<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">So let's change the process! You're a board member, we're all members of the Foundation, let's do it instead of complain about it. :)<div><br></div><div>I think the larger reason is no one has stepped up like they would need to do as an editor to the next version of OpenID Authentication given how large of a time commitment that it is. There are plenty of things in the next version that we should remove, others things we should add, exploratory work around things like discovery and how OpenID interacts with OAuth. While I would like to do it, I know that I don't have the time by myself.</div><div><br></div><div>--David</div><div><br><div><div>On Aug 13, 2009, at 9:17 AM, Nat Sakimura wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">I think enough people wants to do artifact binding, including Google. <div>All the mobile carriers in Japan wants to do it as well. </div> <div>So what is stopping us? </div><div><br></div><div>It is probably the "process". </div><div><br></div><div>It is way top heavy. </div><div><br></div><div>Why did they need to create OAuth on their own IPR regime? </div> <div>Because, OpenID did not move fast enough. </div><div><br></div><div>Can we move fast enough? No. With the current process, we just cannot. </div><div>It probably is more practical to start the discussion in Kantara, OASIS, or IETF. </div> <div>OIDF is the most heavyweight and slowest of all. </div><div><br></div><div>We will start seeing cavitation phenomenon on OpenID soon if we do not change our course quickly. </div><div><br></div><div>Nat</div></span><br> <div class="gmail_quote">On Fri, Aug 14, 2009 at 12:34 AM, John Bradley <span dir="ltr"><<a href="mailto:jbradley@mac.com">jbradley@mac.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"> <div style="word-wrap:break-word">Nat,<div><br></div><div>You can do identity less openID checkid_imediate requests to invoke extensions like AX.</div><div><br></div><div>That doesn't let you piggyback AX on a association request though.</div> <div><br></div><div>I am sympathetic to your problem of wanting an artifact binding for openID.</div><div><br></div><div>The reality is that we need to create a artifact binding in 2.1 rather than try and slip it through some loose wording in the 2.0 spec.</div> <div><br></div><div>OpenID 2.0 doesn't support artifact binding.</div><div><br></div><div>If it did then that would have helped me with the LoA 2 justification. </div><div><br></div><div>Artifact binding will add complexity and not everyone will support it.</div> <div><br></div><div>Some may ask if we add artifact binding, signatures and encryption are we not reinventing SAML Web SSO, or something of equal complexity?</div><div><br></div><div>I am not against doing it if that is the chosen direction. However I would like to see a full and open discussion on it.</div> <div><br></div><div>John B.</div><div><br><div><div>On 13-Aug-09, at 8:03 AM, <a href="mailto:openid-specs-request@lists.openid.net" target="_blank">openid-specs-request@lists.openid.net</a> wrote:</div><br><blockquote type="cite"> <span style="border-collapse:separate;color:rgb(0, 0, 0);font-family:Helvetica;font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:monospace">Date: Fri, 14 Aug 2009 00:03:12 +0900<br> From: Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>><br>Subject: Re: So, what is an OpenID Extension?<br>To: James Henstridge <<a href="mailto:james@jamesh.id.au" target="_blank">james@jamesh.id.au</a>><br> Cc: OpenID Specs Mailing List <<a href="mailto:specs@openid.net" target="_blank">specs@openid.net</a>><br>Message-ID:<br><span style="white-space:pre"> </span><<a href="mailto:bf26e2340908130803h390947eya0f6af01c65daee5@mail.gmail.com" target="_blank">bf26e2340908130803h390947eya0f6af01c65daee5@mail.gmail.com</a>><br> Content-Type: text/plain; charset="iso-8859-1"<br><br>Hmmm. So, there is no way we can do direct communication in an extension? What<br>I want to do is to send the large payload directly between the servers and<br> move only the reference through OpenID Authn request and response so that<br><br>1) mobile clients will not choke.<br>2) is going to be more secure.<br><br>In AX, there is a notion of update_url, but is that also used only for<br> indirect communication through browser?<br><br>I feel that it is extremely limiting if we cannot do the server to server<br>communication.<br><br>If that is not a possibility, then I should probably do the server to server<br> portion elsewhere, and just do the reference/artifact moving through OpenID<br>AuthN, but that sounds like OpenID strangling itself.<br><br>=nat<br></span></span></blockquote></div><br></div></div><br>_______________________________________________<br> specs mailing list<br> <a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br> <a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br> <br></blockquote></div><br><br clear="all"><br>-- <br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/">http://www.sakimura.org/en/</a><br> _______________________________________________<br>specs mailing list<br><a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>http://lists.openid.net/mailman/listinfo/openid-specs<br></blockquote></div><br></div></body></html>