<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
When it comes to delegation, it probably is the discovery service that
has to turn the user-supplied identifier into a persistent identifier.
Unfortunately, it is not done that way right now, and it is the
authentication service that does it. <br>
If we really need the delegation feature, this is one of the things that
we should probably be addressing as well. <br>
<br>
Please see also a series of blog entries: <br>
<br>
<a
href="http://us1.sakimura.org/en/search.php?query=Discovery&action=results">http://www.sakimura.org/en/search.php?query=Discovery&action=results</a><br>
<br>
Cheers, <br>
<br>
=nat<br>
<br>
(2010/05/24 10:56), Allen Tom wrote:
<blockquote cite="mid:C81F2AE3.30C7B%25atom@yahoo-inc.com" type="cite">
<title>Re: [OIDFSC] OpenID v.Next Discovery Working Group Proposal</title>
<font face="Calibri, Verdana, Helvetica, Arial"><span
style="font-size: 11pt;">Hi Johannes,<br>
<br>
There isn’t a document summarizing the deficiencies with OpenID 2.0
discovery – I think it would be very useful for the WG and for the
Community if we wrote this down.<br>
<br>
Off the top of my head, some of the problems are:<br>
<br>
</span></font>
<ul>
<li><font face="Calibri, Verdana, Helvetica, Arial"><span
style="font-size: 11pt;">Yadis discovery is very vague as to exactly
how the RP is supposed to fetch the OP’s discovery document. Should it
send the magic Accept header? Look for the X-XRDS-Location header in
the response? Do HTML discovery? In practice, many implementers have
had problems implementing discovery because there are too many ways to
do it
</span></font></li>
<li><font face="Calibri, Verdana, Helvetica, Arial"><span
style="font-size: 11pt;">Speaking of Yadis, the specs need to be
revised, and it’s unclear how to go about doing this
</span></font></li>
<li><font face="Calibri, Verdana, Helvetica, Arial"><span
style="font-size: 11pt;">Because a compromised discovery document can
result in the complete breakdown in OpenID security – it’s important
that we find ways to increase the security of discovery – perhaps it
can be signed? Moved into DNS?
</span></font></li>
<li><font face="Calibri, Verdana, Helvetica, Arial"><span
style="font-size: 11pt;">Discovery is hard to implement – the majority
of the code in OpenID libraries is to implement discovery. We can
probably simplify discovery to require less code to implement
</span></font></li>
<li><font face="Calibri, Verdana, Helvetica, Arial"><span
style="font-size: 11pt;">Delegation is a really useful feature in
OpenID – it was pretty straightforward in OpenID 1.1, but is very
confusing (to say the least) in OpenID 2.0 – we can probably do
something in discovery to make delegation work better
</span></font></li>
<li><font face="Calibri, Verdana, Helvetica, Arial"><span
style="font-size: 11pt;">The infamous NASCAR problem could possibly be
helped by discovery
</span></font></li>
<li><font face="Calibri, Verdana, Helvetica, Arial"><span
style="font-size: 11pt;">The infamous phishing problem could also
possibly be helped by discovery
</span></font></li>
<li><font face="Calibri, Verdana, Helvetica, Arial"><span
style="font-size: 11pt;">LRDD, host-meta, and webfinger are pretty
interesting – we should see how OpenID can leverage these new specs<br>
</span></font></li>
</ul>
<font face="Calibri, Verdana, Helvetica, Arial"><span
style="font-size: 11pt;"><br>
I’m sure that there are more issues with OpenID 2.0 discovery. Anyone
else want to take a stab at it?<br>
<br>
Allen<br>
<br>
<br>
On 5/21/10 7:55 PM, "Johannes Ernst" &lt;<a moz-do-not-send="true"
href="jernst+openid.net@netmesh.us">jernst+openid.net@netmesh.us</a>&gt;
wrote:<br>
<br>
</span></font>
<blockquote><font face="Calibri, Verdana, Helvetica, Arial"><span
style="font-size: 11pt;">On May 21, 2010, at 19:28, Allen Tom wrote:<br>
<br>
</span></font>
<blockquote><font face="Calibri, Verdana, Helvetica, Arial"><span
style="font-size: 11pt;">... there’s universal consensus that the
existing OpenID 2.0 discovery mechanism is very deficient ...<br>
</span></font></blockquote>
<font face="Calibri, Verdana, Helvetica, Arial"><span
style="font-size: 11pt;"><br>
Is there a summary somewhere of this "universal consensus" of
deficiencies?<br>
<br>
Thanks,<br>
<br>
<br>
</span></font><font face="Helvetica, Verdana, Arial"><span
style="font-size: 12pt;">Johannes Ernst<br>
NetMesh Inc.<br>
<br>
</span></font><font face="Calibri, Verdana, Helvetica, Arial"><span
style="font-size: 11pt;"><br>
<br>
<br>
</span></font></blockquote>
<pre wrap="">
_______________________________________________
specs mailing list
<a class="moz-txt-link-abbreviated" href="mailto:specs@lists.openid.net">specs@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs">http://lists.openid.net/mailman/listinfo/openid-specs</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Nat Sakimura (<a class="moz-txt-link-abbreviated" href="mailto:n-sakimura@nri.co.jp">n-sakimura@nri.co.jp</a>)
Nomura Research Institute, Ltd.
Tel:+81-3-6274-1412 Fax:+81-3-6274-1547
</pre>
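<p>Added example, not part of the original messages: a sketch of the branching that the Yadis item in Allen Tom's list describes, showing how one fetch can resolve through the X-XRDS-Location header, an XRDS body, an HTML meta pointer or an OpenID 2.0 link element. The names <code>classify</code>, <code>HeadScan</code> and <code>SAMPLES</code>, the host op.example and the precedence order are assumptions made for illustration.</p>

```python
from html.parser import HTMLParser

XRDS_TYPE = "application/xrds+xml"
REQUEST_HEADERS = {"Accept": XRDS_TYPE}  # the "magic Accept header" an RP sends

class HeadScan(HTMLParser):
    """Collect the Yadis <meta> pointer and OpenID 2.0 <link rel> elements."""
    def __init__(self):
        super().__init__()
        self.xrds_location = None
        self.links = {}
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "x-xrds-location":
            self.xrds_location = a.get("content")
        elif tag == "link":
            for rel in a.get("rel", "").lower().split():
                if rel.startswith("openid2."):
                    self.links[rel] = a.get("href")

def classify(headers, body):
    """Name the discovery path a response triggers (order here is an assumption)."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-xrds-location" in h:
        return ("header", h["x-xrds-location"])
    if h.get("content-type", "").split(";")[0].strip().lower() == XRDS_TYPE:
        return ("xrds-body", body)
    scan = HeadScan()
    scan.feed(body)
    if scan.xrds_location:
        return ("html-meta", scan.xrds_location)
    if "openid2.provider" in scan.links:
        return ("html-link", scan.links["openid2.provider"])
    return ("none", None)

# Constructed sample responses (op.example is a placeholder host).
HTML = {"Content-Type": "text/html"}
SAMPLES = [
    ({**HTML, "X-XRDS-Location": "https://op.example/xrds"}, "<html></html>"),
    ({"Content-Type": XRDS_TYPE + "; charset=utf-8"}, "<XRDS></XRDS>"),
    (HTML, '<html><head><meta http-equiv="X-XRDS-Location" '
           'content="https://op.example/xrds"></head></html>'),
    (HTML, '<html><head><link rel="openid2.provider" '
           'href="https://op.example/auth"></head></html>'),
    (HTML, "<html><body>no discovery data</body></html>"),
]

def paths():
    """Return the discovery path chosen for each constructed sample, in order."""
    return [classify(h, b)[0] for h, b in SAMPLES]
```

<p>Whichever branch wins decides which endpoint the RP ends up trusting, so two libraries that order these checks differently can disagree about the same response.</p>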
</body>
</html>