Anyone here noodling how to integrate the emerging OASIS CARML/AAPML
specifications into OpenID?
This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential and/or privileged
The Hartford chapter will be broadcasting its meeting tomorrow. There
will be a discussion from Mary Ruddy of Higgins. Register here:
https://www2.gotomeeting.com/register/566470294
-Original Message-
From: Peter Watkins [mailto:pet...@tux.org]
Sent: Friday, February 06, 2009 8:29 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: OpenID Security
>> What do you mean, "the" implementation? There is no "the" implementation
From: Darren Bounds
Subject: Re: OpenID Security
To: "McGovern, James F (HTSC, IT)"
Cc: specs@openid.net
Message-ID:
<26563eca0902051248o446aa21br23aeb19f743ae...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
I do not believe OWASP presently does any a
Subject: Re: OpenID Security
To: "McGovern, James F (HTSC, IT)"
Cc: specs@openid.net
Message-ID:
Content-Type: text/plain; charset=ISO-8859-1
Yeah. Fortify is nice. I do not know what would be the licensing terms
now, but before, it used to have a "traveling" kind of license
OpenID certainly has security features but are all the libraries out
there written to secure coding practices? Wouldn't it be great if all
the library creators could have their code reviewed for security
defects? Check out http://owasp.fortify.com/
rance customers to participate as well...
From: Nat Sakimura [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 04, 2008 7:40 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: P&C Insurance Carriers
That sounds interesting.
We have some member co
I am attempting to put together a discussion amongst "employees" of P&C
insurance carriers to discuss scenarios for using OpenID for independent
insurance agents. Does anyone on this list know of employees at carriers
that have an understanding at a technical level regarding OpenID?
NOTE: I am not
I am interested in setting up a discussion with employees of insurance
carriers on adopting OpenID and would appreciate if you know of others,
that you ask them to drop me a note. I do want to avoid turning this
type of activity into a vendor sales lead pipeline though...
Figured I would ask a somewhat offtopic question to see if anyone has
thoughts. I am currently project leader for OWASP Certification Project
(http://www.owasp.org/index.php/Category:OWASP_Certification_Project)
which has on its roadmap, certification questions around identity.
What types of thing
This would require defining an OpenID SRV record in DNS. Would make
sense for someone to get this formally defined as part of IETF. Could
kinda be done in the same way that Boeing is moving forward definition
of XRI in LDAP..
-Original Message-
Message: 1
Date: Mon, 07 Apr 2008 18:56:57
Does anyone have a perspective on Yahoo and AOL and their weak support
for OpenID? It is good that they are a provider, but shouldn't they
really also allow access based on an OpenID issued by signon.com,
myvidoop.com and others...
Out on the Wiki is a discussion on creating a WS-Security profile to
support OpenID. Is anyone planning on taking this further?
Is there merit in having a third-party group such as OWASP
(http://www.owasp.org) provide a third-party opinion that is public on
the security of OpenID? Having large entities market OpenID will help
spread the word even faster.
-Original Message-
From: Paul Madsen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 26, 2008 1:23 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: OpenID 3.0
in a B2B case, would not the insurance agency be the OP, and its
identity carried through the relevant assertion fields?
As Mas
Sent: Tuesday, February 26, 2008 10:14 AM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: OWASP
James,
Considering that the majority of the individuals and organizations that
have created the OpenID libraries do not have access to vast sums of
cash to pay for these applications
I would be curious to know if the implementers of the various OpenID
libraries have used tools such as Ounce Labs (www.ouncelabs.com),
Coverity (www.coverity.com) and others to ensure that the OWASP Top Ten
(www.owasp.org) doesn't occur?
From: NISHITANI Masaki [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 26, 2008 1:10 AM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: OpenID 3.0
Let me confirm a point.
On #1, do you mean to enforce OpenID to control the identity-holders are
permitted to access what kind of
party how long to
leave an otherwise idle session open before timing it out. Not sure if
this would require an extension or not.
-Original Message-
From: Brett Carter [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 10:09 PM
To: McGovern, James F (HTSC, IT)
Subject: Re: Login
Wouldn't this take the user out of the middle? I would think this would
be bad at some level.
--
Message: 1
Date: Thu, 14 Feb 2008 19:31:40 -0800
From: Brett Carter <[EMAIL PROTECTED]>
Subject: Login Federation
To: specs@openid.net
> If it turns out that some particular feature absolutely can't be done
> without making a new Authentication spec release then so be it, but
> ideally I think we want 2.0 to be stable for many years to come to
> avoid repeating all of the current pain of incompatible versions and
> the poor
I'm not sure what there would be to say in the spec about this: SQL
injection is not part of the standard, but rather a feature of some
implementations :)
[JFM] I agree that many of the ways that have been implemented to date
are insecure and that many of the implementors would be well served by
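The point made above, that injection is a property of an implementation rather than of the OpenID protocol, is easy to see in the one place an RP library almost always touches SQL: the association store, keyed by the assoc_handle that comes back in the OP's response over the user's browser. The following is an added example, not code from this thread or from any OpenID library; the table layout, the hypothetical RP lookup functions and the sample handles are constructed for illustration.

```python
"""Added example (not from the thread): SQL injection as an implementation
property of an OpenID RP, shown on a hypothetical association store.

An RP keeps associations (handle -> MAC key) in SQL and looks one up by
the assoc_handle echoed back in the OP's positive assertion. That handle
rides in the redirect URL, so it is attacker-influenced input. Uses an
in-memory sqlite database with constructed sample rows; the MAC keys are
placeholders, not real key material.
"""
import sqlite3
from typing import Optional, Tuple


def make_store() -> sqlite3.Connection:
    """Constructed sample association table for the hypothetical RP."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE associations ("
        "  handle TEXT PRIMARY KEY,"
        "  op_endpoint TEXT NOT NULL,"
        "  mac_key BLOB NOT NULL)"
    )
    db.executemany(
        "INSERT INTO associations VALUES (?, ?, ?)",
        [
            ("{HMAC-SHA1}{4c9a}{a1}", "https://op.example/auth", b"\x00" * 20),
            ("{HMAC-SHA1}{4c9b}{b2}", "https://other-op.example/auth", b"\x11" * 20),
        ],
    )
    return db


def lookup_vulnerable(db: sqlite3.Connection, op_endpoint: str,
                      handle: str) -> Optional[Tuple[str, bytes]]:
    """The 'some implementations' case: the handle is spliced into the SQL.

    Deliberately vulnerable; kept only for contrast with lookup_safe().
    """
    sql = (
        "SELECT handle, mac_key FROM associations "
        f"WHERE op_endpoint = '{op_endpoint}' AND handle = '{handle}'"
    )
    row = db.execute(sql).fetchone()
    return (row[0], row[1]) if row else None


def lookup_safe(db: sqlite3.Connection, op_endpoint: str,
                handle: str) -> Optional[Tuple[str, bytes]]:
    """Same lookup with bound parameters: the handle can only ever be data."""
    row = db.execute(
        "SELECT handle, mac_key FROM associations "
        "WHERE op_endpoint = ? AND handle = ?",
        (op_endpoint, handle),
    ).fetchone()
    return (row[0], row[1]) if row else None


# Constructed hostile assoc_handle. In the vulnerable query it closes the
# string literal and turns the WHERE clause into
#   (op_endpoint = '...' AND handle = 'x') OR '1'='1'
# which matches every row, including associations with a different OP.
HOSTILE_HANDLE = "x' OR '1'='1"


def demo() -> Tuple[bool, bool]:
    """Returns (vulnerable lookup leaked a row, safe lookup correctly missed).

    The OP endpoint used here was never associated with, so a correct
    lookup must return nothing for it regardless of the handle.
    """
    db = make_store()
    unknown_op = "https://unknown-op.example/auth"
    leaked = lookup_vulnerable(db, unknown_op, HOSTILE_HANDLE) is not None
    blocked = lookup_safe(db, unknown_op, HOSTILE_HANDLE) is None
    return leaked, blocked


if __name__ == "__main__":
    print("vulnerable leaked a foreign association:", demo()[0])
    print("parameterized lookup returned nothing:", demo()[1])
```

The consequence of the leak is worse than a read: whichever association the injected query happens to return is the MAC key the RP will use to verify the assertion's signature, so an attacker who controls the handle has steered signature verification onto a key of their choosing. The parameterized version is the whole fix; nothing in the protocol needed to change.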
Figured I would ask if anyone is interested in brainstorming the next
version of OpenID and how it can be used in Enterprise B2B settings and
not solely focusing on consumerish interactions. Some things that I
would like to see in the next version are:
1. A discussion on how AuthZ can converge wit
Is there merit in also defining other aspects such as how the OP would
store history in LDAP by defining new ObjectClass?
software should work
in enterprise settings while minimizing configuration regardless of how
easy it is.
-Original Message-
From: Schleiff, Marty [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 8:17 PM
To: Johannes Ernst; specs@openid.net
Cc: McGovern, James F (HTSC, IT); Drummond
that ...
perhaps a separate 1-page "standard"?
On Jan 24, 2008, at 7:02, McGovern, James F (HTSC, IT) wrote:
> For CardSpace, MS and other providers store it in the SeeAlso
> attribute. Figured OpenID in the next rev of the spec should talk more
> about implementation de
=Drummond
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of McGovern, James F (HTSC, IT)
> Sent: Wednesday, January 23, 2008 1:47 PM
> To: specs@openid.net
> Subject: Integration with Enterprise Directory Services
>
What is the standard recommendation for how identifiers get stored in
enterprise directory services (e.g. LDAP)?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Bill Washburn
Sent: Tuesday, December 11, 2007 1:27 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: XACML
Hi James--
Thanks for your note. The OpenID community, made up
OpenID 2.0 seems to have closed major security gaps and is usable in a
consumer context. Are there plans to figure out how to add functionality
to the next version of OpenID to support more enterprise considerations
including support for XACML, modeling of relationships, attestation, etc
or is the
Currently OpenID 2.0 is targeted for supporting consumer-oriented
interactions. I would love to develop a sense as to when/if members of
OpenID have any interest in sketching out B2B interactions where not
only identity is important but also assertion of authorization
information at runtime via XA
Recently saw a demo of Vidoop and think their approach rocks. Was
curious if there is an opportunity to express an authentication strength
and style as an attribute to be consumed by the relying party.
Been silently observing many of the email exchanges over the last couple of
weeks and from an end-customer perspective I am somewhat concerned. Some of the
general themes I have observed are:
1. Too much focus on breaking compatibility with OpenID 1.1. While you have had
some success, now is th
I have been thinking that the best contribution I could make to OpenID would be
the first enterprise that deploys OpenID into production. OpenID needs more
press than it is receiving and by showing that a large Fortune enterprise is
using it would be a big win. I do however have one constraint in t
So, what will it take to move the mentioned vendors from simply being "aware"
to actively participating?
-Original Message-
From: Dick Hardt [mailto:[EMAIL PROTECTED]
Sent: Sunday, April 08, 2007 2:48 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re:
In thinking about this, wouldn't it be interesting if the RP could return a URL
that the selector could callback on? Of course this would be optional.
Sent: Friday, April 06, 2007 2:25 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: Logout
That might be hard from a usability perspective, and in my experience, the
underlying user requirement tends to be a variation of "I am about to go to
lunc
-Original Message-
From: Johannes Ernst [mailto:[EMAIL PROTECTED]
Sent: Friday, April 06, 2007 12:29 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: Logout
So far, neither OpenID nor CardSpace define the notion of a session, so no
common logout is possible within the sta
VeriSign's Consumer Authentication Service authenticates customers by using
real-time automation processes in combination with unique interactive question.
Once consumers are properly authenticated by CAS, enterprises can be assured of
their identity, and they can
execute secure business transac
Curious question that someone asked that I didn't know the answer to.
OpenID/Cardspace allow for easy SSO into web sites. How does one perform the
equivalent logout from an Identity Selector?
Are you saying that the large vendors aren't participating because OpenID
forces too many things to be open? Having large companies on-board will
accelerate adoption and whatever the impediments to this happening should be of
higher priority than discussion around specifications.
Are there special considerations for either relying parties when they may be
protected by Web Access Management products? For example, if I initially sign
onto a web site using OpenID, I still will need for the Web Access Management
product to create a secure cookie that contains a session ident
Sent: Thursday, April 05, 2007 1:05 PM
To: Dick Hardt
Cc: McGovern, James F (HTSC, IT); specs@openid.net
Subject: Re: Web Access Management
> Ping demoed OpenID technology at RSA.
>
> I hear Novell and IBM are looking at supporting OpenID.
>
> Microsoft has said they wil
I believe that specifying an arbitrary time is the better way to go as
it puts the work into the hands of the user. Otherwise, you would go
down a rathole in that a provider otherwise may then require the ability
to express a policy against it.
Message: 6
Date: Thu, 05 Apr 2007 09:16:20 -0700
I would think this would be better solved by leveraging the Oracle
Identity Framework and using components such as AAPML and CARML
Message: 3
Date: Thu, 5 Apr 2007 10:57:22 +
From: Vinay Gupta <[EMAIL PROTECTED]>
Subject: Re: Re[3]: Server-to-server channel
To: Chris Drake <[EMAIL PROTECTED]>
The term attestation has a distinct legal meaning but within an IT
context may be used interchangeably with the notion of certification or
periodic review. There are of course several levels of attestation. I
propose that minimally OpenID incorporate the first notion where someone
certifies you are
To: Drummond Reed; Dick Hardt; McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: RE: Features for Future Versions
I also agree with the feedback however I wanted to just pass along how I
am using authentication and authorization on a series of applications
that I am working on.
I have a
Cc: specs@openid.net
Subject: Re: Promoting OpenID
On 2-Apr-07, at 8:15 AM, McGovern, James F ((HTSC, IT)) wrote:
> Is anyone here working with vendors in the ERP, CRM, ECM, BPM or
> VRM spaces such that user-centric identity is built into their
> product?
We are wor
IBM
then I would be game to rally many of my industry peers to put some pressure...
-Original Message-
From: Dick Hardt [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 03, 2007 8:21 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: Web Access Management
Ping demoed
From: Recordon, David [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 03, 2007 3:18 PM
To: McGovern, James F (HTSC, IT); specs@openid.net
Subject: RE: Promoting OpenID
People might be, though nothing real formal that I personally know of.
You volunteering? :P
--David
-Original Message-
From: [EMAIL PROTECTED]
-Original Message-
From: Gabe Wachob [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 03, 2007 4:44 PM
To: 'Recordon, David'; McGovern, James F (HTSC, IT); specs@openid.net
Subject: RE: Promoting OpenID
More likely that the people promoting OpenID to large organizations are
vendo
As an end-user to user-centric approaches, I have noticed an interesting
pattern. Microsoft does a wonderful job of selling Cardspace as a solution to
others who develop in Microsoft languages. Likewise, there are tons of vendors
that can offer solutions for large enterprises to purchase but no
Unlike blog sites and Internet startups, many large enterprises have purchased
Web Access Management products such as Tivoli Access Manager, Netegrity
Siteminder, etc where authentication doesn't occur by embedding code into the
application. Is anyone directly working with any of the vendors in t
I originally joined this list with the hopes of injecting support for
relationships, authorization and attestation into the specification but have
been somewhat disappointed. I do have the following questions:
1. Will OpenID avoid incorporating features where identity selectors such as
Cardspac
May I argue that a secure end-to-end encrypted channel does not always equal
SSL? I know that PKI is pervasive, but wouldn't want to rule out the potential
of using identity-based encryption (IBE)...
Date: Wed, 28 Feb 2007 20:23:46 -0600
From: "Alaric Dailey" <[EMAIL PROTECTED]>
Subject: RE: HTT
correlated.
-Original Message-
From: Dick Hardt [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 25, 2007 4:43 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: Federated Authorization
On 25-Jan-07, at 1:36 PM, McGovern, James F ((HTSC, IT)) wrote:
Modify your scenario
Hopefully we can develop specifications which go deeper than just
matching/correlation of identity and attribute.
-Original Message-
From: Dick Hardt [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 18, 2007 7:16 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: Federated
Sent: Monday, January 22, 2007 3:19 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: Special Request: Client Certificates vs. OpenID
So I've been doing some asking around who might be interested in co-authoring
some kind of white paper on the subject of user-ce
/press_releases/2005/03/29/) where to look
at their problem space in 2007, would they have chosen client certificates.
-Original Message-
From: Alaric Dailey [mailto:[EMAIL PROTECTED]
Sent: Monday, January 22, 2007 2:02 PM
To: McGovern, James F (HTSC, IT); specs@openid.net
Subject: RE: Special
Last week I sent a note to the list inquiring whether anyone on this list
wanted to participate in our industry vertical standards body in hopes of
ratifying OpenID as an endorsed horizontal specification. In terms of
preparation, it would be greatly appreciated if Dick Hardt, Johannes Ernst and
Hopefully everyone is noodling the previously sent requirements on relationship
and will reply back with their own thoughts. In the meantime, I figured I would
also share the requirements for attestation:
* At the high level, there are two ways that attestation can work:
* The iden
The standards body for my vertical is ACORD (www.acord.org) and is where I
would like to get many of my industry peers to put together standards for
user-centric identity within an industry vertical context. Would be curious to
know who on this list would be interested in participating once I f
I would love to see folks here that also blog not only continue to discuss
federated identity but also consider over the course of several additional
postings also talking about the need for federated authorization. Consider an
example where a Doctor in a hospital is having an electronic interaction
I am looking for any generic whitepapers targeted at any vertical that outline
a business scenario (not the usual consumer-orientation) where user-centric
identity has either been deployed or at least discussed. Also would love to
know of situations in which user-centric identity displaced PKI b
Oracle also has a similar specification named CARML
(http://www.oracle.com/technology/tech/standards/idm/igf/pdf/IGF-CARML-spec-03.pdf)
which defines how applications define their attribute requirements as it
relates to identity. CARML can be used to automate configuration of identity
attribute
Curious if anyone here has read the AAPML specification from Oracle
(http://www.oracle.com/technology/tech/standards/idm/igf/pdf/IGF-AAPML-spec-08.pdf).
The goal is to allow attribute authorities to specify conditions under which
information under management may be used. This sounds like somethi
Hopefully, everyone had the opportunity to read the document I sent that outlines
the business scenario(s) we are interested in using OpenID for. Figured I would
start taking each theme and sharing requirements with the hope that others will
react.
The requirements for relationship are as follows:
Johannes invited me to lead the development of the specification for including
relationships and authorization as part of OpenID. I have the following
questions:
1. Would it be too distracting to have the conversation occur on this listserv
or should the admin establish another one?
2. I would