We need to enhance the OpenID spec so that active clients can work. Discovering that the user has navigated to an RP and might want to log in is not standardized right now.
-- Dick On 2009-12-14, at 11:23 AM, John Bradley wrote: We currently have two different openID selectors making the rounds. One from MS for IE and one from Higgins. At the NIH iTrust event last week we demoed both selectors and received a good response. The two selectors use slightly different approaches. The MS one is using a object tag and the Higgins one is looking for a link to XRD/S meta-data. They both use unsolicited positive assertions. The ICAM profile for openID allows for that. (Whoever wrote that profile must have known something:) MS has indicated that if there is enough interest in the idea they will add it to there existing platform. If people want it send in your cards and letters to MS. While a smart client is required to provide ease of use with privacy, we can't loose sight of having a good RP hosted experience. Unfortunately that will always be subject to phishing attacks and a limitation on the OP who can have one click buttons in the UI. John B. On 2009-12-14, at 3:52 PM, Drummond Reed wrote: I just want to reinforce the point that there are serious privacy issues (not to mention security issues) with an RP being able to discovery the OPs a user uses (let alone the OPs the user is currently logged in with) without the user opting in to grant permission to the RP to know that. I know it's not very helpful to say, "This problem is much more easily solved - without any of the attendant privacy risks - with an active client", but based on my experience (folks like the Liberty Alliance tried to solve this problem for three years to no avail), it may just be than an active client is the place to focus time/attention. After IIW it appears it's inevitable that its coming, and probably built directly into the browser itself. =Drummond On Mon, Dec 14, 2009 at 9:52 AM, Dirk Balfanz <[email protected]<mailto:[email protected]>> wrote: Breno just forwarded this thread to me. Bizarrely, even though I'm subscribed to specs, I never get a single message from that list. Anyway - what we demonstrated at IIW was a simple "broadcasting" of who your OP is. The RP would just do a JSONP call to a central discovery service (which would carry the user's cookies for that service with it), and the discovery service would reply with a list of OPs. As Andrew points out there are privacy issues with this approach that make it infeasible - you would either have to tell the central discovery service about your OPs, our you don't. In the former case, the identity of the OPs would be revealed to any RP that asks. Which is not good enough. So our current thinking is to access-control this per-RP. The central discovery service would somehow know which RPs you're using (or at least which RPs you're willing to tell it about). Then, when one of those whitelisted RPs asks about your OPs (and only then), the discovery service will respond with the list of your OPs. I'd say it's still up in the air whether this can be made seamless enough so that average users can handle it. It would work for Google Apps (with Google playing the role of the central discovery service), but I'm not quite sure what it would look like in general. As for the can-my-mother-log-in scenario: I believe the percentage of users that are already logged into their OP when they visit an RP is way above 90% in the case where that OP is something like Google. Dirk. On Mon, Dec 14, 2009 at 8:59 AM, Breno de Medeiros <[email protected]<mailto:[email protected]>> wrote: ---------- Forwarded message ---------- From: Andrew Arnott <[email protected]<mailto:[email protected]>> Date: Mon, Dec 14, 2009 at 7:22 AM Subject: Re: Google Apps availability broadcasting To: Santosh Rajan <[email protected]<mailto:[email protected]>> Cc: specs <[email protected]<mailto:[email protected]>> I'm a bit concerned about the privacy aspect, but I'm sure regardless of the future spec that OPs will be smart about giving the user the option to "advertise" their login status at an OP to an untrusted RP. As I recall the way Google resolved the privacy concern is actually giving each domain admin the option to advertise or not to RPs. A standard addition to the protocol would be interesting, to be sure. However, it doesn't make as much sense out of the context of Google Apps, since that's the only host that represents very many OP endpoints, which is what makes it interesting for the RP to poll with the question "hey, which OPs is the user logged into?" >From a UI standpoint, even if it were possible for the RP to meaningfully ask the question (of someone) "what are all the OPs the user is logged into?", I'm dubious about the value of an RP doing so. It wouldn't pass the "my mom can login" test if she revisited an RP, and couldn't login because her "Google" button was missing. It wouldn't occur to her that she has to go to Google herself and log in there before she can log into the RP. Some OPs do that today (like Verisign), by refusing to log a user in as part of the OpenID flow, but it's not very user-friendly -- and that's when Verisign appears at the RP in the first place. Just my 2 cents. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre On Mon, Dec 14, 2009 at 7:09 AM, Santosh Rajan <[email protected]<mailto:[email protected]>> wrote: > > I agree with Andrew, and I think every OP must do the same. Or maybe we add > that to the protocol. > > On Mon, Dec 14, 2009 at 8:17 PM, Andrew Arnott > <[email protected]<mailto:[email protected]>> wrote: >> >> Nope, that's not it either. What I'm thinking of is an aid to pure login UI >> -- nothing to do with OAuth. And again, Google is supplying the list of >> Google Apps domains the user is logged into -- not the RP asking for each >> specific domain. >> -- >> Andrew Arnott >> "I [may] not agree with what you have to say, but I'll defend to the death >> your right to say it." - S. G. Tallentyre >> >> >> On Mon, Dec 14, 2009 at 6:32 AM, Chris Obdam >> <[email protected]<mailto:[email protected]>> wrote: >>> >>> > The solution Dirk/Breno spoke of (as I recall) was a single URL that >>> > would return all google apps for domains the user is logged into. >>> Ok, clear. Is this the one? >>> > openid.ext2.scope - (required) List of URLs identifying the Google >>> > service(s) to be accessed. See documentation for the services of interest >>> > to get scopes must be space-delimited and properly escaped. This >>> > parameter is not defined in the OAuth standards; it is a Google-specific >>> > parameter. >>> >>> Cheers, >>> >>> Chris Obdam >>> Stichting OpenID NL (Dutch OpenID foundation) >>> >>> > -- >>> > Andrew Arnott >>> > "I [may] not agree with what you have to say, but I'll defend to the >>> > death your right to say it." - S. G. Tallentyre >>> > >>> > >>> > On Mon, Dec 14, 2009 at 6:14 AM, Chris Obdam >>> > <[email protected]<mailto:[email protected]>> wrote: >>> > Andrew, >>> > >>> > That sounds a lot like de openid.ui.x-has-session variable David >>> > mentioned earlier today? >>> > >>> > More info on >>> > http://svn.openid.net/repos/specifications/user_interface/1.0/trunk/openid-user-interface-extension-1_0.html >>> > and >>> > http://code.google.com/intl/nl-NL/apis/accounts/docs/OpenID.html >>> > >>> > Cheers, >>> > >>> > Chris Obdam >>> > Stichting OpenID NL (Dutch OpenID foundation) >>> > >>> > Op 14 dec 2009, om 14:54 heeft Andrew Arnott het volgende geschreven: >>> > >>> > > At IIW, Google mentioned that they are trying out a way for Google Apps >>> > > domains to advertise to RPs that the user is logged into them so that >>> > > RPs can show a "log into puffypoodles.com<http://puffypoodles.com/>" >>> > > option. Where can we find documentation on how that works? >>> > > >>> > > Thanks. >>> > > -- >>> > > Andrew Arnott >>> > > "I [may] not agree with what you have to say, but I'll defend to the >>> > > death your right to say it." - S. G. Tallentyre >>> > > _______________________________________________ >>> > > specs mailing list >>> > > [email protected]<mailto:[email protected]> >>> > > http://lists.openid.net/mailman/listinfo/openid-specs >>> > >>> > >>> >> >> >> _______________________________________________ >> specs mailing list >> [email protected]<mailto:[email protected]> >> http://lists.openid.net/mailman/listinfo/openid-specs >> > > > > -- > http://hi.im/santosh > > _______________________________________________ specs mailing list [email protected]<mailto:[email protected]> http://lists.openid.net/mailman/listinfo/openid-specs -- --Breno +1 (650) 214-1007 desk +1 (408) 212-0135 (Grand Central) MTV-41-3 : 383-A PST (GMT-8) / PDT(GMT-7) _______________________________________________ specs mailing list [email protected]<mailto:[email protected]> http://lists.openid.net/mailman/listinfo/openid-specs _______________________________________________ specs mailing list [email protected]<mailto:[email protected]> http://lists.openid.net/mailman/listinfo/openid-specs _______________________________________________ specs mailing list [email protected]<mailto:[email protected]> http://lists.openid.net/mailman/listinfo/openid-specs
_______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
