Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

by David Recordon

Hey David,
I've been following some of the discovery work the past few months, but don't have a clear picture if the various components are actually solid enough to begin working with.  I know XRD is moving forward, but what's the state of site-meta (http://tools.ietf.org/html/draft-nottingham-site-meta-01) or now WebFinger (http://code.google.com/p/webfinger/)?  Is there something in WebFinger which wouldn't solve OpenID discovery entirely?

These questions and the lack of adoption of XRD, site-meta or completion of WebFinger have all contributed to my belief that we're still just not ready to redefine how OpenID's discovery process should work.

Thoughts?

Thanks,
--David

Begin forwarded message:

From: David Fuelling <sappenin@...>
Date: June 9, 2009 10:07:20 AM PDT
To: Allen Tom <atom@...>
Subject: Re: [security] OpenID Security Best Practices Doc
Reply-To: sappenin@...

On Tue, Jun 9, 2009 at 5:38 AM, Allen Tom <atom@...> wrote:
Is the community ready to move forward with OpenID 2.1?

I can't necessarily speak for the community, but I'd at least like to move forward with the 2.1 Discovery WG.  The output of that is expected to be a "best practices" document relating to Discovery that would (it is expected) be used in the regular OpenID 2.1 WG.

I'm not opposed to doing all of this in parallel.
 
I do believe that we really need a security best practices document, and it shouldn't have to wait until OpenID 2.1 is finalized.


+1
 

Anyway, when you said you had been "nominated", it made me think there's some shadow process going on behind the scenes when it comes to these Working Groups.
At the December 2008 IIW, I was either nominated or was volunteered to work on Security Best Practices document after I strongly advocated that the community write one.

Cool.  Like I said, I wasn't trying to say you shouldn't be doing this work.  I just wanted to make sure it was "open".  I wasn't at IIW, so that explains my disconnect.
 
Am I missing something?  Are there "private" WG discussions going on that the rest of us can't see?
The security best practices document was first discussed at the December 2008 IIW session on OpenID 2.1, completely in the open.

See my comment above.

 
Or are you just "taking some initiative", as it were?
Well, I'd been procrastinating for more than 6 months, but I think we waited long enough. More and more sites want to deploy OpenID, and it's about time we had a security document that potential implementers can read, other than just reading the specs, and various blog posts.

:)  -- I'm glad you've started working on this.  It's important to have.

 
-- I'm really just looking to get "in the loop" on this Working Group business, assuming I'm out if currently).
I believe that the process requires the WG proposers to take their proposal to the Specifications council who will review the proposal and give their recommendation to the general membership of the OIDF to either approve or deny the request to form the WG. The general membership then votes on the proposal, and if the proposal is approved, the WG is formed. There's also a very painful process for the WG members to get their employers to approve their participation in the WG.

The WG proposals that seem to be stalled right now appear to be OpenID 2.1, SREG 1.1, and AX 2.0.

At least with regards to SREG 1.1 and AX 2.0, I believe that the proposers are waiting for their employers to approve their participation. Where is Dick Hardt? The OpenID world misses you!

I'm not sure about the status on OpenID 2.1, but at least for myself, I'm more focused on the immediate goals of getting OpenID OAuth Hybrid and the OpenID UI Extensions finalized.

I for one would like to move forward on the 2.1 Discovery WG.  XRD will be a big part of that, but at this point it seems like much of XRD has been solidified (at least, enough for us to begin the 2.1 Discovery WG).
 
The OpenID Wiki says that the Discovery WG proposal has been sent to the specs council, but I have not seen the proposal yet.

 I think this is the proposal:
http://wiki.openid.net/OpenID-Discovery

_______________________________________________
security mailing list
security@...
http://openid.net/mailman/listinfo/security


_______________________________________________
specs mailing list
specs@...
http://openid.net/mailman/listinfo/specs

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

by Santosh Rajan

We need to remember that XRD only addresses discovery for URL identifiers. XRD does not address email like identifiers. XRD actually has two properties.
1) generic format for resource descriptor documents (XRD documents)
2) protocol for obtaining XRD documents from HTTP(S) URIs.
For email identifiers we are using only property (1) which is by and large defined, except for the signature part.

David Recordon wrote:
Hey David,
I've been following some of the discovery work the past few months,  
but don't have a clear picture if the various components are actually  
solid enough to begin working with.  I know XRD is moving forward, but  
what's the state of site-meta (http://tools.ietf.org/html/draft-nottingham-site-meta-01)
or now WebFinger (http://code.google.com/p/webfinger/)?  Is there
something in WebFinger which wouldn't solve OpenID discovery entirely?

These questions and the lack of adoption of XRD, site-meta or  
completion of WebFinger have all contributed to my belief that we're  
still just not ready to redefine how OpenID's discovery process should  
work.

Thoughts?

Thanks,
--David

Begin forwarded message:

> From: David Fuelling <sappenin@gmail.com>
> Date: June 9, 2009 10:07:20 AM PDT
> To: Allen Tom <atom@yahoo-inc.com>
> Cc: security@openid.net, general@openid.net
> Subject: Re: [security] OpenID Security Best Practices Doc
> Reply-To: sappenin@gmail.com
>
> On Tue, Jun 9, 2009 at 5:38 AM, Allen Tom <atom@yahoo-inc.com> wrote:
> Is the community ready to move forward with OpenID 2.1?
>
> I can't necessarily speak for the community, but I'd at least like  
> to move forward with the 2.1 Discovery WG.  The output of that is  
> expected to be a "best practices" document relating to Discovery  
> that would (it is expected) be used in the regular OpenID 2.1 WG.
>
> I'm not opposed to doing all of this in parallel.
>
> I do believe that we really need a security best practices document,  
> and it shouldn't have to wait until OpenID 2.1 is finalized.
>
>
> +1
>
>
> Anyway, when you said you had been "nominated", it made me think  
> there's some shadow process going on behind the scenes when it comes  
> to these Working Groups.
> At the December 2008 IIW, I was either nominated or was volunteered  
> to work on Security Best Practices document after I strongly  
> advocated that the community write one.
>
> Cool.  Like I said, I wasn't trying to say you shouldn't be doing  
> this work.  I just wanted to make sure it was "open".  I wasn't at  
> IIW, so that explains my disconnect.
>
> Am I missing something?  Are there "private" WG discussions going on  
> that the rest of us can't see?
> The security best practices document was first discussed at the  
> December 2008 IIW session on OpenID 2.1, completely in the open.
>
> See my comment above.
>
>
> Or are you just "taking some initiative", as it were?
> Well, I'd been procrastinating for more than 6 months, but I think  
> we waited long enough. More and more sites want to deploy OpenID,  
> and it's about time we had a security document that potential  
> implementers can read, other than just reading the specs, and  
> various blog posts.
>
> :)  -- I'm glad you've started working on this.  It's important to  
> have.
>
>
> -- I'm really just looking to get "in the loop" on this Working  
> Group business, assuming I'm out if currently).
> I believe that the process requires the WG proposers to take their  
> proposal to the Specifications council who will review the proposal  
> and give their recommendation to the general membership of the OIDF  
> to either approve or deny the request to form the WG. The general  
> membership then votes on the proposal, and if the proposal is  
> approved, the WG is formed. There's also a very painful process for  
> the WG members to get their employers to approve their participation  
> in the WG.
>
> The WG proposals that seem to be stalled right now appear to be  
> OpenID 2.1, SREG 1.1, and AX 2.0.
>
> At least with regards to SREG 1.1 and AX 2.0, I believe that the  
> proposers are waiting for their employers to approve their  
> participation. Where is Dick Hardt? The OpenID world misses you!
>
> I'm not sure about the status on OpenID 2.1, but at least for  
> myself, I'm more focused on the immediate goals of getting OpenID  
> OAuth Hybrid and the OpenID UI Extensions finalized.
>
> I for one would like to move forward on the 2.1 Discovery WG.  XRD  
> will be a big part of that, but at this point it seems like much of  
> XRD has been solidified (at least, enough for us to begin the 2.1  
> Discovery WG).
>
> The OpenID Wiki says that the Discovery WG proposal has been sent to  
> the specs council, but I have not seen the proposal yet.
>
>  I think this is the proposal:
> http://wiki.openid.net/OpenID-Discovery
>
> _______________________________________________
> security mailing list
> security@openid.net
> http://openid.net/mailman/listinfo/security


Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

by Breno de Medeiros

If we start the process to form a WG for discovery now, most likely the process would only be completed in 6 months, even if there was considerable agreement and stable technologies to draw from.

Right now, there is quite a bit of momentum and excitement about Webfinger.  The XRI TC is hoping to publish draft specs for XRD within the next 30 days. Concurrently, and in particular after that, it is hoped that progress on webfinger will be speedy. Webfinger spec discussion may take place at either XRI TC or IETF.

Should we just start responding to all threads about OpenID 2.x discovery by saying that the discussion is taking place at some other mailing list?

On Tue, Jun 9, 2009 at 11:36 AM, David Recordon <david@...> wrote:
These questions and the lack of adoption of XRD, site-meta or completion of WebFinger have all contributed to my belief that we're still just not ready to redefine how OpenID's discovery process should work.



--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

by Allen Tom-2

My primary concern with changing OpenID Discovery is the upgrade path to
the new discovery mechanism. It took way too long for everyone to
upgrade to OpenID 2.0, so I'd like to have a better understanding of the
upgrade path to OpenID 2.1 and/or the new Discovery mechanism.

Allen


David Recordon wrote:

> Hey David,
> I've been following some of the discovery work the past few months,
> but don't have a clear picture if the various components are actually
> solid enough to begin working with.  I know XRD is moving forward, but
> what's the state of site-meta
> (http://tools.ietf.org/html/draft-nottingham-site-meta-01) or now
> WebFinger (http://code.google.com/p/webfinger/)?  Is there something in
> WebFinger which wouldn't solve OpenID discovery entirely?
>
> These questions and the lack of adoption of XRD, site-meta or
> completion of WebFinger have all contributed to my belief that we're
> still just not ready to redefine how OpenID's discovery process should
> work.
>
> Thoughts?
>
> Thanks,
> --David
>
> Begin forwarded message:
>
>> From: David Fuelling <sappenin@...>
>> Date: June 9, 2009 10:07:20 AM PDT
>> To: Allen Tom <atom@...>
>> Cc: security@..., general@...
>> Subject: Re: [security] OpenID Security Best Practices Doc
>> Reply-To: sappenin@...
>>
>> On Tue, Jun 9, 2009 at 5:38 AM, Allen Tom <atom@...> wrote:
>>
>>     Is the community ready to move forward with OpenID 2.1?
>>
>>
>> I can't necessarily speak for the community, but I'd at least like to
>> move forward with the 2.1 Discovery WG.  The output of that is
>> expected to be a "best practices" document relating to Discovery that
>> would (it is expected) be used in the regular OpenID 2.1 WG.
>>
>> I'm not opposed to doing all of this in parallel.
>>  
>>
>>     I do believe that we really need a security best practices
>>     document, and it shouldn't have to wait until OpenID 2.1 is
>>     finalized.
>>
>>
>> +1
>>  
>>
>>
>>         Anyway, when you said you had been "nominated", it made me
>>         think there's some shadow process going on behind the scenes
>>         when it comes to these Working Groups.
>>
>>     At the December 2008 IIW, I was either nominated or was
>>     volunteered to work on Security Best Practices document after I
>>     strongly advocated that the community write one.
>>
>>
>> Cool.  Like I said, I wasn't trying to say you shouldn't be doing
>> this work.  I just wanted to make sure it was "open".  I wasn't at
>> IIW, so that explains my disconnect.
>>  
>>
>>         Am I missing something?  Are there "private" WG discussions
>>         going on that the rest of us can't see?
>>
>>     The security best practices document was first discussed at the
>>     December 2008 IIW session on OpenID 2.1, completely in the open.
>>
>>
>> See my comment above.
>>
>>  
>>
>>         Or are you just "taking some initiative", as it were?
>>
>>     Well, I'd been procrastinating for more than 6 months, but I
>>     think we waited long enough. More and more sites want to deploy
>>     OpenID, and it's about time we had a security document that
>>     potential implementers can read, other than just reading the
>>     specs, and various blog posts.
>>
>>
>> :)  -- I'm glad you've started working on this.  It's important to have.
>>
>>  
>>
>>         -- I'm really just looking to get "in the loop" on this
>>         Working Group business, assuming I'm out if currently).
>>
>>     I believe that the process requires the WG proposers to take
>>     their proposal to the Specifications council who will review the
>>     proposal and give their recommendation to the general membership
>>     of the OIDF to either approve or deny the request to form the WG.
>>     The general membership then votes on the proposal, and if the
>>     proposal is approved, the WG is formed. There's also a very
>>     painful process for the WG members to get their employers to
>>     approve their participation in the WG.
>>
>>     The WG proposals that seem to be stalled right now appear to be
>>     OpenID 2.1, SREG 1.1, and AX 2.0.
>>
>>
>>     At least with regards to SREG 1.1 and AX 2.0, I believe that the
>>     proposers are waiting for their employers to approve their
>>     participation. Where is Dick Hardt? The OpenID world misses you!
>>
>>     I'm not sure about the status on OpenID 2.1, but at least for
>>     myself, I'm more focused on the immediate goals of getting OpenID
>>     OAuth Hybrid and the OpenID UI Extensions finalized.
>>
>>
>> I for one would like to move forward on the 2.1 Discovery WG.  XRD
>> will be a big part of that, but at this point it seems like much of
>> XRD has been solidified (at least, enough for us to begin the 2.1
>> Discovery WG).
>>  
>>
>>     The OpenID Wiki says that the Discovery WG proposal has been sent
>>     to the specs council, but I have not seen the proposal yet.
>>
>>
>>  I think this is the proposal:
>> http://wiki.openid.net/OpenID-Discovery
>>
>> _______________________________________________
>> security mailing list
>> security@...
>> http://openid.net/mailman/listinfo/security
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> specs mailing list
> specs@...
> http://openid.net/mailman/listinfo/specs
>  

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

by David Fuelling

David,

Great questions -- see my thoughts/opinions inline...

david

On Tue, Jun 9, 2009 at 6:36 PM, David Recordon <david@...> wrote:
Hey David,
I've been following some of the discovery work the past few months, but don't have a clear picture if the various components are actually solid enough to begin working with.

This is a valid concern.  From what I can gather from the XRD discussions, it seems like the last remaining "issue" with XRD is the signature format to adopt.  Other than that it seems like XRD is very close (XRI TC participants correct me if I'm wrong -- I don't speak for the TC as I've mainly been lurking there).

Granted, it will take time to get community feedback on XRD, and move through the OASIS standards mechanisms, but it seems like there's enough meat there to begin drafting a document that would outline how the OpenID community should utilize XRD (I think that's the expected deliverable from the Discovery 2.1 WG, anyway).

To me, it seems like the 2.1 Discovery WG _could_ be happening in parallel.  After all, the 2.1 Discovery WG is only producing a "recommendations" doc.  The official 2.1 WG could choose to ignore that doc.
 
 I know XRD is moving forward, but what's the state of site-meta (http://tools.ietf.org/html/draft-nottingham-site-meta-01) or now WebFinger (http://code.google.com/p/webfinger/)?  Is there something in WebFinger which wouldn't solve OpenID discovery entirely?

I'll defer to Eran on the state of site-meta.  I have been participating in some preliminary (and brief) discussions on the webfinger list (see here: http://groups.google.com/group/webfinger/browse_thread/thread/7936700f02b0049b). 
I tend to agree with Eran about not needing to normatively specify webfinger.  XRD really takes care of the entire discovery process for email addresses (we just need the intro part that says "where to look" when presented with an email-like identifier).  Essentially, webfinger would be a 2 sentence spec: 

1.) Look for an "@", split the identifier around the "@", and use the "domain" portion of the email to get the host-meta file. 
2.) Use XRD to perform discovery on the identifier.

I wouldn't be opposed to making a normative spec out of webfinger, but in my experience with EAUT and the discussions around email as an OpenID, there were some fundamental disagreements about authorities for email addresses.  There's a significant camp of people that believe this information should be included in DNS.  There's also a significant group of people who believe it could be located in an XRD file (or, "on the web").  And some (like me) who believe it could be located in both places, with one taking precedence over the other, plus clear rules of how to behave if one authority is missing.

All that to say, I think the OpenID community should take the _principles_ of webfinger, and create its own spec to deal with email addresses.  The notion of getting a normative webfinger spec that satisfies every use case on the Internet (i.e., a generic webfinger spec) seems a bit unlikely to me (I could be wrong).

All that to say, I think we in OpenID land should specify how _we_ treat email-like identifiers in our own normative spec, using the principles of webfinger.

(whew -- sorry for being so long winded).

;)

 
These questions and the lack of adoption of XRD, site-meta or completion of WebFinger have all contributed to my belief that we're still just not ready to redefine how OpenID's discovery process should work.

My opinion is that we know enough to get the ball rolling.  There are a lot of other outstanding issues relating to discovery than just XRD.  It's a valid point, though, and I would be open to the counter-argument that says, "we should wait till XRD, LRDD, etc are finalized before we consider them".  I guess I'm more of the opinion that the 2.1 Discovery WG is going to produce a "guidance document" about 2.1 Discovery, and it seems like we know enough about XRD and its associated protocols to begin discussing and drafting that document.

I guess an additional, if not bigger, question is:  do we need a 2.1 Discovery WG to produce a "best practices" doc?

 

Thoughts?

Thanks,
--David

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

by David Fuelling

On Tue, Jun 9, 2009 at 7:00 PM, Santosh Rajan <santrajan@...> wrote:

We need to remember that XRD only addresses discovery for URL identifiers.

This is not really true.  The XRD document schema only demands that an identifier be a URI, both for the XRD document's "subject" (i.e., the canonical-id) and the XRD document's "alias" (i.e., other synonym Identifiers).

"david@..." is really the following URI: "mailto:david@...", and would work just fine in XRD.

 
XRD
does not address email like identifiers. XRD actually has two properties.
1) generic format for resource descriptor documents (XRD documents)
2) protocol for obtaining XRD documents from HTTP(S) URIs.
For email identifiers we are using only property (1) which is by and large
defined, except for the signature part.

Actually, XRD relies on a "well known location" to begin the Discovery process.  That is the subject of a different spec called "Host Meta" (http://tools.ietf.org/html/draft-nottingham-site-meta-01).  FYI, Eran has a great blog post on all of this here: http://www.hueniverse.com/hueniverse/2009/03/the-discovery-protocol-stack.html

All that to say: as long as OpenID defines how to locate the "host-meta" file for a particular Identifier (like an email address), then that Identifier can work just fine with XRD, and we can then use that identifier (e.g., an email address) in the OpenID flow (some other parts of the spec would need to be adjusted for this to actually work, but you get the idea).

We (the OpenID community) just need to define how this is going to happen (thus, the 2.1 Discovery WG).
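The lookup described in this thread (split an e-mail-like identifier at the "@", ask the domain for its host-meta file, and treat the address as a `mailto:` URI for XRD), sketched as an added example that is not part of the thread or of any OpenID, XRD or WebFinger specification. The host-meta path (the one later standardised in RFC 6415), the HTTPS-only rule and the rejection policies are assumptions of this example; the identifier comes from the user, so the host it names is validated before a relying party would fetch anything from it.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: the thread names no path for the host-meta file. This is the
# location later standardised in RFC 6415; the 2009 drafts may differ.
HOST_META_PATH = "/.well-known/host-meta"

_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")   # one LDH hostname label
_NUMERIC_LABEL = re.compile(r"0x[0-9a-f]*|[0-9]+")   # URL parsers read these as IPv4
# Deliberately conservative local-part policy for this example (not RFC 5322).
_LOCAL_PART = re.compile(r"[A-Za-z0-9._%+-]{1,64}")


class DiscoveryError(ValueError):
    """The identifier cannot safely be used as a discovery starting point."""


@dataclass(frozen=True)
class DiscoveryTarget:
    subject_uri: str    # URI form of the identifier (the XRD "subject")
    host: str           # authority that will be asked for host-meta
    host_meta_url: str  # where the relying party would fetch host-meta


def validate_host(host: str) -> str:
    """Return a lower-case, fully qualified DNS name or raise DiscoveryError."""
    host = host.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        pass  # not an IP literal, keep checking
    else:
        raise DiscoveryError("IP literals are not accepted as authorities")
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise DiscoveryError("host is not a valid domain name") from exc
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(label) for label in labels):
        raise DiscoveryError("host is not a fully qualified domain name")
    if _NUMERIC_LABEL.fullmatch(labels[-1]):
        raise DiscoveryError("host would be parsed as an IPv4 address")
    return host


def discovery_target(identifier: str) -> DiscoveryTarget:
    """Map a user-supplied identifier to its subject URI and host-meta URL."""
    ident = identifier.strip()
    scheme = ident.split(":", 1)[0].lower() if ":" in ident else ""
    if scheme in ("http", "https"):
        # A URL may carry "@" as userinfo; it must never be split like e-mail.
        try:
            parts = urlsplit(ident)
            port = parts.port
        except ValueError as exc:
            raise DiscoveryError("malformed URL identifier") from exc
        if parts.username is not None or parts.password is not None:
            raise DiscoveryError("userinfo in a URL identifier is ambiguous")
        if port is not None:
            raise DiscoveryError("explicit ports are not accepted")
        host = validate_host(parts.hostname or "")
        subject = f"{scheme}://{host}{parts.path or '/'}"
    else:
        addr = ident[len("mailto:"):] if scheme == "mailto" else ident
        # Two "@" signs make "which side is the domain" ambiguous: refuse.
        if addr.count("@") != 1:
            raise DiscoveryError("expected exactly one '@'")
        local, _, domain = addr.partition("@")
        if not _LOCAL_PART.fullmatch(local):
            raise DiscoveryError("local part outside the accepted character set")
        host = validate_host(domain)
        subject = f"mailto:{local}@{host}"
    return DiscoveryTarget(subject, host, f"https://{host}{HOST_META_PATH}")


if __name__ == "__main__":
    # Constructed sample identifiers, not taken from the thread.
    for sample in ("David@Example.COM", "https://Example.com",
                   "a@evil.example@good.example", "alice@127.1"):
        try:
            print(sample, "->", discovery_target(sample))
        except DiscoveryError as err:
            print(sample, "-> rejected:", err)
```

The question the thread leaves open, which system is the authority for an e-mail address (DNS, the web, or both with a precedence rule), is not decided by this example; it only fixes the web host that would be consulted.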

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

by David Fuelling

On Tue, Jun 9, 2009 at 7:09 PM, Breno de Medeiros <breno@...> wrote:
If we start the process to form a WG for discovery now, most likely the process would only be completed in 6 months, even if there was considerable agreement and stable technologies to draw from.

Right now, there is quite a bit of momentum and excitement about Webfinger.  The XRI TC is hoping to publish draft specs for XRD within the next 30 days. Concurrently, and in particular after that, it is hoped that progress on webfinger will be speedy. Webfinger spec discussion may take place at either XRI TC or IETF.

Even if webfinger does become its own spec, I'm not confident it will end up looking the same in the context of OpenID (there are thorny issues like Authority to contend with: e.g., what system is the meta-data authority for an email address?   DNS? Web (Host-meta?)? Both?  Something-else?)

I guess my opinion is that this work needs to happen in both places, so why not start it here as well.

Should we just start responding to all threads about OpenID 2.x discovery by saying that the discussion is taking place at some other mailing list?

Last point to reiterate: There are a lot of Discovery issues besides email addresses and XRD.  See the wiki for more.



Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

by Breno de Medeiros

And I agree with you. My view is that in the absence of an OpenID discovery WG there will be _more_ uncertainty about future directions for the spec, not less.

On Tue, Jun 9, 2009 at 2:13 PM, David Fuelling <sappenin@...> wrote:
On Tue, Jun 9, 2009 at 7:09 PM, Breno de Medeiros <breno@...> wrote:
If we start the process to form a WG for discovery now, most likely the process would only be completed in 6 months, even if there was considerable agreement and stable technologies to draw from.

Right now, there is quite a bit of momentum and excitement about Webfinger.  The XRI TC is hoping to publish draft specs for XRD within the next 30 days. Concurrently, and in particular after that, it is hoped that progress on webfinger will be speedy. Webfinger spec discussion may take place at either XRI TC or IETF.

Even if webfinger does become its own spec, I'm not confident it will end up looking the same in the context of OpenID (there are thorny issues like Authority to contend with: e.g., what system is the meta-data authority for an email address?   DNS? Web (Host-meta?)? Both?  Something-else?)

I guess my opinion is that this work needs to happen in both places, so why not start it here as well.

Should we just start responding to all threads about OpenID 2.x discovery by saying that the discussion is taking place at some other mailing list?

Last point to reiterate: There are a lot of Discovery issues besides email addresses and XRD.  See the wiki for more.





--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)

Re: Are the Discovery Components Done Enough?

by SitG Admin

>There's a significant camp of people that believe this information
>should be included in DNS.  There's also a significant group of
>people who believe it could be located in an XRD file (or, "on the
>web").

What if the discovery document says "E-mail this autoresponder address."?

Should all discovery (in OpenID) be able to take place over the
HTTP/HTTPS protocol, or will it be flexible enough to accept plugins
for extending the base discovery method?

-Shade
Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

by David Fuelling

My bad -- I errantly thought you were advocating the opposite.

On Tue, Jun 9, 2009 at 9:15 PM, Breno de Medeiros <breno@...> wrote:
And I agree with you. My view is that in the absence of an OpenID discovery WG there will be _more_ uncertainty about future directions for the spec, not less.



Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

by David Fuelling

Great feedback.  I took the liberty to add this to the "Discussion Points" on the wiki page.
http://wiki.openid.net/OpenID-Discovery

On Tue, Jun 9, 2009 at 8:43 PM, Allen Tom <atom@...> wrote:
My primary concern with changing OpenID Discovery is the upgrade path to the new discovery mechanism. It took way too long for everyone to upgrade to OpenID 2.0, so I'd like to have a better understanding of the upgrade path to OpenID 2.1 and/or the new Discovery mechanism.

Allen

Re: Are the Discovery Components Done Enough?

by David Fuelling

On Tue, Jun 9, 2009 at 9:19 PM, SitG Admin <sysadmin@...> wrote:
There's a significant camp of people that believe this information should be included in DNS.  There's also a significant group of people who believe it could be located in an XRD file (or, "on the web").

What if the discovery document says "E-mail this autoresponder address."?

Should all discovery (in OpenID) be able to take place over the HTTP/HTTPS protocol, or will it be flexible enough to accept plugins for extending the base discovery method?

-Shade

I'm inclined to support the latter -- In some future version of OpenID Auth (possibly even 2.1), I would love to see a bunch of OpenID Extension specs that deal only with the topic of Discovery. 

In fact, one way to go (and this is admittedly a bit radical) would be to just define a generic way to do Discovery in the main OpenID Auth 2.1 core document, and then make _every_ identifier into an extension.  That includes URL, XRI, email, etc.   

Radical, I know, but I like modularity, and it will likely preclude the debate about why we should or should not be able to use email addresses as OpenID's.  Or why we should/should not use my fingerprint as an OpenID.

Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

by David Recordon

Hey Breno,
I think this is a good point and judging from this thread already, there seems to be a group of people really interested in working on discovery for OpenID.  If we can frame the working group in the right way (David Fuelling framed it well as "I guess I'm more of the opinion that the 2.1 Discovery WG is going to produce a "guidance document" about 2.1 Discovery") then I think it should be a good thing.  That said, let's do a really good job of defining the goals.

I'll spend some time going over the wiki page WG proposal this week.

--David

On Jun 9, 2009, at 2:15 PM, Breno de Medeiros wrote:

And I agree with you. My view is that in the absence of an OpenID discovery WG there will be _more_ uncertainty about future directions for the spec, not less.

On Tue, Jun 9, 2009 at 2:13 PM, David Fuelling <sappenin@...> wrote:
On Tue, Jun 9, 2009 at 7:09 PM, Breno de Medeiros <breno@...> wrote:
If we start the process to form a WG for discovery now, most likely the process would only be completed in 6 months, even if there was considerable agreement and stable technologies to draw from.

Right now, there is quite a bit of momentum and excitement about Webfinger.  The XRI TC is hoping to publish draft specs for XRD within the next 30 days. Concurrently, and in particular after that, it is hoped that progress on webfinger will be speedy. Webfinger spec discussion may take place at either XRI TC or IETF.

Even if webfinger does become its own spec, I'm not confident it will end up looking the same in the context of OpenID (there are thorny issues like Authority to contend with: e.g., what system is the meta-data authority for an email address?   DNS? Web (Host-meta?)? Both?  Something-else?)

I guess my opinion is that this work needs to happen in both places, so why not start it here as well.

Should we just start responding to all threads about OpenID 2.x discovery by saying that the discussion is taking place at some other mailing list?

Last point to reiterate: There are a lot of Discovery issues besides email addresses and XRD.  See the wiki for more.





--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)



Re: Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

by Breno de Medeiros

I am in full agreement. Indeed, the proposed charter for the WG has always indicated that the deliverable would be a guidance document, not a separate spec.

It should be up to the 2.1 authentication WG to later decide if the guidance document should be published as a separate spec, or if instead it should be incorporated in part or as a whole in the authentication core spec, or any other disposition that is suitable. I think we all understand that discovery is too close to the core that it should be standardized by the authentication WG. On the other hand, the set of problems (and scope for changes) in discovery is quite different from authentication, and that is the rationale to allow this WG to form.

On Tue, Jun 9, 2009 at 3:05 PM, David Recordon <david@...> wrote:
Hey Breno,
I think this is a good point and judging from this thread already, there seems to be a group of people really interested in working on discovery for OpenID.  If we can frame the working group in the right way (David Fuelling framed it well as "I guess I'm more of the opinion that the 2.1 Discovery WG is going to produce a "guidance document" about 2.1 Discovery") then I think it should be a good thing.  That said, let's do a really good job of defining the goals.

I'll spend some time going over the wiki page WG proposal this week.

--David

On Jun 9, 2009, at 2:15 PM, Breno de Medeiros wrote:

And I agree with you. My view is that in the absence of an OpenID discovery WG there will be _more_ uncertainty about future directions for the spec, not less.

On Tue, Jun 9, 2009 at 2:13 PM, David Fuelling <sappenin@...> wrote:
On Tue, Jun 9, 2009 at 7:09 PM, Breno de Medeiros <breno@...> wrote:
If we start the process to form a WG for discovery now, most likely the process would only be completed in 6 months, even if there was considerable agreement and stable technologies to draw from.

Right now, there is quite a bit of momentum and excitement about Webfinger.  The XRI TC is hoping to publish draft specs for XRD within the next 30 days. Concurrently, and in particular after that, it is hoped that progress on webfinger will be speedy. Webfinger spec discussion may take place at either XRI TC or IETF.

Even if webfinger does become its own spec, I'm not confident it will end up looking the same in the context of OpenID (there are thorny issues like Authority to contend with: e.g., what system is the meta-data authority for an email address?   DNS? Web (Host-meta?)? Both?  Something-else?)

I guess my opinion is that this work needs to happen in both places, so why not start it here as well.

Should we just start responding to all threads about OpenID 2.x discovery by saying that the discussion is taking place at some other mailing list?

Last point to reiterate: There are a lot of Discovery issues besides email addresses and XRD.  See the wiki for more.





--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)




--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
