<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple style='word-wrap: break-word;
-webkit-nbsp-mode: space;-webkit-line-break: after-white-space'>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>John,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>What I did on my own server is, when I log in, I have a
check-box that asks whether I want to stay logged in all the time. If I
check that box, I return a cookie (over TLS) with a 30-day duration. When
I visit an OpenID-enabled site and enter my ID, I don’t get prompted for
a password. Rather, the browser passes the cookie (again over TLS) and
logs me in automatically. It also updates the TTL on the cookie. In
effect, I stay logged in all the time.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If I visit my OpenID URL, the server sees that I’m logged
in and puts a “log off” button on the page. I can click that
and the browser cookies get deleted and the server deletes the associated data.
This works pretty well as a means of logging off. However, one still has
to remember to log off from each application that might also utilize cookies to
keep you logged in. If web sites only used session cookies with a
relatively short TTL and OPs used cookies like I do, then clicking “log
off” on the user’s OpenID page and then closing the browser should
effectively serve as a log off for all applications.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>It does make use of “cookies” and some people feel
cookies are terribly evil, but for managing session state (i.e., associating
users with a browser), it seems to be a fairly reasonable solution – especially
if the cookies are secure. TLS provides that, though we need something
better for HTTP. I wrote a draft for that, but it’s not moved too
far in the IETF (yet):<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a
href="http://tools.ietf.org/html/draft-salgueiro-secure-state-management">http://tools.ietf.org/html/draft-salgueiro-secure-state-management</a><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Paul<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
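<p class=MsoNormal>Added example, not Paul's server code and not part of the original message: a minimal server-side store for the persistent-login cookie described above, with an opaque random token, a sliding 30-day TTL, Secure and HttpOnly cookie attributes, and a log-off that deletes the server-side record so a copy of the cookie is useless afterwards. The 90-day absolute cap, the cookie name oplogin, and the class and method names are assumptions.</p>
<pre>
```python
import secrets
import time

# Constructed example, not the code of the OP described in the post: an
# OpenID Provider that keeps "stay logged in" state server-side, keyed by a
# random cookie value, with a sliding 30-day TTL and a log-off that deletes
# both the cookie and the server-side record.
TTL_SECONDS = 30 * 24 * 3600      # the 30-day duration from the post
ABSOLUTE_MAX = 90 * 24 * 3600     # assumed cap so the sliding TTL cannot extend forever
COOKIE_NAME = "oplogin"           # assumed cookie name


class PersistentLoginStore:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.sessions = {}        # token -> {"user", "created", "expires"}

    @staticmethod
    def cookie_header(value, max_age):
        # Secure: the browser only sends it over TLS, as in the post.
        # HttpOnly: page script cannot read it, so XSS cannot simply copy it.
        return "Set-Cookie: %s=%s; Max-Age=%d; Secure; HttpOnly; Path=/" % (
            COOKIE_NAME, value, max_age)

    def issue(self, user):
        """Login with the 'stay logged in' box checked: returns (token, header)."""
        token = secrets.token_urlsafe(32)   # opaque: nothing in it to decode or forge
        t = self.now()
        self.sessions[token] = {"user": user, "created": t, "expires": t + TTL_SECONDS}
        return token, self.cookie_header(token, TTL_SECONDS)

    def resolve(self, token):
        """Map a presented cookie to a user and refresh its TTL, or return None."""
        rec = self.sessions.get(token)
        if rec is None:
            return None
        t = self.now()
        if t >= rec["expires"] or t - rec["created"] >= ABSOLUTE_MAX:
            del self.sessions[token]        # expired: same answer as an unknown cookie
            return None
        rec["expires"] = t + TTL_SECONDS    # "It also updates the TTL on the cookie."
        return rec["user"]

    def logoff(self, token):
        """The 'log off' button: drop the server-side data and expire the cookie."""
        self.sessions.pop(token, None)      # a stolen copy is now useless too
        return self.cookie_header("", 0)    # Max-Age=0 makes the browser delete it
```
</pre>
<p class=MsoNormal>Because the server-side record is the source of truth, a browser that never revisits the OpenID URL still loses access once the sliding TTL or the absolute cap runs out.</p>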
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
openid-specs-bounces@lists.openid.net
[mailto:openid-specs-bounces@lists.openid.net] <b>On Behalf Of </b>John Bradley<br>
<b>Sent:</b> Saturday, May 22, 2010 12:58 PM<br>
<b>To:</b> Dick Hardt<br>
<b>Cc:</b> OpenID Specs Mailing List<br>
<b>Subject:</b> Re: OpenID v.Next Core Protocol Charter<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Single logout is notoriously difficult to get correct.
SAML has never managed it. <o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>I support looking at it as an option or extension, but would
not want to hold up the core spec for it.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Other protocols have expended large amounts of time on it
without a solution that can be understood by the users properly.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>John B.<o:p></o:p></p>
<div>
<div>
<p class=MsoNormal>On 2010-05-22, at 8:47 AM, Dick Hardt wrote:<o:p></o:p></p>
</div>
<p class=MsoNormal><br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal>Great point Torsten. If there is interest in exploring
single logout, then it likely belongs in this WG.<o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Are others interested in exploring single logout?<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>-- Dick<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<div>
<p class=MsoNormal>On 2010-05-22, at 2:30 AM, Torsten Lodderstedt wrote:<o:p></o:p></p>
</div>
<p class=MsoNormal><br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal>Does this or another group consider incorporating some kind
of single logout support into OpenID?<br>
<br>
regards,<br>
Torsten.<br>
<br>
<br>
<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>At
IIW yesterday I held a session on bashing the OpenID v.Next Core Protocol
Charter. Below is the current draft. Comments and/or questions welcome. Anyone
interested in being a fellow proposer please let me know and I will add you.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>--
Dick<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>(a)
<i><u>Charter</u></i>.</b><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(i)</b>
<b>WG name:</b> OpenID v.Next Core Protocol.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(ii)</b>
<b>Purpose:</b> Produce a core protocol specification or family of
specifications for OpenID v.Next that address the limitations and drawbacks
present in OpenID 2.0 that limit OpenID’s applicability, adoption,
usability, privacy, and security. Specific goals are:<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:0in;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'>
</span>define message flows and verification methods,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:0in;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'>
</span>enable support for controlled release of attributes,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:0in;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'>
</span>enable aggregation of attributes from multiple verifiable sources,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:0in;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'>
</span>enable support for a spectrum of clients, including passive clients per
current usage, thin active clients, and active clients with OP functionality,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:0in;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'>
</span>enable authentication to and use of attributes by non-browser
applications,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:0in;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'>
</span>enable the use of public key technology to enhance scalability and
performance,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:0in;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'>
</span>enable optimized protocol flows combining authentication, attribute
release, and resource authorization,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:0in;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'>
</span>define profiles and support features intended to enable OpenID to be
used at levels of assurance higher than NIST SP800-63 v2 level 1,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:0in;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'>
</span>define an extension mechanism,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:0in;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'>
</span>ensure the use of OpenID on mobile devices,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:0in;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'>
</span>ensure the use of OpenID on existing browsers with URL length
restrictions,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:0in;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'>
</span>complement OAuth 2.0,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:0in;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'>
</span>minimize migration effort from OpenID 2.0,<o:p></o:p></p>
<p class=MsoListParagraph style='mso-margin-top-alt:0in;margin-right:0in;
margin-bottom:2.0pt;margin-left:45.0pt;text-indent:-.25in'><span
style='font-family:Symbol'>·</span><span style='font-size:7.0pt'>
</span>seamlessly integrate with and complement the other OpenID v.Next
specifications.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'>
Compatibility with OpenID 2.0 is an explicit non-goal for this work.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(iii)</b>
<b>Scope:</b> Produce a next generation OpenID core protocol
specification or specifications, consistent with the purpose statement.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(iv)</b>
<b>Proposed List of Specifications</b>: OpenID v.Next Core Protocol and
possibly related specifications.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(v)</b>
<b>Anticipated audience or users of the work:</b> Implementers of OpenID
Providers, Relying Parties, Active Clients, and non-browser applications
utilizing OpenID.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(vi)</b>
<b>Language in which the WG will conduct business</b>: English.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(vii)</b>
<b>Method of work: </b>E-mail discussions on the working group mailing
list, working group conference calls, and face-to-face meetings at the Internet
Identity Workshop and OpenID summits.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(viii)</b>
<b>Basis for determining when the work of the WG is completed:</b> Work
will not be deemed to be complete until there is a consensus that the resulting
protocol specification or family of specifications fulfills the working group
goals. Additional proposed changes beyond that initial consensus will be
evaluated on the basis of whether they increase or decrease consensus within
the working group. The work will be completed once it is apparent that
maximal consensus on the draft has been achieved, consistent with the purpose
and scope.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>(b)
<i><u>Background Information</u></i>.</b><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(i)</b>
<b>Related work being done in other WGs or organizations</b>: OpenID
Authentication 2.0 and related specifications, including Attribute Exchange (AX),
Contract Exchange (CX), Provider Authentication Policy Extension (PAPE), and
the draft User Interface (UI) Extension. OAuth, OAuth WRAP, and OAuth
2.0. OpenID Connect proposal. SAML 2.0 Core and SAML Authn Context.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(ii)</b>
<b>Proposers:</b> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
margin-left:.5in'>Dick Hardt, <a href="mailto:dick.hardt@gmail.com">dick.hardt@gmail.com</a>
(chair)<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
margin-left:.5in'>Michael B. Jones, <a href="mailto:mbj@microsoft.com">mbj@microsoft.com</a><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
margin-left:.5in'>Breno de Medeiros, <a href="mailto:breno@google.com">breno@google.com</a><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
margin-left:.5in'>Ashish Jain, <a href="mailto:Ashish.Jain@paypal.com">Ashish.Jain@paypal.com</a><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
margin-left:.5in'>George Fletcher, <a href="mailto:gffletch@aol.com">gffletch@aol.com</a><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:
2.0pt;margin-left:.5in;text-indent:-27.0pt'><b>(iii)</b>
<b>Anticipated Contributions</b>: None.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p>
<pre><o:p> </o:p></pre><pre>_______________________________________________<o:p></o:p></pre><pre>specs mailing list<o:p></o:p></pre><pre><a
href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><o:p></o:p></pre><pre><a
href="http://lists.openid.net/mailman/listinfo/openid-specs">http://lists.openid.net/mailman/listinfo/openid-specs</a><o:p></o:p></pre><pre> <o:p></o:p></pre>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>