<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi All,<br>
<br>
Sorry for the delayed response, I'm still catching up on mail after
being on vacation last week.<br>
<br>
Breno - How would artifact binding help OpenID attain Loa2? I'm unclear
as to how that would make a difference.<br>
<br>
The Yahoo OP was recently updated to return responses that are larger
than 2KB using POST, and this has caused many users to see the ugly
browser warning because most RPs don't support HTTPS. Displaying the
ugly browser warning is really unacceptable, so we'll probably update
the Yahoo OP to use POST only for HTTPS return_to URLs.<br>
<br>
The excessively large responses are mostly due to AX being excessively
verbose. It would be really nice if we could revise AX to be a lot more
compact. Perhaps if we had a standardized AX schema, we'd be able to
shorten the message size.<br>
<br>
Allen<br>
<br>
<br>
<br>
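The size and binding problem described above, as an added example that is not part of the thread or of any OP's code: it assembles an OpenID 2.0 positive assertion with AX attributes, measures the GET redirect, and picks GET, POST-to-HTTPS-only, or a "too large" signal. The 2048-byte limit, the TOO_LARGE fallback and all sample values are assumptions.<br>

```python
# Added example (not from the thread): OP-side binding choice for an OpenID 2.0
# assertion carrying AX attributes. Parameter names follow OpenID 2.0 / AX 1.0;
# URL_LIMIT and the policy in choose_binding are assumptions for this example.
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

OPENID_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
URL_LIMIT = 2048  # assumed safe length for a GET redirect


def build_assertion(return_to, claimed_id, op_endpoint, ax_attrs):
    """Build the openid.* fields of a positive assertion plus an AX fetch_response.
    ax_attrs maps alias -> (type_uri, value); the sig is a constructed placeholder."""
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": "2009-08-17T12:00:00Zexamplenonce",  # constructed
        "openid.assoc_handle": "{HMAC-SHA256}{example}",             # constructed
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_response",
    }
    for alias, (type_uri, value) in ax_attrs.items():
        # AX repeats the full type URI for every attribute; this is most of the bulk
        fields[f"openid.ax.type.{alias}"] = type_uri
        fields[f"openid.ax.value.{alias}"] = value
    # openid.signed lists every field except openid.ns (and sig/signed themselves)
    fields["openid.signed"] = ",".join(k[len("openid."):] for k in fields if k != "openid.ns")
    fields["openid.sig"] = "c2lnbmF0dXJlLXBsYWNlaG9sZGVy"  # constructed, not a real MAC
    return fields


def redirect_url(return_to, fields):
    """Encode the assertion into return_to as a GET redirect, keeping its own query."""
    parts = urlsplit(return_to)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(fields.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def choose_binding(return_to, fields):
    """'GET' if the redirect fits; 'POST' only for an HTTPS return_to (the policy
    described in the thread); 'TOO_LARGE' tells the OP to trim optional AX data."""
    if len(redirect_url(return_to, fields)) <= URL_LIMIT:
        return "GET"
    if urlsplit(return_to).scheme == "https":
        return "POST"
    return "TOO_LARGE"
```
<br>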
Breno de Medeiros wrote:
<blockquote
cite="mid:29fb00360908131112n5a1af375m6a81c4f388c1407d@mail.gmail.com"
type="cite">
<pre wrap="">Since Google was mentioned here as wanting artifact, let me make the
record clear to say that I spoke about artifact binding on my personal
capacity.
My very own personal view is that an artifact profile would be easy to
spec out (the check_authentication or stateless mode is already the
artifact flow without the additional benefits of artifact) and would
make OpenID more robust. Currently long URLs require POST which only
gives you so much mileage. POST is ugly if the RP has a non-HTTPS
endpoint, with scary user confirmation dialogs.
Also, I did not wish to express any personal opinion on whether OpenID
should seek Loa2, just to note that artifact is the easiest route
there.
On Thu, Aug 13, 2009 at 10:45 AM, Nat Sakimura <a class="moz-txt-link-rfc2396E" href="mailto:sakimura@gmail.com"><sakimura@gmail.com></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">John,
You changed the topic of this thread.
This thread was about artifact binding, not about Government LoA.
That's another thread :-)
Yes, Artifact helps LoA, but it is not only that.
It helps the mobile space immensely.
=nat
On Fri, Aug 14, 2009 at 2:00 AM, John Bradley <a class="moz-txt-link-rfc2396E" href="mailto:jbradley@mac.com"><jbradley@mac.com></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Chris
I think we are agreeing. OpenID needs to play to its strengths.
Chasing shiny things is tempting.
We need to carefully consider the impact of changes.
That is not to say that openID shouldn't evolve.
There are always tradeoffs.
Remember that a GSA LoA 2 or 3 profile is focused on the Gov accepting the
assertions for specific uses.
Other people are free to make their own determinations for other use
cases.
I am interested in finding out if IdP really want to be certified at LoA 2
with all of the extra identity
proofing, liability and other things that go with that.
A LoA 2 certification for an IdP involves a lot more than just tweaking
some protocol pieces.
Are there OPs that want that?
John B.
On 13-Aug-09, at 9:11 AM, Chris Messina wrote:
On Thu, Aug 13, 2009 at 8:34 AM, John Bradley <a class="moz-txt-link-rfc2396E" href="mailto:jbradley@mac.com"><jbradley@mac.com></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Some may ask if we add artifact binding, signatures and encryption are we
not reinventing SAML Web SSO, or something of equal complexity?
</pre>
</blockquote>
<pre wrap="">I would like to know more about this, but my instinct is always to say
"NO" for as long as possible when any new feature will a) introduce
complexity and b) stifle or impair potential adoption.
That we've come as far as we have is a feat; maintaining that momentum is
critical — and that means making good on the promise of what OpenID offers
*today* — and only extending it with real world examples where people are
implementing kludges (en masse) to serve a common need.
Chris
--
Chris Messina
Open Web Advocate
Personal: <a class="moz-txt-link-freetext" href="http://factoryjoe.com">http://factoryjoe.com</a>
Follow me on Twitter: <a class="moz-txt-link-freetext" href="http://twitter.com/chrismessina">http://twitter.com/chrismessina</a>
Citizen Agency: <a class="moz-txt-link-freetext" href="http://citizenagency.com">http://citizenagency.com</a>
Diso Project: <a class="moz-txt-link-freetext" href="http://diso-project.org">http://diso-project.org</a>
</pre>
<pre wrap="">OpenID Foundation: <a class="moz-txt-link-freetext" href="http://openid.net">http://openid.net</a>
</pre>
<br>
This email is: [ ] bloggable [X] ask first [ ] private<br>
<br>
<br>
_______________________________________________<br>
specs mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
<br>
</blockquote>
<pre wrap="">
--
Nat Sakimura (=nat)
<a class="moz-txt-link-freetext" href="http://www.sakimura.org/en/">http://www.sakimura.org/en/</a>
</pre>
</blockquote>
<pre wrap=""><!---->
</pre>
</blockquote>
<br>
</body>
</html>