. There's also a very painful process for the WG members to get their employers to approve their participation in the WG.
>>
>> The WG proposals that seem to be stalled right now appear to be OpenID 2.1, SREG 1.1, and AX 2.0.
>>
>> At least with regards to SREG 1.1 and AX 2.0, I believe that the proposers are waiting for their employers to approve their participation. Where is Dick Hardt? The OpenID world misses you!
>>
>> I'm not sure about the status on OpenID 2.1, but at least for myself, I'm more focused on the immediate goals of getting OpenID OAuth Hybrid and the OpenID UI Extensions finalized.
>
> I for one would like to move forward on the 2.1 Discovery WG. XRD will be a big part of that, but at this point it seems like much of XRD has been solidified (at least, enough for us to begin the 2.1 Discovery WG).
>
>> The OpenID Wiki says that the Discovery WG proposal has been sent to the specs council, but I have not seen the proposal yet.
>
> I think this is the proposal:
> http://wiki.openid.net/OpenID-Discovery
>
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security

