Re: Are the Discovery Components Done Enough?

2009-06-09 Thread David Fuelling
On Tue, Jun 9, 2009 at 9:19 PM, SitG Admin wrote: > There's a significant camp of people that believe this information should >> be included in DNS. There's also a significant group of people who believe >> it could be located an XRD file (or, "on the web"). >> > > What if the discovery document

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

2009-06-09 Thread David Fuelling
Great feedback. I took the liberty to add this to the "Discussion Points" on the wiki page. http://wiki.openid.net/OpenID-Discovery On Tue, Jun 9, 2009 at 8:43 PM, Allen Tom wrote: > My primary concern with changing OpenID Discovery is the upgrade path to > the new discovery mechanism. It took

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

2009-06-09 Thread David Fuelling
My bad -- I errantly thought you were advocating the opposite. On Tue, Jun 9, 2009 at 9:15 PM, Breno de Medeiros wrote: > And I agree with you. My view is that in the absence of an OpenID discovery > WG there will be _more_ uncertainty about future directions for the spec, > not less. > > __

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

2009-06-09 Thread David Fuelling
On Tue, Jun 9, 2009 at 7:09 PM, Breno de Medeiros wrote: > If we start the process to form a WG for discovery now, most likely the > process would only be completed in 6 months, even if there was considerable > agreement and stable technologies to draw from. > > Right now, there is quite a bit of

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

2009-06-09 Thread David Fuelling
On Tue, Jun 9, 2009 at 7:00 PM, Santosh Rajan wrote: > > We need to remember that XRD only addresses discovery for URL identifiers. This is not really true. The XRD document schema only demands that an identifier be a URI, both for the XRD document's "subject" (i.e., the canonical-id) and the X

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

2009-06-09 Thread David Fuelling
David, Great questions -- see my thoughts/opinions inline... david On Tue, Jun 9, 2009 at 6:36 PM, David Recordon wrote: > Hey David, I've been following some of the discovery work the past few > months, but don't have a clear picture if the various components are > actually solid enough to beg

OpenID 2.1 Discovery WorkingGroup?

2009-06-07 Thread David Fuelling
Hey All, There have been quite a few questions/issues raised concerning the next iteration of OpenID Discovery. I have tried (as best as I could) to document these on the "*OpenID 2.1 Discovery WG*" wiki page ( http://wiki.openid.net/OpenID-Discovery). Please feel free to add or edit if you thin

Re: Request for consideration of AX 2.0 Working Group Charter Proposal

2009-01-27 Thread David Fuelling
+1 On Tue, Jan 27, 2009 at 3:33 PM, Dick Hardt wrote: > I'd prefer to narrow the scope of the WG and keep it focussed on a small > number of goals. > > A separate WG on SREG would be preferred, but I think it is a disservice to > the community to have two specs having such significant overlap. >

Re: New OP-MultiAuth Draft Published

2009-01-19 Thread David Fuelling
ery 2.1. > > Or at minimum a naming scheme that hilites the commonality .. UAPE :-) > > paul > > David Fuelling wrote: > > For anyone interested, I've put out a 2nd draft of my OP-MultiAuth idea. I > think the first draft was pretty confusing, so hope

New OP-MultiAuth Draft Published

2009-01-18 Thread David Fuelling
For anyone interested, I've put out a 2nd draft of my OP-MultiAuth idea. I think the first draft was pretty confusing, so hopefully this clarifies things a bit more. Wiki Page: http://wiki.openid.net/OP-MultiAuth Actual Draft: http://wiki.openid.net/f/openid-provider-multiauth-extension-1_0-2.htm

CLARIFICATION: Is OpenID Discovery Optional?

2009-01-06 Thread David Fuelling
All, Wondering if anybody, especially the original OIDF Board and any contributors to the OpenID Auth 2.0 spec could comment on this question for me. *Is OpenID Discovery, as seen in section 7.3 of the Auth spec, optional? More specifically, is the information returned by discovery meant to be A

Re: [OpenID] DISCUSSION relating to OpenID Discovery 2.1

2008-12-31 Thread David Fuelling
On Tue, Dec 30, 2008 at 7:00 PM, Peter Williams wrote: > I gave up half way through my careful reply, as it was approaching > formatting-incomprehensible …to the poor reader trying to follow it, point by > inset counterpoint. > Yes, I encountered the same thing in my responses. :) > > > 1.is meta

Re: [OpenID] DISCUSSION relating to OpenID Discovery 2.1

2008-12-30 Thread David Fuelling
> metadata. > > > See above. I'm very confident that *if* Discovery is to be performed, then it must be done via one of the three paths in 7.3. I'm less confident about Discovery not being optional since the wording is unclear, but I think the intent was for Discovery to be non-opt

DISCUSSION relating to OpenID Discovery 2.1

2008-12-29 Thread David Fuelling
Not sure if this made it through to everyone due to the mail list malfunction, so resending just in case. david -- Forwarded message -- From: David Fuelling Date: Fri, Dec 26, 2008 at 6:58 PM Subject: DISCUSSION relating to OpenID Discovery 2.1 To: "specs@openid.net"

Re: Proposal to form Discovery Working Group

2008-12-27 Thread David Fuelling
On Thu, Dec 25, 2008 at 10:56 AM, Nat Sakimura wrote: > 2. Separation of OP into Discovery Service and Authentication Service. > In the current terminology, OP spans both Discovery Service and > Authentication Service. > We should be explicit about it. > > +1. I would like to see discovery ser

DISCUSSION relating to OpenID Discovery 2.1

2008-12-27 Thread David Fuelling
All, I'd like to propose that the following ideas be considered as discussion points in the OpenID 2.1 Discovery WG. I've updated the OpenID 2.1 Discovery WG wiki page to reflect these ideas, and have provided two very rough-draft proposals

Re: Use of Qworum for indirect communication

2008-12-15 Thread David Fuelling
Cool idea, although I wonder what benefit this would bring to OpenID auth? Seems like HTTP redirects and form submits work pretty well today. Would Qworum enable any sort of new features that aren't possible today because we're not using XML between RP/OP/User-agent? Thanks! david 2008/12/15 Do

Re: non-standard login mechanism

2008-11-17 Thread David Fuelling
Sounds like you're simply mapping a SL UUID to an OpenID, so my opinion would be "no, this does not break the spec", so long as the actual OpenID transaction utilizes the OpenID URL that you have on file in the DB. This is very similar to the other discussions going on regarding using an email add

Re: Proposing an OpenID Authentication 2.1 Working Group

2008-11-11 Thread David Fuelling
associations over HTTPS are > > required to also support associations using Diffie-Hellman encryption > > over HTTPS connections. > > - Exploratory work as defined below assuming the Working Group finds > > it feasible to do so. > > > > Exploratory Work: > > The WG

Re: [OpenID] OpenID Extension to handle Emails Addresses?

2008-10-30 Thread David Fuelling
On Thu, Oct 30, 2008 at 4:01 PM, Martin Atkins <[EMAIL PROTECTED]> wrote: > David Fuelling wrote: > >> >> I would even entertain the notion of the OpenID extension doing DNS lookup >> first, then EAUT, though I need to think more on the topic. Alternatively,

OpenID Extension to handle Emails Addresses?

2008-10-30 Thread David Fuelling
Wondering if it makes sense to talk about an OpenID Extension to handle email address, as opposed to changing the core spec? My thinking here is that EAUT could be used to solve much of this problem, but that an OpenID extension is required to add extra value. So, here's how I would see such an e

Re: OpenID Trusted Authentication Extension

2007-08-27 Thread David Fuelling
John, Have a look at OAuth (http://groups.google.com/group/oauth). I think it's currently a private google group, but it seems like you've given a lot of thought to this type of thing, so I'm sure the group owners would welcome your input. There's a lot of activity going on over there. David O

Re: OpenId as API authentication method

2007-07-31 Thread David Fuelling
What is OAuth? The group appears to be private, so is not accessible. david On 7/27/07, John Panzer <[EMAIL PROTECTED]> wrote: > > You should probably check out OAuth: > http://groups.google.com/group/oauth, and its draft > spec

Re: Do We Agree on the Problem We're Trying to Solve?

2007-06-11 Thread David Fuelling
On 6/11/07, Josh Hoyt <[EMAIL PROTECTED]> wrote: On 6/8/07, David Fuelling <[EMAIL PROTECTED]> wrote: > If in 50 years, a given canonical URL domain goes away, then couldn't a > given OpenId URL owner simply specify a new Canonical URL in his XRDS doc? If I unders

Re: Do We Agree on the Problem We're Trying to Solve?

2007-06-08 Thread David Fuelling
Assuming I understand things correctly, it seems like what we're calling a canonical URL in this thread is really a pseudo-canonical URL since a given OpenID's XRDS doc is what specifies the Canonical ID. If in 50 years, a given canonical URL domain goes away, then couldn't a given OpenId URL own

Re: Do We Agree on the Problem We're Trying to Solve?

2007-06-08 Thread David Fuelling
Wrt to the problems we're trying to solve, I think that we should define a (C) (which is similar to (A), yet instigated by the user and doesn't trigger an RP recycle) and a (D). In summary: A) Identifier recycling normally in large user-base deployments. i.e. needs a way to give 'TheBestUsern

Re: Questions about IIW Identifier Recycling Table

2007-06-07 Thread David Fuelling
Hey Josh, Thanks for your message and great points. See my thoughts/questions inline. On 6/7/07, Josh Hoyt < [EMAIL PROTECTED]> wrote: On 6/7/07, David Fuelling <[EMAIL PROTECTED]> wrote: > Over the last few days I've been thinking about your Identifier Recycling > p

Re: Questions about IIW Identifier Recycling Table

2007-06-07 Thread David Fuelling
Hey Johnny, Thanks for your clarifications and answers to my questions about [1]. Over the last few days I've been thinking about your Identifier Recycling proposal[2], in addition to other proposals (Tokens, etc). Assuming I understand things correctly, it seems as if a hybrid of the public/pr

Questions about IIW Identifier Recycling Table

2007-06-05 Thread David Fuelling
I wasn't at IIW, so please bear with me. In reference to the wiki at http://openid.net/wiki/index.php/IIW2007a/Identifier_Recycling, can somebody clarify what some of the terminology means? Specific questions are below. 1.) For URL+Fragment, what is the distinction between "private" and "public

What Should an OpenId Be? [WAS: RE: Proposal for Modularizing Auth 2.0 Discovery]

2007-02-28 Thread David Fuelling
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of Gabe Wachob > Sent: Wednesday, February 28, 2007 3:02 PM > To: 'Drummond Reed'; 'Martin Atkins'; specs@openid.net > Subject: Proposal for Modularizing Auth 2.0 Discovery > > > Basically, the Discovery

OpenId & Yadis Question

2007-02-25 Thread David Fuelling
I'm wondering if the following is a correct interpretation of how OpenId 2.0 uses Yadis. Any clarifications are appreciated. 1.) User navigates to an RP, and enters a Claimed Identifier (e.g., http://sappenin.gmail.com). 2.) A Yadis doc is returned as follows: http://specs.openid.net/auth/2.0/

RE: [OpenID] Wiki page: Attempting to document the "Email Address as OpenId" debate.

2007-02-11 Thread David Fuelling
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Claus Färber >> >> http://openid.net/wiki/index.php?title=Debating_Emails_as_OpenIds > > I'd prefer to call them [EMAIL PROTECTED] OpenIDs. The concept of using this > format is not only used for email

RE: [OpenID] FW: PROPOSAL: An Extension to transform an EMail Address to an OpenId URL

2007-02-10 Thread David Fuelling
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Eric Norman > > The other vital property of URL based schemes in addition to > resolvability > is that "ownership" can be confirmed. Email addresses are indeed > resolvable in the sense detailed here.

RE: [OpenID] FW: PROPOSAL: An Extension to transform an EMail Address to an OpenId URL

2007-02-10 Thread David Fuelling
> -Original Message- > From: Robert Yates [mailto:[EMAIL PROTECTED] > > 2) Why map the e-mail address to an openid url, which then has to be > further resolved to a Yadis document? Why not, instead, map straight > to a yadis doc and make e-mails full fledged openids. An openid is > nothin

Wiki page: Attempting to document the "Email Address as OpenId" debate.

2007-02-10 Thread David Fuelling
Hi List, In light of my recent extension proposal to map Email Addresses to OpenId URLs, I have set up a wiki page on openid.net that attempts to capture all the pro/cons/issues that have been shared in the debate over whether this is a good idea or not. http://openid.net/wiki/index.php?title=Deba

Yadis/XRDS Service Element URI Question

2007-02-10 Thread David Fuelling
Hey All, I'm working on a draft OpenId 2.0 extension [1] and am looking for guidance on how to define a Yadis Service Element that includes a URI Template (instead of a real URI). At first, I thought that the following would be ok: http://openid.net/srv/oeat/1.0/ett https://{username}.examp

RE: [OpenID] FW: PROPOSAL: An Extension to transform an EMail Address to an OpenId URL

2007-02-10 Thread David Fuelling
> -Original Message- > From: Robert Yates [mailto:[EMAIL PROTECTED] > > For what it's worth I think that this is excellent. Thanks for the positive feedback! >A couple of suggestions: > 1) You probably should take a look at the URI Template spec [1]. > These guys have done a lot of th

HTML-based discovery Question...

2007-02-08 Thread David Fuelling
Can anyone give me a brief overview of why HTML-Based Discovery is only allowed for Claimed Identifiers? I don't disagree with the spec here -- I'm just trying to understand things better. Thanks! David (Section 7.3.3): "HTML-Based discovery is only usable for discovery of Claimed Identifiers.

RE: Proposal: SMTP service extension for Yadis discovery

2007-02-05 Thread David Fuelling
> -Original Message- > From: Dmitry Shechtman [mailto:[EMAIL PROTECTED] > Subject: RE: Proposal: SMTP service extension for Yadis discovery > > > there's nothing wrong with transforming an email to > > an OpenId Endpoint url (using the root domain of the email). > > That would require a r

RE: [OpenID] Questions about Spoofing OpenId

2007-01-23 Thread David Fuelling
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Carl Howells > Subject: Re: [OpenID] Questions about Spoofing OpenId > > Some care has to be > taken to make sure that direct cross-linking won't work, but that's not > too difficult. What do you mean

RE: [OpenID] "The Case for OpenID" published by ZDNet / DigitalIdentity World Blog

2006-12-05 Thread David Fuelling
Looks like the article got Slashdotted... there's some interesting commentary going on, with some FUD, plenty of confusion, and some acceptance. Very interesting to read. http://it.slashdot.org/article.pl?sid=06/12/05/139204 > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: Map/Normalize Email Address to IdP/OP URL (Was [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers)

2006-11-10 Thread David Fuelling
> -Original Message- > From: Dick Hardt [mailto:[EMAIL PROTECTED] > Sent: Friday, November 10, 2006 11:28 AM > To: David Fuelling > Cc: specs@openid.net; [EMAIL PROTECTED] > Subject: Re: Map/Normalize Email Address to IdP/OP URL (Was [PROPOSAL] > Handle"http:

RE: Map/Normalize Email Address to IdP/OP URL (Was [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers)

2006-11-10 Thread David Fuelling
> -Original Message- > From: Dick Hardt [mailto:[EMAIL PROTECTED] > Sent: Friday, November 10, 2006 11:28 AM > To: David Fuelling > Cc: specs@openid.net; [EMAIL PROTECTED] > Subject: Re: Map/Normalize Email Address to IdP/OP URL (Was [PROPOSAL] > Handle"http:

RE: Map/Normalize Email Address to IdP/OP URL (Was [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers)

2006-11-10 Thread David Fuelling
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On >Behalf > Of Jonathan Daugherty > # I think that all this discussion about email userid is moving us off > # track. My original proposal was that the email maps/normalizes to a > # URL of an IdP (the userid is igno

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

2006-11-10 Thread David Fuelling
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Martin Atkins > Sent: Friday, November 10, 2006 2:41 AM > To: [EMAIL PROTECTED] > Subject: Re: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers > > I provide email addresses to some of my f

Map/Normalize Email Address to IdP/OP URL (Was [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers)

2006-11-09 Thread David Fuelling
Hey David, Thanks for your ideas. Some more thoughts below. > -Original Message- > From: David Nicol [mailto:[EMAIL PROTECTED] > Sent: Thursday, November 09, 2006 6:49 PM > To: David Fuelling > Cc: Martin Atkins; specs@openid.net; [EMAIL PROTECTED] > Subject: Re: [PROP

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

2006-11-09 Thread David Fuelling
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Martin Atkins > Sent: Thursday, November 09, 2006 5:36 PM > To: [EMAIL PROTECTED] > Subject: Re: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers > > Sometimes these things will be charact

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

2006-11-09 Thread David Fuelling
Hi Martin, This is interesting. I guess your suggestion (see your msg below) deals with a sub-topic of the whole "should email be allowed in the OpenId login form" debate, which is this: "If email is allowed in the OpenId login form, should the mapping/normalization include the email Userid...O

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

2006-11-09 Thread David Fuelling
2 (Normalization). We're mapping/normalizing 'www.cnn.com' to 'http://www.cnn.com', even though www.cnn.com is not (technically) a validly schemed Http url. Why not do the same with email addresses? > -Original Message- > From: Hallam-Baker, Phillip [mailt

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

2006-11-08 Thread David Fuelling
is a bad thing. > -Original Message- > From: Dick Hardt [mailto:[EMAIL PROTECTED] > Sent: Wednesday, November 08, 2006 5:06 PM > To: David Fuelling > Cc: specs@openid.net > Subject: Re: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers > > Hi

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

2006-11-08 Thread David Fuelling
ginal Message- > From: Jonathan Daugherty [mailto:[EMAIL PROTECTED] > Sent: Wednesday, November 08, 2006 1:45 PM > To: David Fuelling > Cc: specs@openid.net > Subject: Re: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers > > # So, if in a hypothetical

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

2006-11-08 Thread David Fuelling
er, Phillip [mailto:[EMAIL PROTECTED] > Sent: Wednesday, November 08, 2006 1:45 PM > To: David Fuelling; specs@openid.net > Subject: RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers > > Please don't use HTTP this way. That is not the semantics for http

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

2006-11-08 Thread David Fuelling
to something that OpenID can use? David Fuelling > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of Dick Hardt > Sent: Sunday, October 22, 2006 12:26 PM > To: John Panzer > Cc: Kaliya *; specs@openid.net > Subject: Re: [PRO

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

2006-11-08 Thread David Fuelling
ally make sense to cut out the most common "value" (which is an email address)? > -Original Message- > From: Jonathan Daugherty [mailto:[EMAIL PROTECTED] > Sent: Wednesday, November 08, 2006 1:30 PM > To: David Fuelling > Cc: specs@openid.net > Subject: Re:

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

2006-11-08 Thread David Fuelling
Please see my questions/ideas enclosed... Thanks! David Fuelling > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of Drummond Reed > Sent: Friday, October 20, 2006 1:04 AM > To: 'Recordon, David'; specs@openid.net > Su

RE: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style Identifiers

2006-11-08 Thread David Fuelling
usion, these 2 email proposals should be no less "confusing" than trying to educate a user that the Identity URL they type in (e.g., http://aol.com) is not their identity. Both will/would take some education. Thanks! David Fuelling [EMAIL PROTECTED] > -Original Message- >

RE: Request for comments: Sorting fields in signature generation

2006-09-27 Thread David Fuelling
Just for clarification -- if duplicate parameters of the same name are NOT allowed by the spec, would one still be able to encode multiple values in the same key/value pair? Wouldn't this accomplish the same result as allowing duplicate key names? Not sure if this would be a bad idea, or not, but

RE: Backwards compatibility

2006-09-24 Thread David Fuelling
nd to construct appropriate messages. In essence, it's a different protocol, and #1R is not required. Thanks! David Fuelling > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of Josh Hoyt > Sent: Wednesday, September 20, 2006 4:31 PM