Re: [VOTE] Portable Identifier Support Proposal (patch)
On 23-Oct-06, at 12:27 AM, Martin Atkins wrote:

> Dick Hardt wrote:
>>
>> Complexity: There is no reason for the RP to be managing the binding
>> between the IdP and the portable identifier. Both the IdP and the RP
>> are verifying this. There is no extra security, and more things to go
>> wrong in an implementation.
>>
>
> You keep stating that both the RP and the IdP are verifying this, but
> under 1.1 at least this is not the case: the RP verifies the delegation,
> and the IdP is completely unaware of it. There is no need for the IdP to
> verify the delegation, since the RP will only harm itself if it fails to
> verify the relationship correctly.

In the proposal, both the IdP and the RP verify. The IdP has to since the public identifier is now part of the message it is signing.

-- Dick

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
Re: [VOTE] Portable Identifier Support Proposal (patch)
Dick Hardt wrote:
>
> Complexity: There is no reason for the RP to be managing the binding
> between the IdP and the portable identifier. Both the IdP and the RP
> are verifying this. There is no extra security, and more things to go
> wrong in an implementation.
>

You keep stating that both the RP and the IdP are verifying this, but under 1.1 at least this is not the case: the RP verifies the delegation, and the IdP is completely unaware of it. There is no need for the IdP to verify the delegation, since the RP will only harm itself if it fails to verify the relationship correctly.
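The 1.1 arrangement Martin describes, as an added illustration that is not code from the thread or from any OpenID library: the RP alone checks the binding it discovered on the claimed identifier's page (openid.server, openid.delegate) against the IdP's signed assertion, and the IdP never sees that binding. An RP that skips step 1 would accept a validly signed assertion for some other account at the same IdP. The association table, secret, handle and URLs are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed association table: server endpoint -> (assoc_handle, shared secret).
ASSOCIATIONS = {"https://idp.example.net/openid": ("assoc-1", b"constructed-secret")}

def sign_fields(secret, fields, signed):
    """OpenID 1.1 signature: base64(HMAC-SHA1) over 'key:value' + newline per signed key."""
    token = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed.split(","))
    return base64.b64encode(hmac.new(secret, token.encode(), hashlib.sha1).digest()).decode()

def verify_delegated_assertion(discovery, assertion):
    """RP-side check; discovery is what the RP found on the claimed identifier's page."""
    expected_identity = discovery.get("delegate") or discovery["claimed_id"]
    # 1. The IdP-local identifier asserted must be the one the RP discovered.
    if assertion.get("openid.identity") != expected_identity:
        return False
    # 2. The identity field must actually be covered by the signature.
    signed = assertion.get("openid.signed", "")
    if "identity" not in signed.split(","):
        return False
    # 3. The signature must verify under the association with the *discovered* server,
    #    so an assertion from some other IdP cannot vouch for this identifier.
    assoc = ASSOCIATIONS.get(discovery["server"])
    if assoc is None or assoc[0] != assertion.get("openid.assoc_handle"):
        return False
    expected_sig = sign_fields(assoc[1], assertion, signed)
    return hmac.compare_digest(expected_sig, assertion.get("openid.sig", ""))

def demo():
    """Constructed data: alice's page delegates to her account at idp.example.net."""
    discovery = {"claimed_id": "https://alice.example.org/",
                 "delegate": "https://idp.example.net/users/alice",
                 "server": "https://idp.example.net/openid"}
    secret = ASSOCIATIONS[discovery["server"]][1]

    def assertion_for(identity):
        fields = {"openid.mode": "id_res", "openid.identity": identity,
                  "openid.return_to": "https://rp.example.com/finish",
                  "openid.assoc_handle": "assoc-1", "openid.signed": "mode,identity,return_to"}
        fields["openid.sig"] = sign_fields(secret, fields, fields["openid.signed"])
        return fields

    genuine = assertion_for("https://idp.example.net/users/alice")
    # Validly signed by the same IdP for a different account, presented for alice's
    # claimed identifier: the IdP is unaware of the delegation, so only step 1 catches it.
    mismatched = assertion_for("https://idp.example.net/users/bob")
    return verify_delegated_assertion(discovery, genuine), verify_delegated_assertion(discovery, mismatched)
```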
Re: [VOTE] Portable Identifier Support Proposal (patch)
-1 for these reasons:

Complexity: There is no reason for the RP to be managing the binding between the IdP and the portable identifier. Both the IdP and the RP are verifying this. There is no extra security, and more things to go wrong in an implementation.

Privacy: There is no reason for the RP to know I am using a portable identifier instead of one managed directly by the IdP.

I'm not sure we are all on the same page on requirements, so I will write up a little summary about that and some conclusions. I know many of you wish this issue was over, but we do need to do this one right.

-- Dick

On 20-Oct-06, at 10:33 PM, Recordon, David wrote:

> +1, though thinking we should define IdP-Specific Identifier and
> Portable Identifier in the terminology section.
>
> Thanks for doing this!
>
> --David
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Josh Hoyt
> Sent: Friday, October 20, 2006 7:31 PM
> To: specs@openid.net
> Subject: Portable Identifier Support Proposal (patch)
>
> As requested [1], I have made a patch to the specification [2] that
> specifies the "two-identifier" mechanism for portable identifier
> support. It's attached to this message. The net effect is adding one
> line to the source XML file.
>
> I hope this proves useful in evaluating the proposal.
>
> Josh
>
> 1. http://openid.net/pipermail/specs/2006-October/000478.html
> 2. http://openid.net/svn/listing.php?repname=specifications&rev=70&sc=1
>    (openid.net specifications svn trunk, revision 70)
RE: [VOTE] Portable Identifier Support Proposal (patch)
+1, though thinking we should define IdP-Specific Identifier and Portable Identifier in the terminology section.

Thanks for doing this!

--David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Josh Hoyt
Sent: Friday, October 20, 2006 7:31 PM
To: specs@openid.net
Subject: Portable Identifier Support Proposal (patch)

As requested [1], I have made a patch to the specification [2] that specifies the "two-identifier" mechanism for portable identifier support. It's attached to this message. The net effect is adding one line to the source XML file.

I hope this proves useful in evaluating the proposal.

Josh

1. http://openid.net/pipermail/specs/2006-October/000478.html
2. http://openid.net/svn/listing.php?repname=specifications&rev=70&sc=1 (openid.net specifications svn trunk, revision 70)