Re: Two Identifiers - no caching advantage

2006-10-22 Thread Martin Atkins
Dick Hardt wrote: On 21-Oct-06, at 10:52 PM, Josh Hoyt wrote: On 10/21/06, Dick Hardt [EMAIL PROTECTED] wrote: 2) the RP does not verify the binding between the portable identifier and the IdP-specific identifier in the response. to the one the attacker controls and the IdP has

Re: PROPOSAL: RP identifier

2006-10-22 Thread Dick Hardt
On 19-Oct-06, at 10:24 AM, Martin Atkins wrote: Dick Hardt wrote: Agreed that it is desirable to have multiple RP endpoints for an RP. Does openid.realm then uniquely identify an RP? i.e. no other RP will use the same Realm? I'd say that if two endpoints are within the same realm that

Re: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-10-22 Thread Dick Hardt
On 22-Oct-06, at 11:44 AM, Praveen Alavilli wrote: It's more of a problem with how we can accept 3rd party OpenId users at AOL (we as an RP). Obviously for simple use cases like leaving comments on blogs it wouldn't really matter as long as the user is identified by someone (and someone

RE: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-10-22 Thread Recordon, David
While I'd certainly agree that a goal is letting anyone set up an IdP and have it work on any RP, I see that as utopia. The protocol should certainly support that, as well as not do anything to actively thwart it. With that said, OpenID as a protocol can be used in cases where this may not be

RE: Two Identifiers - no caching advantage

2006-10-22 Thread Recordon, David
* Protocol has two distinct identifiers: public and IdP-local. Relying party manages delegation. IdP does not even know that the delegation has taken place and has no way to stop it happening [1]. RP now has to do more work, but identifier portability now comes for free. I'm much more in

Re: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-10-22 Thread Kaliya Hamlin
For starters please don't use Comic Sans in professional correspondence. It is very hard to read (or take seriously) http://bancomicsans.com/home.html On Oct 22, 2006, at 11:44 AM, Praveen Alavilli wrote: It's more of a problem with how we can accept 3rd party OpenId users at AOL (we as an RP).

Re: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-10-22 Thread George Fletcher
Dick Hardt wrote: What is different with OpenID vs email is that there is certainty that the user actually is the user. I'm a little confused. How is there certainty that the user actually is the user? The viability of the identifier representing the same user is dependent on the

Re: PROPOSAL: RP identifier

2006-10-22 Thread Dick Hardt
On 22-Oct-06, at 12:55 PM, Recordon, David wrote: In the case where there are two realms: http://*.livejournal.com http://dick.livejournal.com I would have my IdP treat them as separate relying parties. If the RP directly decided to set the realm differently, then I'd imagine the

Re: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-10-22 Thread Praveen Alavilli
[EMAIL PROTECTED] wrote: For starters please don't use Comic Sans in professional correspondence. It is very hard to read (or take seriously) http://bancomicsans.com/home.html On Oct 22, 2006, at 11:44 AM, Praveen Alavilli wrote: It's more of a problem with how we can

Re: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-10-22 Thread George Fletcher
Dick Hardt wrote: On 20-Oct-06, at 10:14 AM, George Fletcher wrote: Of course, my expectation is that this syntax would be optional; the user can always specify their full URI identifier. I agree that this kind of an identifier is not portable, but I'm guessing that most users wouldn't

Re: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-10-22 Thread Praveen Alavilli
[Please pardon me if I am spamming the spec mailing list with general comments/issues that might have been discussed before] It's not the problem of just making AOL users OpenId enabled, so they can access 3rd party RPs (use http://www.aol.com/loginId or http://aimpages.com/loginId or

Re: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-10-22 Thread Dick Hardt
On 22-Oct-06, at 5:05 PM, George Fletcher wrote: Dick Hardt wrote: What is different with OpenID vs email is that there is certainty that the user actually is the user. I'm a little confused. How is there certainty that the user actually is the user? The viability of the identifier

Re: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-10-22 Thread Dick Hardt
On 22-Oct-06, at 7:00 PM, George Fletcher wrote: Dick Hardt wrote: With OpenID, there is a presumption the user has selected a trustworthy IdP that will only present the user's identifiers when it really is the user. Doesn't this imply that both the user and RP have to know which IdP's

Re: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-10-22 Thread George Fletcher
Dick Hardt wrote: On 22-Oct-06, at 7:00 PM, George Fletcher wrote: Dick Hardt wrote: With OpenID, there is a presumption the user has selected a trustworthy IdP that will only present the user's identifiers when it really is the user. Doesn't this imply that both the user and RP

Re: [PROPOSAL] Handle http://[EMAIL PROTECTED] Style Identifiers

2006-10-22 Thread Dick Hardt
On 22-Oct-06, at 9:04 PM, George Fletcher wrote: Dick Hardt wrote: On 22-Oct-06, at 7:00 PM, George Fletcher wrote: Dick Hardt wrote: With OpenID, there is a presumption the user has selected a trustworthy IdP that will only present the user's identifiers when it really is the

Re: [VOTE] Portable Identifier Support Proposal (patch)

2006-10-22 Thread Dick Hardt
-1 for these reasons: Complexity: There is no reason for the RP to be managing the binding between the IdP and the portable identifier. Both the IdP and the RP are verifying this. There is no extra security, and more things to go wrong in an implementation. Privacy: There is no reason for