Re: RFC: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Boris Erdmann
If these four issues are resolved, can we call the OpenID 2.0 Authentication specification done? Speak up if you have any other show-stoppers. Josh Yesterday, Dmitry and I had a long talk about browser support for OpenID. I think it is consensus between us two to state, that there are lots

Re: RFC: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Don MacAskill
Josh Hoyt wrote: If these four issues are resolved, can we call the OpenID 2.0 Authentication specification done? Speak up if you have any other show-stoppers. Josh I hate to speak up last minute, but I was at a few tech conferences in the past month or two, and spoke with lots of

RE: RFC: Final outstanding issues with the OpenID 2.0 Authenticationspecification

2007-05-18 Thread Dmitry Shechtman
As a relative newcomer to the OpenID community, I realize this may have been debated endlessly already, and I may just be shouted down. It definitely has been debated endlessly. Or am I alone here? No, you aren't. There are many who agree with this entirely, some of whom have expressed their

RE: Proposal for improved security of association establishment in OpenID2.0

2007-05-18 Thread Guoping Liu
Hans: Thank you for your comments. I agree with you that not vulnerable to *this* man in the middle attack is more accurate. Regards, Guoping -Original Message- From: Granqvist, Hans [mailto:[EMAIL PROTECTED] Sent: Friday, May 18, 2007 10:14 AM To: Guoping Liu; OpenID specs list

Re: Final outstanding issues with the OpenID 2.0 Authenticationspecification

2007-05-18 Thread Marius Scurtescu
On 18-May-07, at 1:00 AM, Dmitry Shechtman wrote: 7.3.3. HTML-Based Discovery A LINK tag MUST be included with attributes rel set to openid2.provider and href set to an OP Endpoint URL A LINK tag MAY be included with attributes rel set to openid2.local_id and href set to the end

Re: Final outstanding issues with the OpenID 2.0Authenticationspecification

2007-05-18 Thread Marius Scurtescu
On 18-May-07, at 11:09 AM, Recordon, David wrote: Hey Marius, Good point, committed a patch so please review! :) http://openid.net/svn/diff.php?repname=specificationspath=% 2Fauthentica tion%2F2.0%2Ftrunk%2Fopenid-authentication.xmlrev=325sc=1 That was fast :-) Looks good, but I would add

Re: Final outstanding issues with the OpenID 2.0 Authenticationspecification

2007-05-18 Thread Josh Hoyt
On 5/18/07, Marius Scurtescu [EMAIL PROTECTED] wrote: On 18-May-07, at 1:00 AM, Dmitry Shechtman wrote: In order to be backwards compatible the HTML page should have two sets of tags one for OpenID 1.1 and one for OpenID 2.0, both pointing to the same OP endpoint URL. Otherwise an OpenID 1.1

Re: Final outstanding issues with the OpenID 2.0 Authenticationspecification

2007-05-18 Thread Marius Scurtescu
On 18-May-07, at 11:45 AM, Josh Hoyt wrote: On 5/18/07, Marius Scurtescu [EMAIL PROTECTED] wrote: On 18-May-07, at 1:00 AM, Dmitry Shechtman wrote: In order to be backwards compatible the HTML page should have two sets of tags one for OpenID 1.1 and one for OpenID 2.0, both pointing to the

Re: Final outstanding issues with the OpenID 2.0Authenticationspecification

2007-05-18 Thread Johnny Bufu
David, On 18-May-07, at 11:09 AM, Recordon, David wrote: Hey Marius, Good point, committed a patch so please review! :) On 18-May-07, at 11:08 AM, [EMAIL PROTECTED] wrote: + t + As discussed in the xref +target=compat_modeOpenID Authentication 1.1 +

Re: Final outstanding issues with the OpenID 2.0 Authenticationspecification

2007-05-18 Thread Josh Hoyt
On 5/18/07, Dmitry Shechtman [EMAIL PROTECTED] wrote: I'm sure that this will break a few implementations It certainly will break PHP-OpenID. Which implementation are you referring to as PHP-OpenID? Josh ___ specs mailing list specs@openid.net

Re: RFC: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Josh Hoyt
Don, On 5/18/07, Don MacAskill [EMAIL PROTECTED] wrote: My company, SmugMug, is an OpenID provider for hundreds of thousands of high value paying accounts, and will shortly be a consumer as well. I'll freely admit that I haven't fully digested 2.0's pre-spec, but at least part of that reason

Please clarify 2.0 TOC 14 -- Re: RFC: Final outstanding issues with the OpenID 2.0 Authentication specification

2007-05-18 Thread Boris Erdmann
If these four issues are resolved, can we call the OpenID 2.0 Authentication specification done? Speak up if you have any other show-stoppers. I'd like to know WHERE to publish the below mentioned XRDS Document in 2_0-11 TOC 14.

HTML discovery: SGML entities and charsets

2007-05-18 Thread Peter Watkins
7.3.3 in draft 11 says The openid2.provider and openid2.local_id URLs MUST NOT include entities other than amp;, lt;, gt;, and quot;. Other characters that would not be valid in the HTML document or that cannot be represented in the document's character encoding MUST be escaped using the

directed identity + HTML discovery: is this right?

2007-05-18 Thread Peter Watkins
So I'd like my employer (for discussion purposes, The Great Plumbers Association, http://plumbers.co) to act as an OpenID OP. I want all our plumber members to use the same OP URL for OpenID authentication, let's say https://id.plumbers.co/ So the RP doesn't try XRI Resolution, and Yadis fails

Re: directed identity + HTML discovery: is this right?

2007-05-18 Thread Johnny Bufu
On 18-May-07, at 2:19 PM, Peter Watkins wrote: [...] Would we put the OP-Local Identifier in both openid.claimed_id *and* openid.identity? The user/OP can choose to send the local_id as the claimed identifier, or any other claimed identifier that delegates to the local_id sent as