Re: OPs to advertise support for OpenID extensions via the extension's type URI

2009-07-29 Thread David Recordon
Sounds good to me! On Jul 22, 2009, at 5:23 PM, John Bradley wrote: +1 I think that advertising the extension itself is a good practice. A RP may prefer OPs that support the extension over ones that don't. That is the case for PAPE now as an example. With XRD most of that will be described i

Re: experimental namespace for openid.net

2009-07-10 Thread David Recordon
Should this experimental namespace only apply to work being done by OpenID working groups? I'm very supportive of pushing the standards forward via prototypes, but that should be done as part of the OpenID community instead of by a single company. I'd be very happy to help get a discovery

Re: Clarification needed in PAPE spec

2009-06-17 Thread David Recordon
Yeah, it was meant to be included with the value of an empty string. --David On Jun 17, 2009, at 10:56 AM, Andrew Arnott wrote: A space-delimited list of no elements is the empty string. So I'd say (and DNOA is coded such that) it cannot be omitted, but may be empty. -- Andrew Arnott "I [

Re: OAuth Hybrid and UI ML?

2009-06-16 Thread David Recordon
tcher wrote: Will these lists be open for reading to the community? I'd like to keep up with what's happening in both these groups. Thanks, George David Recordon wrote: Once the working groups are approved and someone is willing to moderate new members on the list to make sure

Re: [OpenID board] OAuth Hybrid and UI ML?

2009-06-16 Thread David Recordon
m I responsible for collecting the contribution agreements myself? Allen David Recordon wrote: Once the working groups are approved and someone is willing to moderate new members on the list to make sure they've signed contribution agreements before posting, I can make the list i

Re: OAuth Hybrid and UI ML?

2009-06-15 Thread David Recordon
Once the working groups are approved and someone is willing to moderate new members on the list to make sure they've signed contribution agreements before posting, I can make the list itself. --David On Jun 11, 2009, at 6:21 PM, Allen Tom wrote: Hi Nat, How does one create a mailing list?

Fwd: [OpenID] Signing method for XRD

2009-06-10 Thread David Recordon
The specs list feels like a better home for this thread. :) --David - "Nat Sakimura" wrote: > Hi all: > > At XRI TC of OASIS Open, we are talking about the signing method for XRD. > The current trend in the TC is that to use a constrained form of XML DSig, > which is found in the SAM

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

2009-06-09 Thread David Recordon
Hey Breno, I think this is a good point and judging from this thread already, there seems to be a group of people really interested in working on discovery for OpenID. If we can frame the working group in the right way (David Fuelling framed it well as "I guess I'm more of the opinion tha

Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

2009-06-09 Thread David Recordon
Hey David, I've been following some of the discovery work the past few months, but don't have a clear picture if the various components are actually solid enough to begin working with. I know XRD is moving forward, but what's the state of site-meta (http://tools.ietf.org/html/draft-nottingh

Re: Requiring Pseudonymous Identifier

2009-05-13 Thread David Recordon
Does it make more sense to use a PAPE policy requesting a pseudonymous identifier or an AX attribute requesting one? Any of these approaches would work, I just don't think we've mapped out the pros/cons of each. --David On May 13, 2009, at 8:44 AM, George Fletcher wrote: I don't think Open

Re: Requiring Pseudonymous Identifier

2009-05-13 Thread David Recordon
Agreed. RP requests a pseudonymous identifier and it's up to the OP to figure out how to make one and ideally communicate back to the RP that it did so. --David On May 13, 2009, at 9:41 AM, Andrew Arnott wrote: Agreed. There is no reason for OpenID to mandate how pseudonymous identifi

RECOMMENDED: Proposal to create the OpenID User Interface working group

2009-03-01 Thread David Recordon
d.net/pipermail/specs/2009-February/002726.html Brad Fitzpatrick - http://openid.net/pipermail/specs/2009-February/002729.html David Recordon - http://openid.net/pipermail/specs/2009-February/002731.html Dick Hardt - http://openid.net/pipermail/specs-council/2009-February/000115.html Johnny Bufu -

Re: Request to consider creation of the User Interface Work Group

2009-02-23 Thread David Recordon
g on an ad-hoc basis. Basis for completion of the activity The OpenID User Interface Extension 1.0 final draft is completed. Proposers * Allen Tom, a...@yahoo-inc.com, Yahoo! * Brian Ellin, br...@janrain.com, Janrain * David Recordon, da...@sixapart.com, Six Apart * Chris M

Re: Suggested scoping for AX 2.0 WG

2009-02-03 Thread David Recordon
Agreed with Allen, let's modernize SREG so that the spec matches how people are using it already with 2.0 though point people to using AX instead. I'd prefer this happen within the same WG. --David On Feb 3, 2009, at 3:20 PM, Allen Tom wrote: Hi Dick, I'll be happy to add language to the

Re: RECOMMENDED: Proposal to create the Contract Exchange Extension working group

2009-01-31 Thread David Recordon
"OpenID Trusted data eXchange Extention Specification (draft)", Oct. 2008. [TX2008]. - "David Recordon" wrote: > The Specifications Council recommends that the Foundation members > approve the creation of the Contract Exchange Extension working group > (http://openid.n

Re: RECOMMENDED: Proposal to create the OpenID and OAuth Hybrid Extension working group

2009-01-31 Thread David Recordon
Unless there are any objections, I will change this voting period to match that of the CX working group where the vote will open Saturday February 14th. --David - "David Recordon" wrote: > The Specifications Council recommends that the Foundation members approve the >

RECOMMENDED: Proposal to create the Contract Exchange Extension working group

2009-01-31 Thread David Recordon
The Specifications Council recommends that the Foundation members approve the creation of the Contract Exchange Extension working group (http://openid.net/pipermail/specs-council/2009-January/000110.html), as proposed below and found at http://wiki.openid.net/Working_Groups%3AContract_Exchange_

RECOMMENDED: Proposal to create the OpenID and OAuth Hybrid Extension working group

2009-01-28 Thread David Recordon
that maximal consensus on the protocol proposal has been achieved within the working group, consistent with the purpose and scope. Proposers * Ben Laurie, b...@google.com, Google * Breno de Medeiros, br...@google.com, Google * David Recordon, drecor...@sixapart.com, Six Apart *

Re: Request for consideration of AX 2.0 Working Group Charter Proposal

2009-01-28 Thread David Recordon
+1 On Jan 27, 2009, at 6:30 PM, Allen Tom wrote: I agree with Martin. I believe that AX is the correct solution in the long run, but given that there appears to be more SREG implementations currently in the wild, we should update it to make it useful for sites that want to use it. The ot

Re: Request for consideration of AX 2.0 Working Group Charter Proposal

2009-01-24 Thread David Recordon
This has been on my list to kick to the specs council but I've also been waiting for Dick to reengage since he's been such a core driver of the AX spec in the past. :) --David - "Nat Sakimura" wrote: > > > > On Sat, Jan 24, 2009 at 4:02 AM, Breno de Medeiros < br...@google.com > > w

Re: OpenID Problem

2009-01-14 Thread David Recordon
Hi Faisal, While this is most likely a permissions issue between PHP and your filesystem, I doubt that you'll receive an answer on this mailing list. The specs@openid.net mailing list is designed to discuss the OpenID specifications themselves. You can try reposting to gene...@openid.net though

Re: Separation of Discovery from AuthN (was Proposal to form Discovery Working Group)

2009-01-04 Thread David Recordon
I'd advocate for waiting until all of the discovery work occurring in OASIS, IETF, and W3C shakes out before we make changes to how OpenID discovery works. I'd much rather make this sort of change once rather than twice. --David On Jan 4, 2009, at 11:14 PM, Drummond Reed wrote: I’m just

Re: [OIDFSC] FW: Proposal to create the TX working group

2008-12-31 Thread David Recordon
#cSpecificationCouncilIssues > > > > It may be that all the Specs Council members agree with your four points > below, in which case you can just wholesale copy them into the wiki page. > However it is very important that the Specs Council come to its own > consensus

Re: Proposal to form Discovery Working Group

2008-12-22 Thread David Recordon
ould add an appendix noting that changes in discovery to >> support new use cases are coming, and pointers on how to manage the >> transition. >> >> >> >> On Mon, Dec 22, 2008 at 10:27 AM, David Recordon > > wrote: >>> Agreed with Breno here.

Re: Proposal to form Discovery Working Group

2008-12-22 Thread David Recordon
e- >> From: specs-boun...@openid.net [mailto:specs-boun...@openid.net] On >> Behalf Of Breno de Medeiros >> Sent: Thursday, December 18, 2008 6:14 PM >> To: OpenID Specs Mailing List >> Cc: David Recordon; Brian Eaton; Johannes Ernst >> Subject: Proposal to form

Re: Proposal to create the TX working group

2008-12-03 Thread David Recordon
PROTECTED], Nomura Research Institute, Ltd. (iii) Anticipated Contributions: * Sakimura, N., et. al "OpenID Trusted data eXchange Extention Specification (draft)", Oct. 2008. [TX2008]. On Wed, Nov 12, 2008 at 6:39 AM, David Recordon <[EMAIL PROTECTED] > wrote: Just wanted

A Working Groups Wiki Page

2008-12-03 Thread David Recordon
We now have a wiki page for Working Groups! http://wiki.openid.net/Working_Groups I've listed the current PAPE WG as well as the groups that I know have been proposed. I've also filled in the draft charter for the Auth 2.1 group at http://wiki.openid.net/Working_Groups:Auth_2.1. If you're

Re: Proposing an OpenID Authentication 2.1 Working Group

2008-12-03 Thread David Recordon
I believe that the charter should now reflect the proposed changes. You can view it at http://wiki.openid.net/Working_Groups:Auth_2.1. Please let me know if not. Thanks, --David On Nov 11, 2008, at 12:46 PM, David Recordon wrote: > Yep, thanks! I'll be sending out a new charter

Re: Completing the SREG 1.1 specification

2008-11-29 Thread David Recordon
I certainly want to see us push the world to implementing AX instead of SREG, though agree with Mart that there are existing interoperability problems with SREG that would be nice to fix given that large OPs are still implementing it in a broken fashion. I'd see no issue with including in

Re: PAPE and NIST level policies.

2008-11-25 Thread David Recordon
Yeah, the latest draft is at http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-05.html . On Nov 25, 2008, at 2:21 AM, Martin Paljak wrote: > Right. I was lazy and google directed me to 1.0-02 as the first > response ... > > m. > On 25.11.2008, at 12:03, Nat wrote: > >

Re: Proposal to create the TX working group

2008-11-11 Thread David Recordon
Just wanted to add that Nat is running a session on TX at IIW this afternoon. We should definitely chat about the needs being expressed in this thread and how they might be able to be solved with OpenID. --David On Nov 11, 2008, at 1:13 PM, Martin Paljak wrote: > On 09.11.2008, at 20:51, Nat

Re: Proposing an OpenID Authentication 2.1 Working Group

2008-11-11 Thread David Recordon
Yep, thanks! I'll be sending out a new charter shortly. On Nov 11, 2008, at 11:24 AM, George Fletcher wrote: > Great notes! Thanks! > > Martin Atkins wrote: >> Here's the output from today's IIW session on this: >> >> >> 2.0 has been finalized >> bunch of implementations >> found lots of spec bu

Re: Email Address to URL Transformation

2008-11-09 Thread David Recordon
Hey Arshad, This is now something we're talking about supporting in OpenID Authentication 2.1 though it isn't yet clear whether it will support a transformation technique like EAUT or something else. --David On Aug 12, 2008, at 5:35 PM, Arshad Khan wrote: Does OpenID 2.0 support ‘Email Ad

Re: Proposal to create the TX working group

2008-11-08 Thread David Recordon
Hi David, I do not have any particular attachment to "trust exchange". So, I am ok in changing it but it would be nice if I can preserve "TX" acronym though. Do you have any specific suggestions? =nat On Sun, Nov 9, 2008 at 3:50 AM, David Recordon <[EMAIL PROTECTED]>

Proposing an OpenID Authentication 2.1 Working Group

2008-11-08 Thread David Recordon
maximal consensus on the draft has been achieved, consistent with the purpose and scope. Proposers: - Allen Tom, [EMAIL PROTECTED], Yahoo! - Brad Fitzpatrick, [EMAIL PROTECTED], Google - Breno de Medeiros, [EMAIL PROTECTED], Google - Carl Howells, [EMAIL PROTECTED], JanRain - David R

Re: Proposal to create the OpenID OAuth Hybrid Working Group

2008-11-08 Thread David Recordon
parent that maximal consensus on the protocol proposal has been achieved within the working group, consistent with the purpose and scope. Proposers: - Ben Laurie, [EMAIL PROTECTED], Google - Breno de Medeiros, [EMAIL PROTECTED], Google - David Recordon, [EMAIL PROTECTED], Six Apart - Dirk Balf

Re: Proposal to create the TX working group

2008-11-08 Thread David Recordon
On Nov 1, 2008, at 2:19 AM, Nat Sakimura wrote: Hi David, Thanks for your comments. My reply inline below: 2008/11/1 David Recordon <[EMAIL PROTECTED]> Hey Nat, Do you see this as being built atop Attribute Exchange for transport or as something new that TX defines? I know Sxip had d

Fwd: [xrds-simple] Refocusing XRDS / XRDS-Simple / Discovery

2008-11-01 Thread David Recordon
This is worth reading as it outlines what Eran plans to do with the current XRDS and XRDS-Simple specifications. It will have future implications on OpenID as the current Yadis discovery protocol actually violates the HTTP and web architecture (as pointed out by the W3C). I'm going to be

Re: Proposal to create the TX working group

2008-10-31 Thread David Recordon
Hey Nat, Do you see this as being built atop Attribute Exchange for transport or as something new that TX defines? I know Sxip had done work with AX to enable passing signed and encrypted attributes using SAML assertions. Is "Trust Exchange" really the best name? Seems like "trust" is qu

The Specifications Council

2008-06-03 Thread David Recordon
n Tom - Brad Fitzpatrick - David Recordon - Johnny Bufu - Josh Hoyt ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs

Fwd: [OpenID] The 3xx Redirect Debate

2008-03-29 Thread David Recordon
Wanted to make sure everyone saw this, though please reply to it on the General list since the majority of the discussion ended up happening over there. --David Begin forwarded message: > From: David Recordon <[EMAIL PROTECTED]> > Date: March 29, 2008 1:19:39 AM PDT >

XRDS-Simple 1.0 Draft 1 Released

2008-03-29 Thread David Recordon
If you haven't taken a look at XRDS-Simple -- and care about Yadis or XRDS Based Discovery -- then you should! The blow by blow history is: 1) Brad Fitzpatrick, Johannes Ernst, and I were looking at merging OpenID and LID in 2005 and needed a discovery protocol. Made a text based one bu

Re: [OpenID] Problems with OpenID and TAG httpRange-14

2008-03-10 Thread David Recordon
I don't see why changes would really need to wait, if there is an interested group of people then let's spin up a mailing list and get participants to agree to the IP policy. The entire goal of having "working groups" and separate mailing lists is to help ensure that future OpenID specs are n

Re: OWASP Review

2008-03-10 Thread David Recordon
Hey James, I suppose there could be merit, but my guess is that if you want it to happen then you'll need to organize it. --David On Mar 10, 2008, at 1:38 PM, "McGovern, James F (HTSC, IT)" <[EMAIL PROTECTED] > wrote: > > Is there merit in having a third-party group such as OWASP > (http://w

Re: handling of url redirection

2008-02-23 Thread David Recordon
Hi Marv, This has never been specified as a relying party could choose to follow as many redirects as it wishes. Maybe there should be a hard line drawn though from an interoperability side? --David On Feb 17, 2008, at 3:06 PM, SignpostMarv Martin wrote: > Was talking with keturn in #openid

Re: OpenID 3.0

2008-02-08 Thread David Recordon
+1. Let's get 2.0 deployed and figure out what it might be lacking before just starting on 3.0. On Feb 3, 2008, at 11:05 PM, Johannes Ernst wrote: > Amen. Let's build (optional) extensions, and only if that absolutely > does not work for an essential feature, meekly suggest that the > smallest

Re: OAuth + OpenID

2008-01-12 Thread David Recordon
Great, thanks! We're talking about these drawings at OpenIDDevCamp right now. Thanks, --David On Dec 11, 2007, at 7:33 PM, NISHITANI Masaki wrote: > > I enumerated all possible cases to use OAuth and OpenID > together to organize my thought a bit more. > > And correct the charts for one misund

Finalizing OpenID Authentication 2.0 and OpenID Attribute Exchange

2007-12-01 Thread David Recordon
Hey all, While it's certainly been a long process in the making, it seems that we're now in a position to declare OpenID Authentication 2.0 and OpenID Attribute Exchange as final specifications. Both have evolved through extensive community participation and feedback and each are stable as Implemen

Re: [security] Phishing-Resistant Authentication definition

2007-11-20 Thread David Recordon
Do you have proposed wording for this? It might also make sense to rename this policy to something like "No Shared Secret" and then also draft a second policy which allows shared secrets which are more resistant to phishing than passwords. In the end, not calling anything "phishing resista

Fwd: OSIS PAPE call results

2007-11-05 Thread David Recordon
Hey all, It turned out that from the OSIS interoperability event in Barcelona a call was scheduled to discuss PAPE issues from the interop. I heard about the call a few minutes before, but Mike, Johnny, and I had a really productive call. If no one disagrees, we should get these edits in

Re: SREG namespace URI rollback

2007-11-01 Thread David Recordon
Sorry it took me a few days, but seems alright to me. I think a larger question would be if there should be any material differences with SREG 1.1 such as adding a few additional common fields. -David On Oct 26, 2007, at 4:51 PM, Johnny Bufu wrote: > David, Josh, > > Reviving an old thread

Fwd: [OpenID] Provider Assertion Policy Extension Draft 2 Published

2007-10-23 Thread David Recordon
Begin forwarded message: > From: David Recordon <[EMAIL PROTECTED]> > Date: October 23, 2007 4:39:23 PM PDT > To: OpenID List <[EMAIL PROTECTED]> > Subject: [OpenID] Provider Assertion Policy Extension Draft 2 > Published > Reply-To: [EMAIL PROTECTED] > >

Re: Some PAPE Wording Clarifications

2007-10-23 Thread David Recordon
y Ferg wrote: > Yes, there are arguments to be made for both sides here. I have to > agree with Johnny and David's point on this; let's give the RP what it > can be reasonably expected to understand. > > On 10/23/07, David Recordon <[EMAIL PROTECTED]> wrote: >> I see bo

Re: Some PAPE Wording Clarifications

2007-10-23 Thread David Recordon
I see both sides of this. At the end of the day the RP is ultimately making the decision as to if the user can proceed or not. Just as in SREG if the RP says email is required and the user/OP choose not to provide it, the RP still has to decide what to do. I do agree that it is easier on a

Some PAPE Wording Clarifications

2007-10-22 Thread David Recordon
Hey Johnny and Jonathan, Just checked in some clarifications, review would be appreciated. http://openid.net/pipermail/commits/2007-October/000381.html Thanks, --David

Re: Defining PAPE "active authentication" (WAS: Re: PAPE Extension Specification)

2007-10-22 Thread David Recordon
Hey Paul, How do you guys define "passive". Seems like the opposite problem of defining "active". Thanks, --David On Oct 22, 2007, at 3:18 PM, Paul Madsen wrote: > SAML 2.0 expresses it in terms of whether or not the authentication > is 'passive

Re: Question about PAPE

2007-10-22 Thread David Recordon
Hey Siddharth, Just to be clear, an OTP hardware token is considered a "one-time password device token" not a "Hard token" given SP 800-63, section 6 on page 15. This means that an OTP device can satisfy up to level 3, though a FIPS compliant Hard token would be needed for level 4. Level 3 al

Re: PAPE Extension Specification (part 2)

2007-10-22 Thread David Recordon
On Oct 9, 2007, at 10:08 AM, Jonathan Daugherty wrote: > Hi all, > > Here are a few more items. > > Section 5.1 > > - The spec doesn't specify what should be done in the absence of > max_auth_age in a PAPE request. I could assume, but it would be > easy enough to specify, say, that the

Defining PAPE "active authentication" (WAS: Re: PAPE Extension Specification)

2007-10-22 Thread David Recordon
Agreed with Jonathan here, don't think we need to define a policy URI for "active". Rather need to clarify what is meant in section 5.1. (Optional) If the End User has not actively authenticated to the OP within the number of seconds specified in a manner fitting the requested

Re: PAPE Extension Specification

2007-10-22 Thread David Recordon
Great! Let's try to publish Draft 2 of PAPE either later today or tomorrow morning. Few more emails coming shortly on this stuff. --David On Oct 11, 2007, at 9:28 AM, Johnny Bufu wrote: > > On 8-Oct-07, at 8:20 AM, David Recordon wrote: > >>>> # On the same topi

An OAuth OpenID Extension

2007-10-22 Thread David Recordon
Hey all, I know John did some work in September (http://extremeswank.com/openid_trusted_auth.html and http://extremeswank.com/openid_inline_auth.html). Both solve extremely important use-cases and are becoming increasingly discussed especially with the advent of OAuth. I'd really like to

Re: OpenID 2.0 finalization progress

2007-10-19 Thread David Recordon
Completely agreed with Johannes. We are very close with the IPR policy/process being in place and assuming all the contributors agree to it, 2.0 can be declared final within 30 days of October 30th as that is the end of the public review period for the policy. 2.0 is really important and

SVN URLs Changed

2007-10-08 Thread David Recordon
Hey all, We're currently in the process of changing all of the SVN URLs to be in the form of http://svn.openid.net/. New URLs are: http://svn.openid.net/ - WebSVN http://svn.openid.net/repos/website/ http://svn.openid.net/repos/specifications/ Sorry for the change, --David

Re: PAPE Extension Specification

2007-10-08 Thread David Recordon
On Oct 4, 2007, at 4:59 PM, Johnny Bufu wrote: > > On 4-Oct-07, at 4:27 PM, Jonathan Daugherty wrote: > >> # +1 on clarifying what "active" means. Before getting to wording, >> I'm >> # not totally sure what would be considered active authentication and >> # what wouldn't. >> >> Agreed; that sh

HTML-Based Discovery with OP Identifiers

2006-12-28 Thread David Recordon
Sitting here in Seattle with Drummond and looking through the spec. Section 7.3.3 says: HTML-based discovery MUST be supported by Relying Parties. HTML-based discovery is only usable for discovery of Claimed Identifiers. OP Identifiers must be XRIs or URLs that support XRDS discovery. Th