Re: Yet Another Delegation Thread

2006-10-26 Thread Josh Hoyt
On 10/26/06, Dick Hardt <[EMAIL PROTECTED]> wrote: > On 26-Oct-06, at 8:27 AM, Josh Hoyt wrote: > > Requiring this discovery adds another (redundant) HTTP request to the > > authentication process, which takes time. I'd like to be able to > > improve the "User Experience" by implementing an IdP tha

Re: Yet Another Delegation Thread

2006-10-26 Thread Dick Hardt
On 26-Oct-06, at 8:27 AM, Josh Hoyt wrote: > On 10/26/06, Dick Hardt <[EMAIL PROTECTED]> wrote: >> > * If the IdP-specific identifier is not checked by the relying >> > party's discovery, the IdP MUST do discovery on every request to >> > ensure that it's not making an assertion based on sta

RE: Yet Another Delegation Thread

2006-10-26 Thread Drummond Reed
ardt Cc: Martin Atkins; specs@openid.net Subject: Re: Yet Another Delegation Thread On 10/26/06, Dick Hardt <[EMAIL PROTECTED]> wrote: > > * If the IdP-specific identifier is not checked by the relying > > party's discovery, the IdP MUST do discovery on every request

Re: Yet Another Delegation Thread

2006-10-26 Thread Josh Hoyt
On 10/26/06, Dick Hardt <[EMAIL PROTECTED]> wrote: > If the IdP is not doing discovery per your previous comment, then > compromising the RP's discovery is sufficient to hijack a user's > identifier, and it likely is easier to compromise an RP than an IdP, > and we should move complexity to IdPs to an

Re: Yet Another Delegation Thread

2006-10-26 Thread Josh Hoyt
On 10/26/06, Dick Hardt <[EMAIL PROTECTED]> wrote: > > * If the IdP-specific identifier is not checked by the relying > > party's discovery, the IdP MUST do discovery on every request to > > ensure that it's not making an assertion based on stale information. > > Which is probably a good idea.

Re: Yet Another Delegation Thread

2006-10-26 Thread Dick Hardt
On 25-Oct-06, at 11:24 AM, Drummond Reed wrote: >>> On 25-Oct-06, at 8:57 AM, Drummond Reed wrote: >>> >>> Sure, Dick, here's the list of reasons that Josh and David and I >>> discussed >>> for allowing the RP to do the mapping between a Claimed >>> Identifier and >>> IdP-Specific Identifier: >

Re: Yet Another Delegation Thread

2006-10-26 Thread Dick Hardt
On 25-Oct-06, at 12:43 PM, Josh Hoyt wrote: > > The primary reasons that I think it's useful to send the IdP-specific > identifier as well: > > 1. The IdP is not *responsible for* doing discovery, so: > > * It's possible to be more efficient, since discovery is not > duplicated by the IdP a

Re: Yet Another Delegation Thread

2006-10-26 Thread Dick Hardt
On 25-Oct-06, at 11:15 AM, Josh Hoyt wrote: > On 10/25/06, Dick Hardt <[EMAIL PROTECTED]> wrote: >> > I have said this several times already, but THE IDP DOES NOT >> HAVE TO >> > TRUST THIS INFORMATION. >> >> Then why send it? > > Why send which one? Sorry, why send the IdP-specific identifier

Re: Yet Another Delegation Thread

2006-10-26 Thread Dick Hardt
On 25-Oct-06, at 11:27 AM, Boris Erdmann wrote: > On 10/25/06, Dick Hardt <[EMAIL PROTECTED]> wrote: >> On 25-Oct-06, at 8:57 AM, Drummond Reed wrote: >> >>> 2) Since the RP has to do discovery on the Claimed Identifier >>> anyway, if it >>> discovers a mapping between the Claimed Identifier and

Re: Yet Another Delegation Thread

2006-10-25 Thread Josh Hoyt
On 10/25/06, Martin Atkins <[EMAIL PROTECTED]> wrote: > > Then why send it? > > That's what I've been asking all along! :) > > What exactly do we imagine the IdP doing with the claimed_identifier? > The main answer I've seen anyone post so far is that the IdP will use it > to greet the user The pr

Re: Yet Another Delegation Thread

2006-10-25 Thread Martin Atkins
Dick Hardt wrote: > The RP can't trust state that it has sent to the IdP since the > message may have been modified in transit between the RP and the IdP. > > Perhaps someone can explain what state needs to be maintained? And if > the RP wants to put state in the message, I thought we had that

Re: Yet Another Delegation Thread

2006-10-25 Thread Martin Atkins
Pete Rowley wrote: > > Actually I think this is a consequence of using URLs as identifiers and > wanting to use my site to host the portable identifiers - you're > probably thinking separate domains per portable identifier or using some > well known IdP. Each identifier can be correlated by inf

Re: Yet Another Delegation Thread

2006-10-25 Thread Pete Rowley
Drummond Reed wrote: Josh Hoyt wrote: If the user uses different IdP-specific identifiers for each portable identifier, I don't see how they can be correlated. Pete Rowley wrote: Unless I misunderstand the OpenID discovery mechanism - at the point of discove

Re: Yet Another Delegation Thread

2006-10-25 Thread Martin Atkins
Dick Hardt wrote: > On 25-Oct-06, at 10:36 AM, Josh Hoyt wrote: > >> On 10/25/06, Dick Hardt <[EMAIL PROTECTED]> wrote: 2) Since the RP has to do discovery on the Claimed Identifier anyway, if it discovers a mapping between the Claimed Identifier and an IdP- >>> Specific Ident

Re: Yet Another Delegation Thread

2006-10-25 Thread Pete Rowley
Josh Hoyt wrote: On 10/25/06, Pete Rowley <[EMAIL PROTECTED]> wrote: Josh Hoyt wrote: > If the user uses different IdP-specific identifiers for each portable > identifier, I don't see how they can be correlated. Unless I misunderstand the OpenID discovery mechanism - at the point of discov

RE: Yet Another Delegation Thread

2006-10-25 Thread Drummond Reed
>> Josh Hoyt wrote: >> If the user uses different IdP-specific identifiers for each portable >> identifier, I don't see how they can be correlated. > >Pete Rowley wrote: >Unless I misunderstand the OpenID discovery mechanism - at the >point of discovery, which can be done out of band in a spi

Re: Yet Another Delegation Thread

2006-10-25 Thread Josh Hoyt
On 10/25/06, Pete Rowley <[EMAIL PROTECTED]> wrote: > Josh Hoyt wrote: > > If the user uses different IdP-specific identifiers for each portable > > identifier, I don't see how they can be correlated. > > Unless I misunderstand the OpenID discovery mechanism - at the > point of discovery, whic

Re: Yet Another Delegation Thread

2006-10-25 Thread Pete Rowley
Josh Hoyt wrote: If the user uses different IdP-specific identifiers for each portable identifier, I don't see how they can be correlated. Unless I misunderstand the OpenID discovery mechanism - at the point of discovery, which can be done out of band in a spider like web harvesting fashio

Re: Yet Another Delegation Thread

2006-10-25 Thread Pete Rowley
Drummond Reed wrote: Drummond Reed wrote: 3) Allowing the user to control Claimed Identifier-to-IdP-Specific-Identifier mapping gives the user the ability to establish any number of OpenID "synonyms" that do not require any involvement on the part of the IdP. In many ways this is the

Re: Yet Another Delegation Thread

2006-10-25 Thread Josh Hoyt
On 10/25/06, Pete Rowley <[EMAIL PROTECTED]> wrote: > > The IdP can issue as many identifiers as it wants to the user, and the > > user can use a different IdP-specific identifier for each of their > > separate portable identifiers. > > I don't understand why this would help - it really doesn't mat

Re: Yet Another Delegation Thread

2006-10-25 Thread Pete Rowley
Josh Hoyt wrote: On 10/25/06, Pete Rowley <[EMAIL PROTECTED]> wrote: Is it a goal to not allow correlation of identifiers? If so, I do not think this meets that goal. Looking at the parties involved here, I necessarily have to trust my IdP, but I certainly don't want to trust RPs. So if there i

RE: Yet Another Delegation Thread

2006-10-25 Thread Drummond Reed
>>Drummond Reed wrote: >> 3) Allowing the user to control Claimed >> Identifier-to-IdP-Specific-Identifier mapping gives the user the ability to >> establish any number of OpenID "synonyms" that do not require any >> involvement on the part of the IdP. In many ways this is the user-facing >> compli

Re: Yet Another Delegation Thread

2006-10-25 Thread Boris Erdmann
On 10/25/06, Dick Hardt <[EMAIL PROTECTED]> wrote: > On 25-Oct-06, at 8:57 AM, Drummond Reed wrote: > > > 2) Since the RP has to do discovery on the Claimed Identifier > > anyway, if it > > discovers a mapping between the Claimed Identifier and an IdP-Specific > > Identifier, the RP can send the Id

Re: Yet Another Delegation Thread

2006-10-25 Thread Josh Hoyt
On 10/25/06, Pete Rowley <[EMAIL PROTECTED]> wrote: > Is it a goal to not allow correlation of identifiers? If so, I do not > think this meets that goal. > > Looking at the parties involved here, I necessarily have to trust my > IdP, but I certainly don't want to trust RPs. So if there is to be > l

RE: Yet Another Delegation Thread

2006-10-25 Thread Drummond Reed
>> On 25-Oct-06, at 8:57 AM, Drummond Reed wrote: >> >> Sure, Dick, here's the list of reasons that Josh and David and I >> discussed >> for allowing the RP to do the mapping between a Claimed Identifier and >> IdP-Specific Identifier: >> >> 1) The first is the reason Brad designed this mechanism

Re: Yet Another Delegation Thread

2006-10-25 Thread Pete Rowley
Drummond Reed wrote: 3) Allowing the user to control Claimed Identifier-to-IdP-Specific-Identifier mapping gives the user the ability to establish any number of OpenID "synonyms" that do not require any involvement on the part of the IdP. In many ways this is the user-facing complement of the dir

Re: Yet Another Delegation Thread

2006-10-25 Thread Josh Hoyt
On 10/25/06, Dick Hardt <[EMAIL PROTECTED]> wrote: > > I have said this several times already, but THE IDP DOES NOT HAVE TO > > TRUST THIS INFORMATION. > > Then why send it? Why send which one? ___ specs mailing list specs@openid.net http://openid.net/ma

Re: Yet Another Delegation Thread

2006-10-25 Thread Dick Hardt
On 25-Oct-06, at 10:36 AM, Josh Hoyt wrote: > On 10/25/06, Dick Hardt <[EMAIL PROTECTED]> wrote: >> > 2) Since the RP has to do discovery on the Claimed Identifier >> > anyway, if it >> > discovers a mapping between the Claimed Identifier and an IdP- >> Specific >> > Identifier, the RP can send

Re: Yet Another Delegation Thread

2006-10-25 Thread Josh Hoyt
On 10/25/06, Dick Hardt <[EMAIL PROTECTED]> wrote: > > 2) Since the RP has to do discovery on the Claimed Identifier > > anyway, if it > > discovers a mapping between the Claimed Identifier and an IdP-Specific > > Identifier, the RP can send the IdP-Specific Identifier to the IdP > > and save > > t

Re: Yet Another Delegation Thread

2006-10-25 Thread Dick Hardt
On 25-Oct-06, at 8:57 AM, Drummond Reed wrote: > Sure, Dick, here's the list of reasons that Josh and David and I > discussed > for allowing the RP to do the mapping between a Claimed Identifier and > IdP-Specific Identifier: > > 1) The first is the reason Brad designed this mechanism in the

RE: Yet Another Delegation Thread

2006-10-25 Thread Drummond Reed
ps, =Drummond -Original Message- From: Dick Hardt [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 24, 2006 11:42 PM To: Drummond Reed Cc: 'Recordon, David'; specs@openid.net Subject: Re: Yet Another Delegation Thread Hey Drummond, If you could elaborate on the "good reaso

Re: Yet Another Delegation Thread

2006-10-24 Thread Dick Hardt
> Sent: Tuesday, October 24, 2006 10:07 PM > To: Drummond Reed > Cc: 'Recordon, David'; specs@openid.net > Subject: Re: Yet Another Delegation Thread > > Thanks for the explanation Drummond. I think we need a con call on > this topic alone ... :-) > > On 24-Oct-06,

RE: Yet Another Delegation Thread

2006-10-24 Thread Drummond Reed
Dick Hardt [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 24, 2006 10:07 PM To: Drummond Reed Cc: 'Recordon, David'; specs@openid.net Subject: Re: Yet Another Delegation Thread Thanks for the explanation Drummond. I think we need a con call on this topic alone ... :-) On 24-Oct

Re: Yet Another Delegation Thread

2006-10-24 Thread Dick Hardt
Thanks for the explanation Drummond. I think we need a con call on this topic alone ... :-) On 24-Oct-06, at 6:16 PM, Drummond Reed wrote: > * But in our discussion today, Josh and David and I boiled down the > fundamental problem with the "single identifier on the wire" > solutions: as > long

Re: Yet Another Delegation Thread

2006-10-24 Thread Dick Hardt
avid > > -Original Message- > From: Dick Hardt [mailto:[EMAIL PROTECTED] > Sent: Tuesday, October 24, 2006 5:12 PM > To: Recordon, David > Cc: specs@openid.net > Subject: Re: Yet Another Delegation Thread > > Can we have those conversations on the list so that eve

RE: Yet Another Delegation Thread

2006-10-24 Thread Drummond Reed
o the editor's call(s) this week. =Drummond -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dick Hardt Sent: Tuesday, October 24, 2006 5:12 PM To: Recordon, David Cc: specs@openid.net Subject: Re: Yet Another Delegation Thread Can we have those con

RE: Yet Another Delegation Thread

2006-10-24 Thread Recordon, David
ssage- > From: Dick Hardt [mailto:[EMAIL PROTECTED] > Sent: Monday, October 23, 2006 11:04 PM > To: Drummond Reed > Cc: Recordon, David; specs@openid.net > Subject: Re: Yet Another Delegation Thread > > +1 > > Glad to see that we have settled on one identifier parameter

Re: Yet Another Delegation Thread

2006-10-24 Thread Dick Hardt
> From: Dick Hardt [mailto:[EMAIL PROTECTED] > Sent: Monday, October 23, 2006 11:04 PM > To: Drummond Reed > Cc: Recordon, David; specs@openid.net > Subject: Re: Yet Another Delegation Thread > > +1 > > Glad to see that we have settled on one identifier parameter > >

RE: Yet Another Delegation Thread

2006-10-24 Thread Recordon, David
Dick Hardt [mailto:[EMAIL PROTECTED] Sent: Monday, October 23, 2006 11:04 PM To: Drummond Reed Cc: Recordon, David; specs@openid.net Subject: Re: Yet Another Delegation Thread +1 Glad to see that we have settled on one identifier parameter On 23-Oct-06, at 7:07 PM, Drummond Reed wrote: > Here's

Re: Yet Another Delegation Thread

2006-10-23 Thread Dick Hardt
+1 Glad to see that we have settled on one identifier parameter On 23-Oct-06, at 7:07 PM, Drummond Reed wrote: > Here's another way to summarize the conclusions David and I reached > in our > analysis today: > > 1) In OpenID Authentication 1.1, if there is a difference between the > identifier

RE: Yet Another Delegation Thread

2006-10-23 Thread Drummond Reed
Here's another way to summarize the conclusions David and I reached in our analysis today: 1) In OpenID Authentication 1.1, if there is a difference between the identifier the user wants to assert to an RP and the identifier the IdP wants to assert for the user (let's just call them ID1 and ID2), t