<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7651.59">
<TITLE>RFC: Final outstanding issues with the OpenID 2.0 Authentication specification</TITLE>
</HEAD>
<BODY>
<DIV id=idOWAReplyText37352 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>Very good. Can you
produce a draft #12 with the 'issues and resolutions' so that there </FONT><FONT
face=Arial size=2>is something atomic to discuss?</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>-Hans</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> specs-bounces@openid.net on behalf of Josh
Hoyt<BR><B>Sent:</B> Thu 5/17/2007 9:25 AM<BR><B>To:</B> OpenID specs
list<BR><B>Subject:</B> RFC: Final outstanding issues with the OpenID 2.0
Authentication specification<BR></FONT><BR></DIV>
<DIV>
<P><FONT size=2>OpenID 2.0 has been a work in progress for a long time. The specification has been largely at a standstill for long enough for people to implement it, and even deploy it. At the Internet Identity Workshop for the past few days, I've been talking to the people from the OpenID community about what is getting in the way of calling the spec final. I'm sending this message to summarize what I've heard, get comments from those of you who aren't here at this conference, and hopefully establish a concrete plan of action that will get the spec finalized.</FONT></P>
<P><FONT size=2>In the conversations that I've had, there are four issues that are holding up people's approval of the specification. These issues are not new, but I'm going to list them here:</FONT></P>
<OL>
<LI><FONT size=2>Identifier recycling. There are two different use cases for identifier recycling. The first, and the one that most people I have talked to really want to solve, is that of a large provider that wants to allow re-use of parts of its namespace. The second is if a user wants to relinquish control of an identifier without relinquishing control of the places that they have used this identifier. A concrete example of this is if I ever choose to stop paying for j3h.us.</FONT></LI>
<LI><FONT size=2>Realm spoofing. This encompasses the attacks that Allen Tom has described (using redirectors, proxies or XSS attacks) that create new phishing opportunities and make certain types of phishing even worse.</FONT></LI>
<LI><FONT size=2>Associations in the clear. While the OpenID 2 specification specifically allows a provider to refuse to perform associations in the clear (no Diffie-Hellman or SSL), there is consensus that the specification should disallow these associations. This one's easy.</FONT></LI>
<LI><FONT size=2>Reference to unfinished XRI specification. For resolving XRI and the protocol formerly known as Yadis (XRDS discovery for URLs), we're referring to a working draft specification. We can't leave the final spec referring to the draft.</FONT></LI>
</OL>
<P><FONT size=2>If these four issues are resolved, can we call the OpenID 2.0 Authentication specification done? Speak up if you have any other show-stoppers.</FONT></P>
<P><FONT size=2>Josh</FONT></P>
<P><FONT size=2>_______________________________________________<BR>specs mailing list<BR>specs@openid.net<BR><A href="http://openid.net/mailman/listinfo/specs">http://openid.net/mailman/listinfo/specs</A></FONT></P></DIV>
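<P><FONT size=2>Issue 3 in Josh's list asks that providers refuse associations negotiated in the clear. The following is an added example, not code from this thread or from any OpenID library, showing how an OpenID Provider's associate endpoint could enforce that rule: it parses the Relying Party's request and, when a no-encryption session is requested over a non-TLS transport, answers with an OpenID error response that steers the RP to a Diffie-Hellman session instead. The function names, the constructed sample request and the transport_is_tls flag are assumptions, not part of the specification.</FONT></P>

```python
"""Refuse OpenID 2.0 association requests that would reveal the MAC key in the clear."""
from urllib.parse import parse_qs, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Session types from OpenID 2.0: the DH variants wrap the MAC key in the exchange;
# "no-encryption" sends it in plaintext, which is only tolerable over an encrypted transport.
DH_SESSIONS = {"DH-SHA1", "DH-SHA256"}
PLAINTEXT_SESSION = "no-encryption"


def build_request(session_type, assoc_type="HMAC-SHA256"):
    """Constructed sample RP request body (application/x-www-form-urlencoded), for testing."""
    return urlencode({"openid.ns": OPENID_NS, "openid.mode": "associate",
                      "openid.session_type": session_type, "openid.assoc_type": assoc_type})


def unsupported_type(reason):
    """OpenID error response to an association request, suggesting a DH session to retry with."""
    return {"ns": OPENID_NS, "error": reason, "error_code": "unsupported-type",
            "session_type": "DH-SHA256", "assoc_type": "HMAC-SHA256"}


def handle_associate(body, transport_is_tls):
    """Return (accepted, fields) for an OP's associate endpoint.

    transport_is_tls is an assumption: the caller learns it from its web server or proxy.
    On rejection, fields is the error response to serialise and send back to the RP.
    """
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if params.get("openid.ns") != OPENID_NS or params.get("openid.mode") != "associate":
        return False, {"ns": OPENID_NS, "error": "not an OpenID 2.0 associate request"}
    session_type = params.get("openid.session_type", "")
    if session_type == PLAINTEXT_SESSION and not transport_is_tls:
        # The point of issue 3: never hand out a plaintext MAC key over plain HTTP.
        return False, unsupported_type("no-encryption session requires TLS")
    if session_type not in DH_SESSIONS | {PLAINTEXT_SESSION}:
        return False, unsupported_type("unknown session_type")
    # Accepted; a real OP would now run the DH exchange and issue the association handle.
    return True, {"session_type": session_type,
                  "assoc_type": params.get("openid.assoc_type", "")}


def kv_encode(fields):
    """Serialise a response in OpenID Key-Value Form: 'key:value' lines, each LF-terminated."""
    return "".join(f"{k}:{v}\n" for k, v in fields.items())
```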
</BODY>
</HTML>