Re: OPs to advertise support for OpenID extensions via the extension's type URI

2009-07-22 Thread Allen Tom
+1 Allen Breno de Medeiros wrote: I agree with Andrew on this suggestion. I don't think the UI WG proceeded differently for any particular reason, except that no such convention existed and we were not aware of side-effects previously. Regardless of interoperability issues with existing libr

Clarification needed in PAPE spec

2009-06-17 Thread Allen Tom
Another ambiguous parameter is the openid.pape.preferred_auth_policies request parameter in section 5.1. The first sentence in Section 5.1 says that all the request parameters are mandatory (MUST be included), however the description openid.pape.preferred_auth_policies says that zero policies

Typo in the PAPE spec?

2009-06-17 Thread Allen Tom
Hi All, In Section 5.1 of the PAPE Spec, there's a request parameter defined called openid.pape.preferred_auth_level_types however the example in the same section calls it openid.pape.preferred_auth_levels Which one is it? Thanks ___ spec

Re: OAuth Hybrid and UI ML?

2009-06-15 Thread Allen Tom
igned contribution agreements before posting, I can make the list itself. --David On Jun 11, 2009, at 6:21 PM, Allen Tom wrote: Hi Nat, How does one create a mailing list? At least with regards to the OpenID UI WG, we're just mailing each other directly. Allen Nat Sakimura wrote: Hi. I

Re: OAuth Hybrid and UI ML?

2009-06-11 Thread Allen Tom
Hi Nat, How does one create a mailing list? At least with regards to the OpenID UI WG, we're just mailing each other directly. Allen Nat Sakimura wrote: Hi. I just found out that the Mailing list for OAuth Hybrid WG and UI WG are not listed on http://openid.net/mailman/listinfo/ .

Re: [OpenID] Signing method for XRD

2009-06-11 Thread Allen Tom
+1 John Panzer wrote: So, +1 for the simplest form of signing that could possibly work. ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs

Re: [OpenID] Signing method for XRD

2009-06-10 Thread Allen Tom
Hi Nat, Generating signatures is tricky, and XMLDSig is trickier than most. That being said, there are libraries that do it, and they do seem to work. First of all, I'd be happier to see something other than XML, but if XML has already been decided on, then I would not mind seeing something

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

2009-06-09 Thread Allen Tom
avid Fuelling <sappe...@gmail.com> Date: June 9, 2009 10:07:20 AM PDT To: Allen Tom <a...@yahoo-inc.com> Cc: secur...@openid.net, gene...@openid.net Subject: Re: [security] OpenID Security Best Practi

Re: Some suggestions about Open Id AX profile

2009-06-02 Thread Allen Tom
Hi David, There has been a lot of discussion about adding Attribute Metadata to AX 2.0, and this is within the charter of the proposed AX 2.0 Working Group. http://wiki.openid.net/OpenID_Attribute_Exchange_Extension_2_0 One of the primary use cases driving this is to enable an OP to describe

Re: SREG's Privacy Policy URL

2009-06-02 Thread Allen Tom
The XRD spec is solidifying but is not 100% stable. I think we should have a discovery option regardless of whether we update UX or AX. So I'd like to see a proposal for XRDS and then when XRD is available, supporting that.

Re: SREG's Privacy Policy URL

2009-06-02 Thread Allen Tom
XRD is available, supporting that. Thanks, George Allen Tom wrote: Hi Luke, Yes, this is what we're looking for. Currently, in OpenID, the only way for the RP to link to its privacy policy (which is sort of like linking to its ToS) is by passing it in the openid.sreg.policy_url param

SREG's Privacy Policy URL

2009-06-02 Thread Allen Tom
Hi All, The Simple Registration Extension provides an interface for the RP to pass the OP a link to the RP's privacy policy in the authentication request. According to the SREG spec, OPs SHOULD display this URL to the End User if it is given. http://openid.net/specs/openid-simple-registratio

Re: Does OAuth security vulnerability affect OpenID/OAuth hybrid?

2009-05-13 Thread Allen Tom
n't have a reasonable OAuth token authorizing scenario and block it. So I agree it's good to call it out in the spec. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre On Tue, May 12,

Re: Requiring Pseudonymous Identifier

2009-05-13 Thread Allen Tom
I don't think it makes sense to use an AX attribute for the pseudonymous identifier, since assertion will still contain the correlatable OpenID identifier. It seems that the OP should return a unique RP-specific OpenID in the response. Breno's idea about using an identifier-less request is int
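Added example of the OP-side approach Allen sketches above (return a unique RP-specific OpenID rather than tagging the correlatable one with an AX attribute). This is not code from the thread, from any OpenID library or from Yahoo's OP; the secret, the identifier base URL, the in-memory table and the choice to bind the identifier to the realm's host (wildcard collapsed) are assumptions.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed OP-wide secret. In a real OP this is a long-lived key kept out
# of the user database: rotating it changes every user's RP-specific ID.
OP_PAIRWISE_SECRET = b"constructed-secret-do-not-use"
OP_BASE = "https://op.example/pairwise/"

# Constructed persistence: pairwise identifier -> (internal user id, realm key).
# The OP must be able to answer discovery and authentication for the
# identifiers it hands out, so the mapping has to be stored or reversible.
_PAIRWISE_TABLE = {}


def realm_key(realm: str) -> str:
    """Reduce an OpenID realm to the value the identifier is bound to.

    The wildcard form "https://*.example.com/" collapses to its base host so
    every subdomain of one RP sees the same identifier, while any other realm
    gets a different one. Scheme and path are dropped on purpose; assumption:
    the OP has already checked return_to against the realm.
    """
    host = (urlsplit(realm).hostname or "").lower()
    if host.startswith("*."):
        host = host[2:]
    return host


def pairwise_identifier(user_id: str, realm: str) -> str:
    """Derive a stable OpenID for user_id that is unique to this realm.

    HMAC over (user, realm) keeps the value unguessable and unlinkable across
    RPs without the OP having to store a random value per (user, RP) pair.
    """
    key = realm_key(realm)
    msg = user_id.encode() + b"\x00" + key.encode()
    digest = hmac.new(OP_PAIRWISE_SECRET, msg, hashlib.sha256).hexdigest()
    ident = OP_BASE + digest[:32]
    _PAIRWISE_TABLE[ident] = (user_id, key)
    return ident


def resolve(ident: str):
    """OP side: map an RP-specific identifier back to the internal user, or
    None if the OP never issued it."""
    return _PAIRWISE_TABLE.get(ident)


if __name__ == "__main__":
    print(pairwise_identifier("alice", "https://photos.example/"))
    print(pairwise_identifier("alice", "https://news.example/"))
```

The assertion's openid.claimed_id and openid.identity would carry the derived URL; the RP then performs discovery on it, which is why the OP must keep the table (or an equivalent reversible mapping) rather than treating the HMAC as fire-and-forget.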

Re: Identifier for group of individuals

2009-05-13 Thread Allen Tom
The intent of the fragment was to allow OPs to recycle OpenIDs, and the fragment is intended to be a "generation identifier" that RPs can use to determine that the OpenID was recycled. Allen Andrew Arnott wrote: From the spec
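An added example of how an RP could act on the "generation identifier" fragment described above: the RP keys its accounts on the full Claimed Identifier, fragment included, and treats the same base identifier with a different (or missing) fragment as a recycled identifier that must not be logged in as the old account. This is not code from the thread or from any OpenID library; the account table is constructed and the conservative handling of a missing fragment is a policy choice.

```python
from urllib.parse import urldefrag

# Constructed RP account table: full claimed identifier as asserted by the OP
# (fragment included) -> local account name.
ACCOUNTS = {
    "https://op.example/id/alice#gen1": "alice-local",
    "https://op.example/id/bob": "bob-local",
}


def lookup_account(claimed_id: str):
    """Map a verified openid.claimed_id to a local account.

    claimed_id must come from an assertion whose signature, nonce and
    return_to have already been checked. Returns one of:
      ("match", account)     exact identifier, fragment included, is known
      ("recycled", account)  same identifier, different generation: the OP has
                             reassigned it, so the stored account belongs to a
                             previous owner and must NOT be logged in
      ("new", None)          never seen before
    Policy choice: a missing fragment where one was stored (or vice versa) is
    also treated as a different generation rather than silently matched.
    """
    if claimed_id in ACCOUNTS:
        return "match", ACCOUNTS[claimed_id]
    base, _fragment = urldefrag(claimed_id)
    for stored, account in ACCOUNTS.items():
        if urldefrag(stored).url == base:
            return "recycled", account
    return "new", None


def link_account(claimed_id: str, account: str) -> None:
    """Store the identifier exactly as asserted so later comparisons see
    the fragment."""
    ACCOUNTS[claimed_id] = account


if __name__ == "__main__":
    for cid in ("https://op.example/id/alice#gen1",
                "https://op.example/id/alice#gen2",
                "https://op.example/id/carol#gen1"):
        print(cid, "->", lookup_account(cid))
```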

Re: Does OAuth security vulnerability affect OpenID/OAuth hybrid?

2009-05-13 Thread Allen Tom
_ From: Andrew Arnott To: Allen Tom Cc: Luke Shepard; OpenID Specs Mailing List Sent: Wed May 13 17:05:00 2009 Subject: Re: Does OAuth security vulnerability affect OpenID/OAuth hybrid? I would expect a decent OP to consider that it goes without saying that checkid_immediate wouldn't have a r

Re: Does OAuth security vulnerability affect OpenID/OAuth hybrid?

2009-05-12 Thread Allen Tom
but I just want to make sure I'm clear on the issues. On 5/12/09 9:48 PM, "Allen Tom" wrote: Hi Nat, Here you go: http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html We might need to revise the spec to not support c

Re: Most current version of OpenID / OAuth hybrid spec draft?

2009-05-12 Thread Allen Tom
Hi Nat, Here you go: http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html We might need to revise the spec to not support checkid_immediate for the Hybrid flow, because auto-issuing OAuth access tokens is probably a bad thing, in light of the recent O

Re: Defining how OpenID should behave with fragments in the return_to url

2009-03-26 Thread Allen Tom
hat Yahoo! is currently supporting this just fine? What are you "fixing"? Dirk. On Tue, Mar 24, 2009 at 2:16 PM, Allen Tom <a...@yahoo-inc.com> wrote: Hi Luke, I have to confess that I was not aware of the technique of passing parameters after the fragment to ta

Re: Defining how OpenID should behave with fragments in the return_to url

2009-03-24 Thread Allen Tom
Hi Luke, I have to confess that I was not aware of the technique of passing parameters after the fragment to take advantage of browser caching, until you blogged about it. Since then, we've noticed that developers have been doing this, and in fact, we fixed the same bug on our OAuth service just
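The bug class behind this thread, as an added example (not code from the thread, from Yahoo's OP or from any OpenID library): an OP that builds the response by string-concatenating "&openid.mode=..." onto return_to puts the parameters after any "#fragment", so the browser never sends them to the RP. The fix is to rebuild the URL with the response fields in the query component and the fragment kept last. The return_to URL and the response fields below are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qsl


def naive_append(return_to: str, params: dict) -> str:
    """The buggy pattern: glue the response onto the end of the string.

    If return_to carries a fragment, the parameters land after the '#'
    and stay in the browser; the RP's server-side handler never sees them.
    """
    sep = "&" if "?" in return_to else "?"
    return return_to + sep + urlencode(params)


def append_openid_response(return_to: str, params: dict) -> str:
    """Add OpenID response fields to the query component of return_to,
    keeping the RP's existing query parameters and putting the fragment
    back at the very end where it belongs."""
    parts = urlsplit(return_to)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.extend(sorted(params.items()))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def params_seen_by_rp(url: str) -> dict:
    """What the RP's server actually receives: the query component only.
    Anything after '#' is never sent over the wire."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


# Constructed response fields; a real id_res carries more (sig, nonce, ...).
RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
}

if __name__ == "__main__":
    rt = "https://rp.example/login/return?app=1#/after-login"
    print(params_seen_by_rp(naive_append(rt, RESPONSE)))
    print(params_seen_by_rp(append_openid_response(rt, RESPONSE)))
```

The RP-side verification that openid.return_to in the response matches the URL the response arrived at is unchanged by this; the point here is only that the OP must treat return_to as a URL with components, not as an opaque prefix string.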

Re: Request to consider creation of the User Interface Work Group

2009-02-20 Thread Allen Tom
itment to deploy OpenID worldwide. (I might be a bit biased) Allen Allen Tom wrote: Hi Specs Council, Please consider the attached proposal to form the User Interface Work Group. http://wiki.openid.net/OpenID-User-Interface-Work-Group-Proposal Charter Proposal In accordance with

Request to consider creation of the User Interface Work Group

2009-02-20 Thread Allen Tom
e activity The OpenID User Interface Extension 1.0 final draft is completed. Proposers * Allen Tom, a...@yahoo-inc.com, Yahoo! * Brian Ellin, br...@janrain.com, Janrain * David Recordon, da...@sixapart.com, Six Apart * Chris Messina, ch...@citizenagency.com, Vidoop/Di

Re: Suggested scoping for AX 2.0 WG

2009-02-03 Thread Allen Tom
Hi Dick, I'll be happy to add language to the revised SREG spec to strongly encourage all new deployments to use AX and to NOT use SREG, however, given the current popularity of SREG, I think it's a good idea to clarify and modernize it a bit. Speaking on behalf of Yahoo, once we have a usab

Re: OpenID Mobile Profile?

2009-02-02 Thread Allen Tom
Hi Nat, OpenID has a huge opportunity in the mobile market, because logging in/registering is at least an order of magnitude more painful on a handset than on a standard desktop browser. Even with my iPhone, logging in is terrible, and I can't think of a single time I've bothered to register.

Re: Request for consideration of AX 2.0 Working Group Charter Proposal

2009-01-27 Thread Allen Tom
I agree with Martin. I believe that AX is the correct solution in the long run, but given that there appears to be more SREG implementations currently in the wild, we should update it to make it useful for sites that want to use it. The other factor is that our lawyers feel very strongly that

Re: Request for consideration of AX 2.0 Working Group Charter Proposal

2009-01-27 Thread Allen Tom
Breno - I've updated the WG Charter to include patching SREG to include avatar image and info about the quality of the user's email address. I also updated the charter to mention that AX will be updated to allow RPs to pass a link to their privacy policy. http://openid.pbwiki.com/OpenID_Att

Re: Request for consideration of AX 2.0 Working Group Charter Proposal

2009-01-25 Thread Allen Tom
t; wrote: > > Hey Everyone > > I dropped off the planet for a bit moving and getting my world setup. Have > > missed all the email threads on this. > > What have I missed out on? :-) > > I plan on participating heavy in the AX 2.0 spec myself. &g

Re: CX proposal update

2009-01-22 Thread Allen Tom
ittle more than merely defining another set of attributes. =...@tokyo via iPhone On 2009/01/23, at 5:43, Allen Tom <a...@yahoo-inc.com> wrote: Hi Nat, Can you define the term "contract"? Is it legally binding? It is just a signed set of attributes? Who are the

Re: CX proposal update

2009-01-22 Thread Allen Tom
Hi Nat, Can you define the term "contract"? Is it legally binding? It is just a signed set of attributes? Who are the parties involved with signing the contract? The RP, OP, and user? Instead of defining a new CX extension, would it just be sufficient to define new attributes using AX? Would

Re: Request for consideration of AX 2.0 Working Group Charter Proposal

2008-12-23 Thread Allen Tom
I believe that one of the goals of AX 2.0 should be to maintain backwards compatibility with AX 1.0 whenever possible. Allen Mike Jones wrote: > Can you add a clear statement to the draft charter that implementations > already using AX 1.0 will remain compatible with the output of this working >

Re: Request for consideration of Working Group Charter Proposal

2008-12-23 Thread Allen Tom
enility feels like. On Fri, Dec 19, 2008 at 12:39 PM, Allen Tom <a...@yahoo-inc.com> wrote: > +1, but I don't know who this Tom Allen is. > > Allen > > > Breno de Medeiros wrote: >> >> Attribute Exchange (1.0), and

Re: Request for consideration of Working Group Charter Proposal

2008-12-19 Thread Allen Tom
+1, but I don't know who this Tom Allen is. Allen Breno de Medeiros wrote: > > Attribute Exchange (1.0), and Simple Registration. > II. Initial Membership > > * Tom Allen, a...@yahoo-inc.com. Yahoo! Inc (editor) > * Mike Graves, mgra...@janrain.com, JanRain, Inc. > * Dick Hardt, d...

Re: What is the status of AX 2.0 WG proposal?

2008-12-19 Thread Allen Tom
The in person chat was very productive, and I expect to move forward with this proposal after the holidays. Allen Dick Hardt wrote: I've been busy with other things. :-) I had an in person chat with Allen Tom, Eran and Breno about what they were thinking of. There was some discussion o

Re: Completing the SREG 1.1 specification

2008-12-04 Thread Allen Tom
r would like to provide. > > I agree that the strength of SREG is its constrained fields. These > two additions would allow ALOT of value to the spec, however, if they > were to be considered. > > -Sam > > On Dec 2, 2008, at 3:41 PM, Allen Tom wrote: > >> Yah

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-12-03 Thread Allen Tom
Martin Atkins wrote: > There's also the need to have something to point at as what the user > trusted, so that other applications can't piggy-back off the trust of a > popular app. > > Hi Martin, The OAuth access token is the credential that is issued to the instance of the application that

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-12-03 Thread Allen Tom
Hi Martin, The intent is to be able to identify applications which were not deliberately designed to be malicious. Well designed malicious apps would piggy back off of another app's CK or just cycle through a list of CKs to evade detection. However, there have been occasions where legitimate a

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-12-02 Thread Allen Tom
apps anyway, I would volunteer that the most sensible thing is to have empty consumer keys in that case (and warn users that we can't vouch for the origin of the request). On Tue, Dec 2, 2008 at 4:37 PM, Allen Tom <[EMAIL PROTECTED]> wrote: Dirk Balfanz wrote: On Tue, Nov 25, 200

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-12-02 Thread Allen Tom
Dirk Balfanz wrote: On Tue, Nov 25, 2008 at 7:17 PM, Allen Tom <[EMAIL PROTECTED]> wrote: In Section 10, and perhaps also in Section 12, the spec should mention that because the hybrid protocol does not have a request token secret, and beca

Re: Completing the SREG 1.1 specification

2008-12-02 Thread Allen Tom
Yahoo is currently testing SREG, and we'd like to see the 1.1 SREG draft updated to clarify any ambiguities before we're done testing. We'd also like to see the schema updated to include the user's profile pic. We decided to build support for SREG before AX because SREG seems to be more widely

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-11-25 Thread Allen Tom
Some more feedback: The first sentence in the Abstract should say "describes" instead of "describe." The phrase "OpenID OAuth Extension" is not consistently capitalized in the spec. For instance, it's capitalized in the first sentence in section 3, but "extension" is lowercase in section 4.

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-11-21 Thread Allen Tom
A couple of minor edits are needed to Section 12: Security Considerations. I assume that the response_token in Section 12 is the same as the request_token in Section 9. The terminology needs to be consistent. "Is" should be changed to "are" in the phrase "The following security principles is refle

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-11-21 Thread Allen Tom
allowed values can be the same as the values defined in the ProblemReporting extension. http://oauth.pbwiki.com/ProblemReporting Allen Dirk Balfanz wrote: On Wed, Nov 19, 2008 at 2:31 PM, Allen Tom <[EMAIL PROTECTED]> wrote: Since the new hybri

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-11-19 Thread Allen Tom
Since the new hybrid draft spec doesn't affect the OpenID association method, this is moot. However, the spec should mention what SPs should do if the CK is invalid (or doesn't match the realm) in the OpenID authentication request. Presumably, the SP should continue servicing the OpenID portio

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-11-19 Thread Allen Tom
Hi Martin, Not sure why you say that requiring pre-registration and having an open stack are mutually exclusive. Are you saying that there's no benefit for service providers to provide a standard interface to developers? Allen Martin Atkins wrote: > Allen Tom wrote: >> >&g

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-11-18 Thread Allen Tom
Dirk Balfanz wrote: > Ok, new spec is up: > http://step2.googlecode.com/svn/spec/openid_oauth_extension/drafts/0/openid_oauth_extension.html > > > Hi Dirk, It doesn't look like the hybrid spec changes the OpenID association mechanism, so you should not mention the association mechanism in the

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-11-18 Thread Allen Tom
Manger, James H wrote: > Ideally, an app would attempt to access a protected resource at an SP and get: > * A 401 Unauthenticated response from the SP; with > * A “WWW-Authenticate: OAuth” header; with > * A parameter providing the authorization URL; and > * Another parameter with the OP URL (when

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-11-18 Thread Allen Tom
Dirk Balfanz wrote: > > Oh I see. Ok. I'll make a new revision of the spec where I add a > required parameter (the consumer key) to the auth request. > Cool, thanks! > What should the spec recommend the OP should do if the consumer key > and realm don't match? Return a cancel? Return something e

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-11-17 Thread Allen Tom
Sadly, because the OpenID authentication request is not signed, the CK can't be authenticated, but as you pointed out, although the user may authorize the application, the CK secret is still required to fetch the credentials. The worst that could happen is that a user will authorize an impostor

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-11-17 Thread Allen Tom
Dirk Balfanz wrote: > > So, again, the proposal seems to be to embed a hint to the consumer > key into the association request (which will then be threaded through > the association handle into the auth request). This doesn't buy us any > additional security, it just hints at what scope the cons

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-11-13 Thread Allen Tom
In the future, we might update our OAuth service to allow developers to pass us the scope dynamically, rather than binding the scope to the CK. However, we'd still probably require developers to agree to a TOS in order to get a CK/CS. I'm concerned about having to tell developers to pass the CK

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-11-13 Thread Allen Tom
Adding OAuth signature methods, including RSA-SHA1, to OpenID 2.1 is supposed to happen. It is probably not a good idea to return RSA keys via association requests for unregistered consumers though. Allen Breno de Medeiros wrote: 2008/11/13 Allen Tom <[EMAIL PROTECTED]>:

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-11-13 Thread Allen Tom
the user is falsely represented based solely on the realm in that circumstance. Sent from a mobile device. On Nov 13, 2008, at 4:58 PM, Dirk Balfanz <[EMAIL PROTECTED]> wrote: On Thu, Nov 13, 2008 at 1:45 PM, Allen Tom <[EMAIL PR

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-11-13 Thread Allen Tom
Dirk Balfanz wrote: > > I don't think this is true - I believe the realm is sufficient. Let me > try and explain. (We'll assume registered consumers.) On the approval > page, we need to identify the consumer. In its current form, the spec > basically assumes that you're gonna use the realm for t
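A worked version of the check debated in the consumer-key messages above (the OP cannot authenticate the consumer key because the OpenID request is unsigned; what it can verify is that return_to sits inside the realm the key was registered for, and on a mismatch or unknown key it can still service the OpenID portion while dropping the OAuth portion). This is an added example, not code from the hybrid spec or from Yahoo's or Google's implementations; the consumer registry, the realm strings, the openid.oauth.consumer parameter name and the treatment of a mismatch as "OpenID only" are assumptions, and the realm check is a simplified reading of OpenID 2.0 realm matching.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed consumer registry: consumer key -> realm the developer
# registered when they agreed to the TOS and received the key/secret pair.
CONSUMERS = {
    "ck_photoprint": "https://photoprint.example/",
    "ck_mobile": "https://*.mobileapp.example/",
}


def _host_matches(realm_host: str, host: str) -> bool:
    """"*.example.com" covers example.com and every subdomain; any other
    realm host must be identical to the URL host."""
    if realm_host.startswith("*."):
        base = realm_host[2:]
        return host == base or host.endswith("." + base)
    return realm_host == host


def url_within_realm(realm: str, url: str) -> bool:
    """Simplified OpenID 2.0 realm check: same scheme and explicit port,
    matching host (wildcard allowed), realm path is a prefix of URL path."""
    r, u = urlsplit(realm), urlsplit(url)
    if r.scheme != u.scheme or r.port != u.port:
        return False
    if not _host_matches((r.hostname or "").lower(), (u.hostname or "").lower()):
        return False
    return (u.path or "/").startswith(r.path or "/")


@dataclass
class Decision:
    serve_openid: bool   # run the normal OpenID login/approval flow
    serve_oauth: bool    # also issue an OAuth request token for this consumer
    shown_as: str        # what the approval page names as the requester
    reason: str


def triage_hybrid_request(req: dict) -> Decision:
    """Decide how an OP treats a checkid_setup request that may carry a
    consumer key (assumed parameter name: openid.oauth.consumer).

    The key is only a claim, so the OP binds it to the one thing it can
    check: return_to must fall inside the realm registered for that key.
    An impostor presenting someone else's key from its own realm gets a
    plain OpenID login, shown under its own realm, and no OAuth token; and
    without the consumer secret it could not exchange one anyway.
    """
    return_to = req.get("openid.return_to", "")
    realm = req.get("openid.realm") or return_to
    if not return_to or not url_within_realm(realm, return_to):
        return Decision(False, False, realm, "return_to not inside openid.realm")
    ck = req.get("openid.oauth.consumer")
    if ck is None:
        return Decision(True, False, realm, "plain OpenID request")
    registered = CONSUMERS.get(ck)
    if registered is None:
        return Decision(True, False, realm, "unknown consumer key, OAuth part dropped")
    if not url_within_realm(registered, return_to):
        return Decision(True, False, realm,
                        "consumer key registered for another realm, OAuth part dropped")
    return Decision(True, True, registered, "consumer key and realm agree")


if __name__ == "__main__":
    print(triage_hybrid_request({
        "openid.return_to": "https://evil.example/cb",
        "openid.realm": "https://evil.example/",
        "openid.oauth.consumer": "ck_photoprint",
    }))
```

The residual risk Allen names remains: a user can still be talked into approving an impostor that shows up under its own (verified) realm; the check only prevents the impostor from borrowing a registered consumer's name and scope on the approval page.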

OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

2008-11-13 Thread Allen Tom
EMAIL PROTECTED], Google - Joseph Smarr, [EMAIL PROTECTED], Plaxo - Yariv Adan, [EMAIL PROTECTED], Google - Allen Tom, [EMAIL PROTECTED], Yahoo -

Re: Login Federation

2008-02-19 Thread Allen Tom
expires_in only specifies the lifetime of an association handle. There's no parameter that indicates the lifetime of an authentication response. Allen Martin Paljak wrote: On Feb 18, 2008, at 5:11 PM, McGovern, James F (HTSC, IT) wrote: Likewise, I would think that for automatic signon, i

Re: Realm spoofing spec patch

2007-05-29 Thread Allen Tom
. Anyway, I don't think there's any pressing need to change the association request interface at this time. Thanks! Allen > Allen, > > On 5/29/07, Allen Tom <[EMAIL PROTECTED]> wrote: > > From an implementation perspective, it might make sense for the OP to > >

RE: Realm spoofing spec patch

2007-05-29 Thread Allen Tom
Josh - thanks for writing this up! David - Many OPs may choose not to let their users log in to RPs that can't be verified. For instance, in the case where a large corporation like Sun issues their employees OpenIDs, the corporation may want to be very selective as to which RPs they let their emp

Re: Proposal for Recycling Identifiers in OpenID 2.0

2007-05-14 Thread Allen Tom
Hi Dick, I'm very glad to see that we're making progress in resolving the OpenID recycling issue. It would seem to make sense to embed the fragment into the document referenced by the OpenID, however in the interest of keeping the OP discovery implementation simple and robust, I'd be in favor of