<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Nat, <br>
<br>
How will the WG define workflow and proof of user consent if the
charter says that UI and UX are out of scope?<br>
<br>
Allen<br>
<br>
<br>
Nat wrote:
<blockquote cite="mid:E6B6DDD2-40A0-455C-AA73-DC132DFBA0DE@gmail.com"
type="cite">
<div>Whether it really is legally binding depends on what
jurisdiction you are in, but typically there are some minimal set of
info that has to be included to be considered to be a good one. Namely,
sufficiently unique identifiers for all the parties involved, term,
date, expiry, renewal privision, termination clause, jurisdiction, and
signatures. Signature sometimes is of not the subject but of a proxy
agent. </div>
<div>CX is going to define how these should be represented. </div>
<div><br>
</div>
<div>These "contracts" typically lives long, and there are
readability requirement as well. (I.e. it should not require a special
software to read and understand what it means.) Cryptographically, it
requires provisioning against algorithm getting compromised such as
time stamping. </div>
<div><br>
</div>
<div>We also have to define the verification procedure for all the
above. </div>
<div><br>
</div>
<div>Then, there is an issue of what entails the reasonable action
and workflow etc. as a proof of user consent. </div>
<div><br>
</div>
<div>So, in summary, while we intend to use AX (and/or OAuth hybrid)
as the undelying protocol, it is a little more than merely defining
another set of attributes. </div>
<div><br>
=nat<span class="Apple-style-span" style="">@TOKYO via iPhone</span></div>
<div><br>
On 2009/01/23, at 5:43, Allen Tom <<a moz-do-not-send="true"
href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>Hi Nat,<br>
<br>
Can you define the term "contract"? Is it legally binding? It is just a
signed set of attributes? Who are the parties involved with signing the
contract? The RP, OP, and user? Instead of defining a new CX extension,
would it just be sufficient to define new attributes using AX?<br>
<br>
Would it make more sense to use OAuth instead of defining a new OpenID
extension? OAuth is designed to allow a user to authorize an RP (aka
Consumer) to access protected resources hosted by the user's OP (aka
Service Provider). It might make more sense to use the OpenID+OAuth
hybrid protocol along with an OAuth protected web service to exchange
contract information.<br>
<br>
Thanks<br>
Allen<br>
<br>
<br>
<br>
<br>
Nat Sakimura wrote:
<blockquote
cite="mid:bf26e2340901130123v2227546xd73b629898e8ed90@mail.gmail.com"
type="cite">I have edited the Contract Exchange Proposal on the wiki. <br>
<br>
<a moz-do-not-send="true"
href="http://wiki.openid.net/Working_Groups%3AContract_Exchange_1">http://wiki.openid.net/Working_Groups%3AContract_Exchange_1</a><br>
<br>
It is substantially shorter and easier to parse, hopefully. <br>
<br>
Please discuss. <br clear="all">
<br>
-- <br>
Nat Sakimura (=nat)<br>
<a moz-do-not-send="true" href="http://www.sakimura.org/en/">http://www.sakimura.org/en/</a><br>
<pre wrap=""><hr size="4" width="90%">
_______________________________________________
specs mailing list
<a moz-do-not-send="true" href="mailto:specs@openid.net">specs@openid.net</a>
<a moz-do-not-send="true"
href="http://openid.net/mailman/listinfo/specs">http://openid.net/mailman/listinfo/specs</a>
</pre>
</blockquote>
<br>
</div>
</blockquote>
</blockquote>
<br>
</body>
</html>