IRC Log for #openid on 2008-07-16

Timestamps are in UTC.

  1. [00:21:52] * mtrichardson (n=michaelr@70.99.220.242) Quit ()
  2. [00:36:13] * shigeta (n=shigeta@124.32.114.226) has joined #openid
  3. [01:00:45] * CarlFK (n=carl@76.29.25.210) Quit (Read error: 104 (Connection reset by peer))
  4. [01:11:05] * MacTed (n=Thud@twentyfourmullen.hsd1.ma.comcast.net) has joined #openid
  5. [01:11:05] <jibot> MacTed is a Technology Evangelist from http://www.openlinksw.com/ and a Troublemaker from Way Back
  6. [01:28:19] <samsm> You could start talking and hopefully an answer will eventually brew. :)
  7. [01:29:46] <gsm4> samsm, was that directed at my post from about an hour and a half ago?
  8. [01:29:56] <samsm> Yes :)
  9. [01:30:27] <gsm4> well, I was having issues submitting a patch for the MySQLStore class
  10. [01:31:02] <samsm> Ok, that's pretty specific.
  11. [01:31:15] <gsm4> since the tests failed on a new "darcs get" after I added a method to the class (which shouldn't happen from what I would expect)
  12. [01:31:58] <samsm> They passed before you added the method, I assume?
  13. [01:32:55] <gsm4> didn't try... they auto-ran on doing a darcs record...
  14. [02:24:11] * SunWuKung (n=SunWuKun@S01060016cbc4c705.vc.shawcable.net) Quit ()
  15. [02:54:46] * TedThibodeauJr (n=Thud@twentyfourmullen.hsd1.ma.comcast.net) has joined #openid
  16. [02:54:47] <jibot> TedThibodeauJr is a Technology Evangelist from http://www.openlinksw.com/ and a Troublemaker from Way Back
  17. [03:03:53] * MacTed (n=Thud@twentyfourmullen.hsd1.ma.comcast.net) Quit (Read error: 110 (Connection timed out))
  18. [03:26:29] * tjohns (n=tjohns@adsl-76-202-197-22.dsl.pltn13.sbcglobal.net) has joined #openid
  19. [03:31:06] * flaccid (n=flaccid@203-219-68-83.static.tpgi.com.au) has joined #openid
  20. [03:31:06] <jibot> flaccid is an OpenID enthusiast
  21. [03:35:36] <andersfeder> is anyone online who can tell me about non-interactive openid operation?
  22. [03:36:25] <andersfeder> in particular: http://openid.net/pipermail/specs/2008-July/002343.html
  23. [03:42:19] * gsm4 (n=gsm4@starnix-laptop.visitor.iastate.edu) Quit ("Leaving")
  24. [04:02:21] <tjohns> OpenID, as designed, cannot be completely non-interactive. There's too much potential for abuse if the user didn't get a chance to accept/deny a request.
  25. [04:03:35] <tjohns> Now, as for using OpenID in non-browser applications, that may be possible (for example, Kerberos implements much of this, but has too strict a trust model for use outside the enterprise)
  26. [04:03:43] <tjohns> However, there hasn't been much work on it.
  27. [04:04:13] <tjohns> It's been something I've wanted to work on for a while now, but haven't had much free time the last few months.
  28. [04:05:24] <tjohns> OpenID is community driven, so if you want to work on an extension, just bring it up on the mailing lists.
  29. [04:10:48] * woid (n=woid@akcent.ok.cz) has joined #openid
  30. [04:28:22] <keturn> thing about OpenID is, if you accept all OpenIDs, you have no idea what interaction will or won't be required, because that's entirely up to provider policy
  31. [04:28:57] <keturn> if you need some specific API on the authentication interaction, you are talking about something that is no-longer-quite-OpenID
  32. [04:29:40] <keturn> maybe it would make sense for OpenID providers to provide that service in addition to OpenID, but it'd be a distinct feature.
  33. [04:29:51] <flaccid> non-interactive openid sounds more like authorisation as well
  34. [04:31:07] * woid (n=woid@akcent.ok.cz) Quit (Remote closed the connection)
  35. [04:42:22] <andersfeder> sorry, i was away, but my idea was some standard extension for openid providers that would allow them to accept non-interactive logins explicitly
  36. [04:43:21] <andersfeder> i imagine it could be a service type in the XRDS document
  37. [04:45:17] <andersfeder> (or an actual extension as per section 12 of the openid 2 spec)
  38. [04:50:27] <andersfeder> i.e. the non-browser application asks for non-interactive login, the provider requests (say) a verified client certificate, the application does what's necessary to respond with the corresponding verified client certificate, and the provider lets the application know if that certificate successfully authenticates the given openid identifier
  39. [04:52:24] <andersfeder> this way one could use his openid for host-local access control - the localhost would request your certificate (and possibly a passphrase) and ask the openid provider to determine if everything is good
  40. [04:55:02] <andersfeder> i think it would fall under the umbrella of OpenID (rather than be a new standard altogether) since it would be pointless to ask the user to create one identifier for OpenID and then a distinct identifier for non-interactive or non-browser identification
  41. [04:58:01] * peace-keeper (n=markus@chello084114169104.2.15.vie.surfer.at) has joined #openid
  42. [05:10:16] <tjohns> It sounds to me like you just described X.509. :)
  43. [05:10:26] <tjohns> Though, there's no mechanism to create that certificate.
  44. [05:10:39] <andersfeder> X.509 is a login method?
  45. [05:10:57] <tjohns> Well, it's a certificate standard, but it can be used for login.
  46. [05:11:01] <andersfeder> ok
  47. [05:11:08] <tjohns> Client-side SSL certificates
  48. [05:11:13] <andersfeder> right
  49. [05:11:20] <tjohns> So, the part that's missing...
  50. [05:12:17] <tjohns> The application would have to create a cert, and the OpenID provider would have to sign it, then return it to the application.
  51. [05:13:07] <tjohns> There's mechanisms to do all of this automatically, but they're all browser based (as far as I know).
  52. [05:13:47] <andersfeder> but this certificate would only have to be created once per provider, right?
  53. [05:13:57] <andersfeder> not once per application?
  54. [05:14:23] <andersfeder> i could use the same certificate for multiple applications
  55. [05:14:52] <andersfeder> if it only has to be created once per provider, browser based creation would be ok, imo
  56. [05:15:57] <andersfeder> as long as there is a process for non-browser verification that the certificate is associated with a given OID
  57. [05:17:39] <andersfeder> the 'association to given OID' part is what would distinguish this process from standard X.509
  58. [05:32:25] <tjohns> It could be once per provider, if you had a way to share it between applications.
  59. [05:32:55] <tjohns> (You'd want the certificate to expire after a while, too, just in case.)
  60. [05:33:20] <tjohns> Association to a given OID is actually pretty straightforward
  61. [05:33:53] <tjohns> The CN is just the user's OID. The OP just becomes a lightweight CA.
  62. [05:34:51] <tjohns> Most of the work is on getting the cert to applications, and sharing the cert between applications (if you wanted to go that route -- I'm of the opinion that even per-application certificates aren't that bad if they're long lived)
  63. [05:35:04] <tjohns> I've actually put a lot of thought into this, believe it or not. :)
  64. [05:35:36] <tjohns> I was trying to find out a way to get Subversion to work with OpenID, and what I came up with looked a lot like this.
  65. [05:45:38] <andersfeder> tjohns: i see, interesting ...
  66. [05:48:41] <andersfeder> tjohns: so what we would need is a standard way for the app to discover the X.509 cert for a given OID?
  67. [05:48:58] <tjohns> Yes.
  68. [05:49:23] <tjohns> Keeping in mind that the cert is stored locally.
  69. [05:52:36] * dw (n=dw@unaffiliated/dw) Quit (Read error: 104 (Connection reset by peer))
  70. [05:52:53] <andersfeder> tjohns: the private key portion is at least? as far as i remember, an X.509 cert can contain just the public key?
  71. [05:53:12] <andersfeder> so if the OP stored this public key cert ... and presented it on request for a given OID .. the app could locate the corresponding private key cert in its local store ... ?
  72. [05:53:38] * dw (n=dw@gw.dmw.me.uk) has joined #openid
  73. [05:55:13] * shigeta_ (n=shigeta@124.32.114.226) has joined #openid
  74. [05:58:50] <tjohns> All of that is already specified in the client-side SSL specification.
  75. [05:59:17] <tjohns> If I remember right, the way it works is that the server just asks the client to identify itself. The client then can choose any cert it wants.
  76. [06:00:27] <tjohns> There's no need for the server to store public certs.
  77. [06:00:31] <andersfeder> ok
  78. [06:00:59] <tjohns> The client would give the server a public cert that contains the CN (the user's OID) and a signature from the server. That's enough for the server to know that it should trust it.
  79. [06:01:36] <andersfeder> right
  80. [06:04:55] <andersfeder> so the problem is then how to force the OP to authenticate the user with client-side SSL?
  81. [06:12:11] <tjohns> Well, since this isn't really OpenID anymore, you could just send the user to a different URL. If they go there, follow the standard client-side auth protocol.
  82. [06:12:14] <tjohns> Or instead...
  83. [06:12:34] <tjohns> Just send the client cert to the consumer directly. Cut the OP out of the loop entirely.
  84. [06:12:39] * shigeta (n=shigeta@124.32.114.226) Quit (Read error: 110 (Connection timed out))
  85. [06:12:51] <tjohns> Since the OP already signed the client's cert, there's really no need to involve the OP again.
  86. [06:13:05] <tjohns> Then just have the OP publish its signing key somewhere the consumer can access it.
  87. [06:14:09] <andersfeder> ok ..
  88. [06:17:15] <andersfeder> by the OP's signing key .. you mean the public key of the private key used to sign the user's certificate? ... isn't this key included in the certificate?
  89. [06:18:26] <andersfeder> oh sorry .. see what you mean now ..
  90. [06:19:53] <andersfeder> the consumer needs a way to verify that the signing key does indeed belong to the provider of the given OID
  91. [06:28:15] <andersfeder> but i guess this was what i meant with public certs ... if the provider publishes a public cert per OID, this cert would contain the public signing key .. if the consumer retrieves the public cert for the given OID, it can verify that the used (private) cert is valid .. ?
  93. [06:43:25] * lopnor (n=lopnor@nat.soffritto.org) Quit (Read error: 110 (Connection timed out))
  94. [06:48:06] * stub (n=stub@ppp-58-8-9-240.revip2.asianet.co.th) has joined #openid
  95. [06:51:29] * lopnor (n=lopnor@nat.soffritto.org) has joined #openid
  96. [07:29:34] * bortzmeyer (i=bortzmey@batilda.nic.fr) has joined #openid
  97. [07:41:10] * xpo (n=xpo@bgl93-2-82-226-41-47.fbx.proxad.net) Quit ()
  98. [07:43:06] * SunWuKung (n=SunWuKun@S01060016cbc4c705.vc.shawcable.net) has joined #openid
  99. [08:00:12] * woid (n=woid@akcent.ok.cz) has joined #openid
  100. [08:03:27] * MrTopf (i=hidden-u@oecher.info) has joined #openid
  101. [08:11:31] * xpo (n=xpo@nat/af83/x-116298a258c84b50) has joined #openid
  102. [08:13:44] <tjohns> The OP could publish its key, and it would provide the same level of assurance as standard (HTTP-only) OpenID.
  103. [08:14:20] <tjohns> Or HTTPS, if the OP has a server-side, globally recognized SSL key (which it should, hopefully)
  104. [08:15:01] <tjohns> There's really no need to publish certs on the OP for every user. That's one of the really nice things about X.509 -- might as well take advantage of it.
  105. [09:07:29] * xpo_air (n=xpo@nat/af83/x-a599c82b040e0b36) has joined #openid
  106. [09:07:55] * xpo (n=xpo@nat/af83/x-116298a258c84b50) Quit (Read error: 104 (Connection reset by peer))
  107. [10:01:50] * tjohns (n=tjohns@adsl-76-202-197-22.dsl.pltn13.sbcglobal.net) Quit ()
  108. [10:28:40] * xpo_air is now known as xpo
  109. [11:13:08] * stub (n=stub@canonical/launchpad/stub) Quit ("Leaving.")
  110. [12:21:48] * TedThibodeauJr is now known as MacTed
  111. [12:24:16] * MacTed (n=Thud@twentyfourmullen.hsd1.ma.comcast.net) Quit ()
  112. [12:55:35] * andersfeder (n=feder@x1-6-00-0e-2e-63-4c-cb.k415.webspeed.dk) Quit ("Leaving.")
  113. [13:11:40] * burzum (n=burzum@b2.e6.354a.static.theplanet.com) has left #openid
  114. [13:26:54] * MacTed (n=Thud@63.119.36.36) has joined #openid
  115. [13:26:55] <jibot> MacTed is a Technology Evangelist from http://www.openlinksw.com/ and a Troublemaker from Way Back
  116. [14:04:42] * shigeta_ (n=shigeta@124.32.114.226) Quit (Read error: 110 (Connection timed out))
  117. [14:25:21] * stub (n=stub@ppp-58-8-9-240.revip2.asianet.co.th) has joined #openid
  118. [15:12:43] * bortzmeyer (i=bortzmey@batilda.nic.fr) has left #openid
  119. [15:16:47] * jpwatts (n=joel@c-98-200-119-206.hsd1.tx.comcast.net) has joined #openid
  120. [15:17:27] * jpwatts (n=joel@c-98-200-119-206.hsd1.tx.comcast.net) Quit (Client Quit)
  121. [15:29:06] * stub (n=stub@canonical/launchpad/stub) Quit (Connection timed out)
  122. [15:29:50] * stub (n=stub@ppp-58-8-15-215.revip2.asianet.co.th) has joined #openid
  123. [15:29:53] * stub (n=stub@canonical/launchpad/stub) Quit (Remote closed the connection)
  124. [15:44:33] * shigeta (n=shigeta@70.36.100.220.dy.bbexcite.jp) has joined #openid
  125. [16:27:26] * xpo (n=xpo@nat/af83/x-a599c82b040e0b36) Quit (No route to host)
  126. [16:29:06] * mtrichardson (n=michaelr@70.99.220.242) has joined #openid
  127. [16:36:05] * shigeta (n=shigeta@70.36.100.220.dy.bbexcite.jp) Quit ()
  128. [17:07:54] * MrTopf (i=hidden-u@oecher.info) Quit ("deconstructing...")
  129. [17:16:48] * en4rab (n=chatzill@87.82.64.119) has joined #openid
  130. [18:23:42] * jpwatts (n=joel@c-98-200-119-206.hsd1.tx.comcast.net) has joined #openid
  131. [19:02:02] * SunWuKung (n=SunWuKun@S01060016cbc4c705.vc.shawcable.net) Quit ()
  132. [19:23:55] * radiotonix (n=toni@77-57-217-151.dclient.hispeed.ch) has joined #openid
  133. [19:24:36] * SunWuKung (n=SunWuKun@S01060016cbc4c705.vc.shawcable.net) has joined #openid
  134. [19:24:41] * radiotonix (n=toni@77-57-217-151.dclient.hispeed.ch) has left #openid
  135. [19:43:38] * gsm4 (n=gsm4@starnix-laptop.visitor.iastate.edu) has joined #openid
  136. [20:07:25] * en4rab (n=chatzill@87.82.64.119) Quit ("ChatZilla 0.9.83 [Firefox 2.0.0.15/2008062306]")
  137. [20:10:19] * xpo (n=xpo@bgl93-2-82-226-41-47.fbx.proxad.net) has joined #openid
  138. [20:19:05] * peace-keeper (n=markus@chello084114169104.2.15.vie.surfer.at) Quit (Read error: 110 (Connection timed out))
  139. [20:19:26] * MostafaDaneshvar (n=chatzill@217.219.95.36) has joined #openid
  140. [20:43:17] * MrTopf (n=cs@pD9EBE81D.dip.t-dialin.net) has joined #openid
  141. [20:49:08] * mtrichardson (n=michaelr@70.99.220.242) Quit ()
  142. [20:57:11] * MacTed (n=Thud@63.119.36.36) Quit ()
  143. [20:57:12] * SunWuKung (n=SunWuKun@S01060016cbc4c705.vc.shawcable.net) Quit ()
  144. [20:58:28] * SunWuKung (n=SunWuKun@S01060016cbc4c705.vc.shawcable.net) has joined #openid
  145. [21:04:34] * Didac (n=Nightmar@34.Red-83-43-197.dynamicIP.rima-tde.net) Quit ("http://niorcs.com · tecnologia lliure per a un món lliure")
  146. [21:16:36] * mtrichardson (n=michaelr@dsl093-039-218.pdx1.dsl.speakeasy.net) has joined #openid
  147. [21:21:58] * MostafaDaneshvar (n=chatzill@217.219.95.36) Quit ("ChatZilla 0.9.83 [Firefox 3.0b5/2008043010]")
  148. [22:47:42] * MacTed (n=Thud@twentyfourmullen.hsd1.ma.comcast.net) has joined #openid
  149. [22:47:43] <jibot> MacTed is a Technology Evangelist from http://www.openlinksw.com/ and a Troublemaker from Way Back
  150. [22:52:51] * mtrichardson (n=michaelr@dsl093-039-218.pdx1.dsl.speakeasy.net) Quit ()
  151. [23:16:47] * MrTopf (n=cs@pD9EBE81D.dip.t-dialin.net) Quit ("deconstructing...")

These logs were automatically created by OpenIDlogbot on chat.freenode.net using a modified version of the Java IRC LogBot.