gmane.comp.web.openid.general

Re: [OpenID] Announcement : the presentasion on "NetCommons add-on module seminer"

Toshiya TSURU — 2012-05-09T00:32:04

Hi Nat,

情報有難うございます！

I read the page :
http://openid.net/connect/

and also  taking a look at the draft's!


On Tue, May 8, 2012 at 6:08 PM, Nat Sakimura <sakimura< at >gmail.com> wrote:

Re: [OpenID] Private Federation solution using OpenID

John Bradley — 2012-05-08T15:29:06

There are specs available on the OIDF website.

I would not recommend you doing it yourself.  There are a number of existing open source libraries to start from, or commercial products that can integrate to your AD or other internal directory.

Building not yourself without proper testing may not have a happy security outcome.

You also need to check with the SaaS provider to see what they support, some may still only support SAML.

John B.

On 2012-05-08, at 11:08 AM, Matheus Eduardo Bonifacio Morais wrote:


_______________________________________________
general mailing list
general< at >lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general

Re: [OpenID] Private Federation solution using OpenID

Matheus Eduardo Bonifacio Morais — 2012-05-08T15:08:25

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for your reply John, the scenario is exactly what you described.
We will be the OpenID provider and the SaaS will be the relying party.
Do you know if there is some documentation already written on how to
implement an OpenID provider from scratch? I mean, just the auth
specification should be enough?

Thanks.

Em 08-05-2012 11:48, John Bradley escreveu:
Esta mensagem é somente para uso do destinatário informado e pode conter
informações privilegiadas, proprietárias, ou privadas. Se você recebeu
esta mensagem por engano, por favor notifique o remetente imediatamente
e apague a original. Qualquer uso deste email é proibido.
This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise private information. If you have
received it in error, please notify the sender immediately and delete
the original. Any other use of the email by you is prohibited.
_______________________________________________
general mailing list
general< at >lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general

- --
Classificação da Informação: Uso Interno

Matheus Morais
Infraestrutura de TI
Confederação SICREDI – Porto Alegre
51 3358-4700 ramal 7190

www.sicredi.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPqTboAAoJEJaxmh5NVUojYkAH/30F8Cs4r5m8PqNrrpWLKAo8
4VWC5DUK6mo9LUTmgcfTagFLqa766LrsBWiiV3dSPX0DYLz6B/DQKsw+7gz9VMhU
/shlz7omd5Mxl48o7x+uaxj7ufF0SdlgH20QlAj7D06GdqLXy81A2+uvql/87Xrz
8UgEKq+VQTi4p740xBKmonM0FpLTIsapQ3YOO/0Ul/zeFM1Q7rmBZfyOD3BRemPf
0jKjZcAnUHeUmV8R1per5k8ebjSlgIy/+3258VYy3LN5GYR+FHUj1kF4F4OKvVOg
TQLVtg797tic20nSmZwQ1vLyYcDxhmO5RoHK2uYSeH1SbcCKQYGIpmytpWLmjWQ=
=dTXs
-----END PGP SIGNATURE-----=
Esta mensagem é somente para uso do destinatário informado e pode conter informações privilegiadas, proprietárias, ou privadas. Se você recebeu esta mensagem por engano, por favor notifique o remetente imediatamente e apague a original. Qualquer uso deste email é proibido.
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.

Re: [OpenID] Private Federation solution using OpenID

John Bradley — 2012-05-08T14:48:20

If the SaaS provider is the RP and your company is the OP there is nothing that requires you to release any attributes to the SaaS provider via openID.

I don't think there is anything to stop you from doing that.

John B.

On 2012-05-08, at 10:18 AM, Matheus Eduardo Bonifacio Morais wrote:


_______________________________________________
general mailing list
general< at >lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general

[OpenID] Private Federation solution using OpenID

Matheus Eduardo Bonifacio Morais — 2012-05-08T14:18:57

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,

I work for a company which is looking for a federation solution to
SaaS applications used internally by the employees. For our use case
is mandatory that the user data could keep in private and the SaaS
provider must not have access to it. I was thinking to use OpenID
because is well written and the most important part, it is an
open-standard. For what I understood by reading the protocol
specification, this is not a goal of OpenID.

I would like to know if is possible to implement that kind of solution
and If I'm not hurting the main project goals as long as I will not
allow everyone to sign-in using an OpenID compatible account.

Thanks.

- -- 

Matheus Morais
Infraestrutura de TI
Confederação SICREDI ? Porto Alegre
51 3358-4700 ramal 7190

www.sicredi.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPqStQAAoJEJaxmh5NVUojoIcH/j7TLBPjfPZ1FXneJVU6UZ/Q
bq06dx/uMlLt6702jvV+QhnkZvRdJDHPxkNjGYoUZCEu9lxLkddCMp/o6WiFvR7A
oQZ8TDxlHmPzXf3Su3fb8kPnIvY6YmzP3ldjGl3XKXDXUs4bFnrrCNP3zE40Seut
rzHtUoltWB7Q/Hv9a5Q8/dHhkSbPZVQVdDsd6JJpc8o0zMOEtoi2ncjIcbhNZyah
8Vy0gbeW6+futbAIJTFcfQtxr8hxRwcK7EqcyOv6f01IsD50UI+8KKbqEUMgBp90
xhf4yOYGCc/F6cnJWCJBF4QuZpIblRGUiCJ+7o29nGkTax09+Qo3CdMewZ4tbRo=
=attP
-----END PGP SIGNATURE-----
Esta mensagem é somente para uso do destinatário informado e pode conter informações privilegiadas, proprietárias, ou privadas. Se você recebeu esta mensagem por engano, por favor notifique o remetente imediatamente e apague a original. Qualquer uso deste email é proibido. 
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.

Re: [OpenID] Announcement : the presentasion on "NetCommons add-on module seminer"

Nat Sakimura — 2012-05-08T09:08:06

So, is that OpenID 2.0 or Connect?

Nat Sakimura

On 2012/05/08, at 6:21, Toshiya TSURU <turutosiya< at >gmail.com> wrote:

[OpenID] Announcement : the presentasion on "NetCommons add-onmodule seminer"

Toshiya TSURU — 2012-05-08T04:21:10

Hi

In my recnt work, I' ve done implementing OpenId OP/RP into NetCommons
and Mediawiki.
NetCommons is a Open Source LMS/CMS developed by NII(National
Institute of Informatics of Japan).
And Mediawiki is .... what you know, wiki system.

As a result of that work, I'll have a presentation at the seminer
named "NetCommons add-on module seminer" at 16th, Jun.
In the presentation, I'll be talking about What is OpenID, How to
implement it, and New topics about OpenID.

Does anyone has suggestions What is hot or What is new about OpenID?
please let me know.

Re: [OpenID] OpenID Connect Wins 2012 European Identity and Cloud Award

Mike Jones — 2012-04-18T17:45:47

Also announced at http://openid.net/2012/04/18/openid-connect-wins-2012-european-identity-and-cloud-award/.

From: openid-general-bounces< at >lists.openid.net [mailto:openid-general-bounces< at >lists.openid.net] On Behalf Of Don Thibeau
Sent: Wednesday, April 18, 2012 10:34 AM
To: general OpenID.com
Subject: [OpenID] OpenID Connect Wins 2012 European Identity and Cloud Award

OpenID Connect Wins 2012 European Identity and Cloud Award

Today at the European Identity and Cloud Conference<http://www.id-conf.com/events/eic2012> it was announced that OpenID Connect<http://openid.net/connect/> has won the 2012 European Identity and Cloud Award for "Best Innovation / New Standard". The OpenID Foundation and the Connect working group members want to thank Kuppinger Cole<http://www.kuppingercole.com/> for this prestigious award and their vote of confidence in the significance of OpenID Connect.

Dave Kearns of Kuppinger Cole said this about the award:

"I'm pleased that Kuppinger Cole has granted OpenID Connect the award for Best Innovation/New Standard this year. What's most impressive is that this elegantly simple design resulted from the cooperation of such a diverse global set of contributors. I expect OpenID Connect to have a substantial positive impact on usable, secure identity solutions both for traditional computing platforms and mobile devices. My congratulations to the OpenID Foundation!"

The application presented by the OpenID Foundation that resulted in the award follows.

European Identity & Cloud Awards 2012
Project company:

OpenID Foundation

Award category:

Best Innovation / New Standard in Information Security

1) Name of the Standard

OpenID Connect

2) Brief description of the Standard

OpenID Connect is a simple JSON/REST-based interoperable identity protocol built on top of the OAuth 2.0 family of specifications. Its design philosophy is "make simple things simple and make complicated things possible".

While OAuth 2.0 is a generic access authorization delegation protocol, thus enabling the transfer of arbitrary data, it does not define ways to authenticate users or communicate information about them. OpenID Connect provides a secure, flexible, and interoperable identity layer on top of OAuth 2.0 so that digital identities can be easily used across sites and applications. While enabling a default set of common claims about the user (such as name, e-mail address, and a user identifier enabling SSO) to be easily employed, OpenID Connect also enables participants to exchange any claims relevant to their application using simple JSON-based data structures.

As it is based in OAuth 2.0, OpenID Connect reaches beyond the Web. OpenID Connect brings identity interactions to "apps" and "native applications" on both smart phones and traditional computing devices, in addition to Web sites.

From a security perspective, OpenID Connect was built to be able to gracefully range from the low security levels typically employed for social networks to medium security levels needed for business applications to high security requirements needed for many government applications. OpenID Connect spans this wide range of applications by using JSON-based digital signature and encryption standards.

From a privacy perspective, OpenID Connect allows the selective sharing of attributes with user consent. It also enables the use of pairwise pseudonymous identifiers, thereby avoiding correlations as appropriate.

From a business perspective, OpenID Connect meets business needs for the use of claims from multiple Claims Providers in a single context (rather than a single Identity Provider being the source of all claims for any given interaction). It enables the use of Aggregated Claims, where signed claim values can be collected and passed on by OpenID Providers and the use of Distributed Claims, where claims are passed by reference, rather than by value, and dynamically retrieved by Relying Parties.

From a design perspective, OpenID Connect's modular design enables flexible deployments. Implementations can use only the components they need, while still remaining interoperable. For instance, "Discovery" and "Dynamic Client Registration" can used in deployments where OpenID Providers can be chosen dynamically, whereas they aren't needed if the site or application uses only a fixed set of OpenID Providers.

Unlike the previous version of OpenID, user identities can be e-mail addresses that people already have and know, rather than being URLs that most people have difficulty using.

3) Who is contributing to the standard?

OpenID Connect was developed in an OpenID Foundation working group. OpenID working groups are open to all free of charge who sign the IPR Contribution agreement. Contributors include a diverse international representation of industry and independent technology leaders: AOL, Deutsche Telecom, Facebook, Google, Microsoft, Mitre Corporation, mixi, Nomura Research Institute, PayPal, Salesforce, Yahoo! Japan, and others.

4) When is it expected to be finalized?

OpenID Connect is in the Implementer's Draft review period. That stage is similar to the DIS (Draft International Standard) phase of the ISO process. The approval vote will complete on February 15, 2012. The OpenID Connect specifications are expected to be competed in the second half of 2012.

5) What are the key Identity management objectives?

  *   Interoperability
  *   Security
  *   Ease of deployment
  *   Flexibility
  *   Wide support of devices
  *   Enabling Claims Providers to be distinct from Identity Providers

6) Does the standard exceed key objectives?

Yes.

7) Are there live deployments?

Yes. e.g., Google, Gakunin (Japanese Universities Network), Nikkei Newspaper, etc.

Mature deployments are under way by working group participants.

8) Does the deployment touch customers/consumers/citizens? If so, what benefit(s) is the application delivering to customers/consumers/citizens?

  *   More secure and familiar online interactions
  *   Easier to use authentication and attribute sharing

9) Does the deployment successfully address one of more of the following identity issues? If so, please provide brief examples.

  *   Help prevent/reduce identity theft? Yes.
  *   Help address ease of use issues? Yes.
  *   Help meet regulatory requirement? Yes.
  *   Meet unique vertical market objectives? Yes.

10) Why should this standard win the European Identity/Cloud Award?

OpenID Connect is a significant advance in digital identity that:

  1.  is simple to build and deploy, being based upon existing JSON/REST standards,
  2.  spans both Web and native applications, including mobile "apps",
  3.  has wide support from major cloud service providers, enterprise companies, and social networking companies,
  4.  helps combat identity theft by reducing the number of passwords in use,
  5.  enables new Web based services and expands existing online markets,
  6.  spurs global economic growth by enabling simple and secure exchange of verified attributes from multiple sources at Internet scale.

OpenID Connect is an important contribution to a safer, privacy protecting, and easy to use computing environment that spans the cloud, the Web, enterprises, and mobile applications and has broad industry backing. For these reasons, OpenID Connect merits the 2012 European Identity/Cloud Award.

Don Thibeau
The OpenID Foundation<http://openid.net>

_______________________________________________
general mailing list
general< at >lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general

[OpenID] OpenID Connect Wins 2012 European Identity and Cloud Award

Don Thibeau — 2012-04-18T17:33:58

OpenID Connect Wins 2012 European Identity and Cloud Award

Today at the European Identity and Cloud Conference it was announced that OpenID Connect has won the 2012 European Identity and Cloud Award for “Best Innovation / New Standard”. The OpenID Foundation and the Connect working group members want to thank Kuppinger Cole for this prestigious award and their vote of confidence in the significance of OpenID Connect.

Dave Kearns of Kuppinger Cole said this about the award:

“I’m pleased that Kuppinger Cole has granted OpenID Connect the award for Best Innovation/New Standard this year. What’s most impressive is that this elegantly simple design resulted from the cooperation of such a diverse global set of contributors. I expect OpenID Connect to have a substantial positive impact on usable, secure identity solutions both for traditional computing platforms and mobile devices. My congratulations to the OpenID Foundation!”

The application presented by the OpenID Foundation that resulted in the award follows.

European Identity & Cloud Awards 2012

Project company:
OpenID Foundation
Award category:
Best Innovation / New Standard in Information Security
1) Name of the Standard

OpenID Connect

2) Brief description of the Standard

OpenID Connect is a simple JSON/REST-based interoperable identity protocol built on top of the OAuth 2.0 family of specifications. Its design philosophy is “make simple things simple and make complicated things possible”.

While OAuth 2.0 is a generic access authorization delegation protocol, thus enabling the transfer of arbitrary data, it does not define ways to authenticate users or communicate information about them. OpenID Connect provides a secure, flexible, and interoperable identity layer on top of OAuth 2.0 so that digital identities can be easily used across sites and applications. While enabling a default set of common claims about the user (such as name, e-mail address, and a user identifier enabling SSO) to be easily employed, OpenID Connect also enables participants to exchange any claims relevant to their application using simple JSON-based data structures.

As it is based in OAuth 2.0, OpenID Connect reaches beyond the Web. OpenID Connect brings identity interactions to “apps” and “native applications” on both smart phones and traditional computing devices, in addition to Web sites.

From a security perspective, OpenID Connect was built to be able to gracefully range from the low security levels typically employed for social networks to medium security levels needed for business applications to high security requirements needed for many government applications. OpenID Connect spans this wide range of applications by using JSON-based digital signature and encryption standards.

From a privacy perspective, OpenID Connect allows the selective sharing of attributes with user consent. It also enables the use of pairwise pseudonymous identifiers, thereby avoiding correlations as appropriate.

From a business perspective, OpenID Connect meets business needs for the use of claims from multiple Claims Providers in a single context (rather than a single Identity Provider being the source of all claims for any given interaction). It enables the use of Aggregated Claims, where signed claim values can be collected and passed on by OpenID Providers and the use of Distributed Claims, where claims are passed by reference, rather than by value, and dynamically retrieved by Relying Parties.

From a design perspective, OpenID Connect’s modular design enables flexible deployments. Implementations can use only the components they need, while still remaining interoperable. For instance, “Discovery” and “Dynamic Client Registration” can used in deployments where OpenID Providers can be chosen dynamically, whereas they aren’t needed if the site or application uses only a fixed set of OpenID Providers.

Unlike the previous version of OpenID, user identities can be e-mail addresses that people already have and know, rather than being URLs that most people have difficulty using.

3) Who is contributing to the standard?

OpenID Connect was developed in an OpenID Foundation working group. OpenID working groups are open to all free of charge who sign the IPR Contribution agreement. Contributors include a diverse international representation of industry and independent technology leaders: AOL, Deutsche Telecom, Facebook, Google, Microsoft, Mitre Corporation, mixi, Nomura Research Institute, PayPal, Salesforce, Yahoo! Japan, and others.

4) When is it expected to be finalized?

OpenID Connect is in the Implementer’s Draft review period. That stage is similar to the DIS (Draft International Standard) phase of the ISO process. The approval vote will complete on February 15, 2012. The OpenID Connect specifications are expected to be competed in the second half of 2012.

5) What are the key Identity management objectives?

Interoperability
Security
Ease of deployment
Flexibility
Wide support of devices
Enabling Claims Providers to be distinct from Identity Providers
6) Does the standard exceed key objectives?

Yes.

7) Are there live deployments?

Yes. e.g., Google, Gakunin (Japanese Universities Network), Nikkei Newspaper, etc.

Mature deployments are under way by working group participants.

8) Does the deployment touch customers/consumers/citizens? If so, what benefit(s) is the application delivering to customers/consumers/citizens?

More secure and familiar online interactions
Easier to use authentication and attribute sharing
9) Does the deployment successfully address one of more of the following identity issues? If so, please provide brief examples.

Help prevent/reduce identity theft? Yes.
Help address ease of use issues? Yes.
Help meet regulatory requirement? Yes.
Meet unique vertical market objectives? Yes.
10) Why should this standard win the European Identity/Cloud Award?

OpenID Connect is a significant advance in digital identity that:

is simple to build and deploy, being based upon existing JSON/REST standards,
spans both Web and native applications, including mobile “apps”,
has wide support from major cloud service providers, enterprise companies, and social networking companies,
helps combat identity theft by reducing the number of passwords in use,
enables new Web based services and expands existing online markets,
spurs global economic growth by enabling simple and secure exchange of verified attributes from multiple sources at Internet scale.
OpenID Connect is an important contribution to a safer, privacy protecting, and easy to use computing environment that spans the cloud, the Web, enterprises, and mobile applications and has broad industry backing. For these reasons, OpenID Connect merits the 2012 European Identity/Cloud Award.

Don Thibeau
The OpenID Foundation

_______________________________________________
general mailing list
general< at >lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general

Re: [OpenID] How to login in gmail with my other OpenID

Eric Sachs — 2012-04-10T15:57:07

You might want to experiment with the features described in these two
documents:

   - https://support.google.com/accounts/bin/topic.py?hl=en&topic=1204325
   - https://sites.google.com/site/gitooldocs/experiment---account-chooser<https://support.google.com/accounts/bin/topic.py?hl=en&topic=1204325>


However the main need is still improvement in the general usability of
federation login.  If you are interested you could follow the efforts of
the account chooser working group:

https://sites.google.com/site/oidfacwg/cdsdemo



On Tue, Apr 10, 2012 at 6:38 AM, Andrew Arnott <andrewarnott< at >gmail.com>wrote:

Re: [OpenID] How to login in gmail with my other OpenID

Andrew Arnott — 2012-04-10T13:38:05

That would require that Google act as an OpenID relying party, which it
doesn't, sadly.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre


On Tue, Apr 10, 2012 at 4:40 AM, Mitaka <mitakataka< at >mail.bg> wrote:

_______________________________________________
general mailing list
general< at >lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general

[OpenID] How to login in gmail with my other OpenID

Mitaka — 2012-04-10T11:40:02

Hi I'm concerned with my privacy and security, so I like the idea of
OpenID accounts and I have a question:

If I have OpenID account, how I can login in gmail with it? Because I
want to use other OpenID, not the Google one...

[OpenID] Here, let me take that URL for you

SitG Admin — 2012-04-09T11:20:10

What happens if I notice someone enabling OpenID (with delegation) in 
their page's headers, but get to account creation before they do? I'm 
admittedly confused by the myopenid.com signup process (just looking 
at its first page, here), but if someone else beats me to 
registration, will myopenid.com let me create a *second* account 
which works just as well as the first? Perhaps prove my control of 
the domain through OP-supplied nonces that show up in my OpenID 
headers later, to keep Eve from simply creating another account? Is 
the myopenid.com Username configurable (it doesn't say), or am I 
forever stuck with what Eve put there? (I'm beginning to think that 
it would be simpler if we just never let me alter my page headers 
until I had signed up with a provider. But then we have to create the 
infrastructure to let OP's control what HTML code I can put on my own 
webpages, so that doesn't seem practical either. The current 
arrangement seems to be "say nothing, lest actively discouraging it 
give users the wrong idea".)

I'm looking at ClaimID's login/signup page, too. This is where I 
first began thinking of including the headers before a site was 
ready: for a movement that professes to care about "no registration", 
it sure seems kind of odd (to me) that the first thing we ask for 
(from users) is registration. (Sigh.) This is a bit of an impediment 
to my flow, from the tech end; if I'm going to sign up for an OpenID 
provider, why can't I do so with *my* OpenID? (Because, um, I don't 
*have* one yet? I do, but let's pretend that I don't.) I had somehow 
imagined it to be more streamlined: I add headers, and the provider 
confirms this. They see me coming (with redirect headers), they give 
me a deferral landing page that explains *why* they can't simply 
authenticate me straightaway, and *this* is where they tell me why 
they need various bits of information, and what they won't be able to 
do if I can't provide them with it. Of course, the real-internet 
*need* for this signup flow is negligible, I think - how many users 
*start* with adding headers to their page, instead of learning about 
OpenID through one of the many other channels?

Also, there's the security risk of committing to your provider before 
you've established credentials with them, which may tip off an alert 
adversary (or anyone crawling your blog often enough to notice the 
*moment* you update it) that it's time to go sign up for an account 
before you do. Automation might make this a more feasible attack, but 
I still don't see it as a serious concern. I'm more bothered by the 
idea that someone might DoS a particular user by continually 
registering for the most popular providers, in their name, and thus 
always "obstructing the doorway" with their own (unguessable) 
password.

-Shade

Re: [OpenID] OpenID in SMTP/IMAP/XMPP/etc

Simon Josefsson — 2012-04-05T03:26:09

That's the next step...  the current mechanisms specifies OPENID/SAML20
as SASL and GSS-API mechanism, federating them is needed but is on a
higher level.

/Simon

Lewis Adam-CAL022 <Adam.Lewis< at >motorolasolutions.com> writes:

  do
 als
  ge

Re: [OpenID] OpenID in SMTP/IMAP/XMPP/etc

Lewis Adam-CAL022 — 2012-04-05T01:58:07

Hi Simon, are you working on this within the context of the abfab working group?

-adam

-----Original Message-----
From: openid-general-bounces< at >lists.openid.net [mailto:openid-general-bounces< at >lists.openid.net] On Behalf Of Simon Josefsson
Sent: Tuesday, April 03, 2012 7:17 AM
To: Peter Williams
Cc: general< at >openid.net
Subject: Re: [OpenID] OpenID in SMTP/IMAP/XMPP/etc

The "why" is indeed to get rid of the password exchange in
SMTP/IMAP/XMPP/etc.  There is nothing more or less to it than that.  I
strongly believe that if we want to make it easy to use OpenID (or SAML,
or any authentication technology) it must support non-web technology.

/Simon

Peter Williams <home_pw< at >msn.com> writes:

 do
 ls
 ge
_______________________________________________
general mailing list
general< at >lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general

Re: [OpenID] OpenID in SMTP/IMAP/XMPP/etc

Nat Sakimura — 2012-04-03T22:31:37

+1

On Tue, Apr 3, 2012 at 9:17 PM, Simon Josefsson <simon< at >josefsson.org> wrote:

Re: [OpenID] OpenID in SMTP/IMAP/XMPP/etc

Simon Josefsson — 2012-04-03T12:17:23

The "why" is indeed to get rid of the password exchange in
SMTP/IMAP/XMPP/etc.  There is nothing more or less to it than that.  I
strongly believe that if we want to make it easy to use OpenID (or SAML,
or any authentication technology) it must support non-web technology.

/Simon

Peter Williams <home_pw< at >msn.com> writes:

 do
 ls
 ge

Re: [OpenID] OpenID in SMTP/IMAP/XMPP/etc

Simon Josefsson — 2012-04-03T12:11:18


I'd like to implement that as well, eventually.  However, I don't see
how that enables OpenID?  It is OAuth.  It may enable OpenID Connect,
but there is still a large deployment of OpenID 2.0.

/Simon

Re: [OpenID] OpenID in SMTP/IMAP/XMPP/etc

Nat Sakimura — 2012-04-01T08:37:36

Indeed, and we talk about it from time to time in and out if the WG.

I am hoping that the new web crypto wg at w3c may become a first step
towards  it.

=nat via iPhone

On 2012/04/01, at 2:50, Peter Williams <home_pw< at >msn.com> wrote:

[OpenID] windows 8 tablet, and openid

Peter Williams — 2012-03-31T18:41:13

ok Ill admit that we never "deployed" openid (as an IDP). I do have a nice codeplex project that is built on the 4windows openid library, that nicely emulates myopenid. But, Ive never had "need" to use it. We will see why below.

As an SP, we can accept openid messages from Google, Yahoo, myopenid and openlink4webid (courtesy of the Microsoft Azure openid->ws-fedp bridge). Today, a nice demo has folks with Google crdentials using them to land on Joomla (that we properly ws-fedp enabled). Joomla plugins (wordpress and all its plugins, and JomSocial) then round out the user-centric experience.

Since we bought into microsoft STS (passive) concept, the path from Google to Joomla actually wanders by other STSs, transparently. these create web-sessions in passing (and control flows, or add/transform claims). For exmaple, our realty authz claims inserted by an intermediated STS are mapped onto Joomla groups - which drives the flow in what is a now a 100% claims-drive website. Since folks have a google (and other sessions), mere hyperlinks from the SP site back to "pages" on the IDP sites (googe social, realty MLS, assocition-CRM) get folks a mashed-up webapp experience - without us acting an an openid token issuer. You already have those sessions!

But, none of this gets me to the windows 8 tablet. The above is the web that was.

What one thing can I do, for modern openid, in a windows 8 tablet world - that showcases openid (connect)?

I probably have about 1 shot at inserting openid (connect) into a first release of a realty website tuned specifically to tablet-interaction dynamics. What can I do?

There must be zero politics (dont sell me governance). There must be no strange .net languages (install Boo runtime on the tablet). There must be no third-party managed nascar array (full of politics and "control" of RP by IDPs issues). And, ideally, it would somehow showcase why openid is relevant to the device-centric "paradigm shift" - why openind is so totally relevant to a tablet-based UI concept (that looks like and behaves nothing like its PC desktop rendition).

Re: [OpenID] OpenID in SMTP/IMAP/XMPP/etc

Peter Williams — 2012-03-31T17:49:56

You stated is what it does (alongside lots of other GSS API methods wrapped by SASL, to do the same GSS defined mechanism/service). It said nothing more than the original annoucement (SASL now does openid auth, too, wrapped in GSS API constructs)

 

But why does it need to exist?

 

What is the distinguishing feature?

 

is it assurance, perhaps (since GSS is a gatekeeper on OS-mediated asurance for security mechanisms, typically).

 

For example, webby openid did something better than SAML2, properly using discovery of metadata to drive such as openid delegation, allow for failover or renaming of IDP endpoint domains, etc etc. And, it all used webby expression of such metadata (rel headers, or an XML file on an https or XRI resolver endpoint). This was "why" it did something distinct from SAML2's authReq protocol as delivered in practice (with which openid is functionally identical "at the GSS level"). The openid/oauth went a bit further, for API access to IDP followup-services (post-authn)

 

 

The thing that originally attracted me to openid (in its webby incarnation) was the "vitality" of the infrastructure vision (not the bits on the wire protocol). This came from the merger of interests, in the XRI and YADIS come-together. Pre-semantic web, blogging looked to get us quite some distance along machine-readable, self-healing infrastructure - with a user-centric twinge even - at low cost (no long w3c arguments, on the nature of life or the imposition of a common reference model due to some German philosopher who died in 1850 before the phone was invented).

 

 

Now what is the opeind "auth protocol" bringing to the SASL world?

 


perhaps its just that one password challenge at an IDP now ALSO address accessing the IMAP mailbox (and that is the "why"). If so... fine. Is there any more to it "in the vision"?

 

we heard that much of the going-forward openid activity is focussed on the "device-centric" web (vs the browser-centric web). And... architecture was evolving to address this new focus. Perhaps the GSS/SASL is a part of that "vision" where not only are we/you accomodating new client-access devices, but non-webby services too (the IMAP mailbox, etc).

 

(I cannot help feeling that openid - the technology - would really benefit from merging properly with SSL - defining a fourth "openid" certificate-type and/or sub-protocol on the SSL bearer - designed to tied two tunnels together in a 3-corner model. Thus would be so much better than all this endless glueware)

 

 

 


----------------------------------------
&#62; From&#58; simon&#64;josefsson.org&#13;&#10;&#62; To&#58; home_pw&#64;msn.com&#13;&#10;&#62; CC&#58; sakimura&#64;gmail.com&#59; general&#64;openid.net&#13;&#10;&#62; Subject&#58; Re&#58; OpenID in SMTP/IMAP/XMPP/etc&#13;&#10;&#62; Date&#58; Sat, 31 Mar 2012 09&#58;44&#58;01 &#43;0200&#13;&#10;&#62;&#13;&#10;&#62; It allows clients to authenticate against servers using OpenID for&#13;&#10;&#62; protocols that uses SASL. That includes SMTP, IMAP, XMPP and so on. So&#13;&#10;&#62; far OpenID has been for web login only, but this changes that.&#13;&#10;&#62;&#13;&#10;&#62; /Simon&#13;&#10;&#62;&#13;&#10;&#62; Peter Williams &#60;home_pw&#64;msn.com&#62; writes&#58;&#13;&#10;&#62;&#13;&#10;&#62; &#62; Why does it need to exist&#63;&#13;&#10;&#62; &#62;&#13;&#10;&#62; &#62; What does it do
  that 156 other gss methods do not do&#63;&#13;&#10;&#62; &#62;&#13;&#10;&#62; &#62; Sent from my iPhone&#13;&#10;&#62; &#62;&#13;&#10;&#62; &#62; On Mar 29, 2012, at 11&#58;17 PM, &#34;Nat 
 Sakimura&#34; &#60;sakimura&#64;gmail.com&#62; wrote&#58;&#13;&#10;&#62; &#62;&#13;&#10;&#62; &#62;&#62; Great news&#33;&#13;&#10;&#62; &#62;&#62;&#13;&#10;&#62; &#62;&#62; I will have a look at it.&#13;&#10;&#62; &#62;&#62;&#13;&#10;&#62; &#62;&#62; Cheers,&#13;&#10;&#62; &#62;&#62;&#13;&#10;&#62; &#62;&#62; Nat&#13;&#10;&#62; &#62;&#62;&#13;&#10;&#62; &#62;&#62; On Thu, Mar 29, 2012 at 4&#58;29 AM, Simon Josefsson &#60;simon&#64;josefsson.org&#62; wrote&#58;&#13;&#10;&#62; &#62;&#62; Hi folks&#33;&#13;&#10;&#62; &#62;&#62;&#13;&#10;&#62; &#62;&#62; I have been working on the IETF draft for OpenID in SASL&#58;&#13;&#10;&#62; &#62;&#62;&#13;&#10;&#62; &#62;&#62; https&#58;//tools.ietf.org/html/draft-ietf-kitten-sasl-openid-08&#13;&#10;&#62; &#62;&#62;&#13;&#10;&#62; &#62;&#62; and now als
 o implemented it in GNU SASL, see this writeup&#58;&#13;&#10;&#62; &#62;&#62;&#13;&#10;&#62; &#62;&#62; https&#58;//lists.gnu.org/archive/html/help-gsasl/2012-03/msg00004.html&#13;&#10;&#62;
  &#62;&#62;&#13;&#10;&#62; &#62;&#62; I wanted to reach out to the OpenID community to find people who want to&#13;&#10;&#62; &#62;&#62; work on implementing/deploying this. If you have some interest in&#13;&#10;&#62; &#62;&#62; implementing OpenID support for your SASL-based application &#40;SMTP, IMAP,&#13;&#10;&#62; &#62;&#62; XMPP, etc&#41; let me know and I will try to help.&#13;&#10;&#62; &#62;&#62;&#13;&#10;&#62; &#62;&#62; If anyone else has implemented the OPENID20 mechanism, I would also love&#13;&#10;&#62; &#62;&#62; to do interop testing.&#13;&#10;&#62; &#62;&#62;&#13;&#10;&#62; &#62;&#62; Cheers,&#13;&#10;&#62; &#62;&#62; /Simon&#13;&#10;&#62; &#62;&#62; _______________________________________________&#13;&#10;&#62; &#62;&#62; general mailing list&#13;&#10;&#62; &#62;&#62; ge
 neral&#64;lists.openid.net&#13;&#10;&#62; &#62;&#62; http&#58;//lists.openid.net/mailman/listinfo/openid-general&#13;&#10;&#62; &#62;&#62;&#13;&#10;&#62; &#62;&#62;&#13;&#10;&#62; &#62;&#62;
 &#13;&#10;&#62; &#62;&#62; --&#13;&#10;&#62; &#62;&#62; Nat Sakimura &#40;&#61;nat&#41;&#13;&#10;&#62; &#62;&#62; Chairman, OpenID Foundation&#13;&#10;&#62; &#62;&#62; http&#58;//nat.sakimura.org/&#13;&#10;&#62; &#62;&#62; &#64;_nat_en&#13;&#10;&#62; &#62;&#62;&#13;&#10;&#62; &#62;&#62; _______________________________________________&#13;&#10;&#62; &#62;&#62; general mailing list&#13;&#10;&#62; &#62;&#62; general&#64;lists.openid.net&#13;&#10;&#62; &#62;&#62; http&#58;//lists.openid.net/mailman/listinfo/openid-general&#13;&#10;