Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)
David Recordon
david at sixapart.com
Tue Jun 9 18:36:19 UTC 2009
Hey David,
I've been following some of the discovery work the past few months,
but don't have a clear picture if the various components are actually
solid enough to begin working with. I know XRD is moving forward, but
what's the state of site-meta
(http://tools.ietf.org/html/draft-nottingham-site-meta-01) or now
WebFinger (http://code.google.com/p/webfinger/)? Is there
something in WebFinger which wouldn't solve OpenID discovery entirely?
These questions and the lack of adoption of XRD, site-meta or
completion of WebFinger have all contributed to my belief that we're
still just not ready to redefine how OpenID's discovery process should
work.
Thoughts?
Thanks,
--David
Begin forwarded message:
> From: David Fuelling <sappenin at gmail.com>
> Date: June 9, 2009 10:07:20 AM PDT
> To: Allen Tom <atom at yahoo-inc.com>
> Cc: security at openid.net, general at openid.net
> Subject: Re: [security] OpenID Security Best Practices Doc
> Reply-To: sappenin at gmail.com
>
> On Tue, Jun 9, 2009 at 5:38 AM, Allen Tom <atom at yahoo-inc.com> wrote:
> Is the community ready to move forward with OpenID 2.1?
>
> I can't necessarily speak for the community, but I'd at least like
> to move forward with the 2.1 Discovery WG. The output of that is
> expected to be a "best practices" document relating to Discovery
> that would (it is expected) be used in the regular OpenID 2.1 WG.
>
> I'm not opposed to doing all of this in parallel.
>
> I do believe that we really need a security best practices document,
> and it shouldn't have to wait until OpenID 2.1 is finalized.
>
>
> +1
>
>
> Anyway, when you said you had been "nominated", it made me think
> there's some shadow process going on behind the scenes when it comes
> to these Working Groups.
> At the December 2008 IIW, I was either nominated or was volunteered
> to work on a Security Best Practices document after I strongly
> advocated that the community write one.
>
> Cool. Like I said, I wasn't trying to say you shouldn't be doing
> this work. I just wanted to make sure it was "open". I wasn't at
> IIW, so that explains my disconnect.
>
> Am I missing something? Are there "private" WG discussions going on
> that the rest of us can't see?
> The security best practices document was first discussed at the
> December 2008 IIW session on OpenID 2.1, completely in the open.
>
> See my comment above.
>
>
> Or are you just "taking some initiative", as it were?
> Well, I'd been procrastinating for more than 6 months, but I think
> we waited long enough. More and more sites want to deploy OpenID,
> and it's about time we had a security document that potential
> implementers can read, other than just reading the specs, and
> various blog posts.
>
> :) -- I'm glad you've started working on this. It's important to
> have.
>
>
> -- I'm really just looking to get "in the loop" on this Working
> Group business, assuming I'm out if currently).
> I believe that the process requires the WG proposers to take their
> proposal to the Specifications council who will review the proposal
> and give their recommendation to the general membership of the OIDF
> to either approve or deny the request to form the WG. The general
> membership then votes on the proposal, and if the proposal is
> approved, the WG is formed. There's also a very painful process for
> the WG members to get their employers to approve their participation
> in the WG.
>
> The WG proposals that seem to be stalled right now appear to be
> OpenID 2.1, SREG 1.1, and AX 2.0.
>
> At least with regards to SREG 1.1 and AX 2.0, I believe that the
> proposers are waiting for their employers to approve their
> participation. Where is Dick Hardt? The OpenID world misses you!
>
> I'm not sure about the status on OpenID 2.1, but at least for
> myself, I'm more focused on the immediate goals of getting OpenID
> OAuth Hybrid and the OpenID UI Extensions finalized.
>
> I for one would like to move forward on the 2.1 Discovery WG. XRD
> will be a big part of that, but at this point it seems like much of
> XRD has been solidified (at least, enough for us to begin the 2.1
> Discovery WG).
>
> The OpenID Wiki says that the Discovery WG proposal has been sent to
> the specs council, but I have not seen the proposal yet.
>
> I think this is the proposal:
> http://wiki.openid.net/OpenID-Discovery
>