IRC Log for #openid on 2008-07-16
Timestamps are in UTC.
- [00:21:52] * mtrichardson (n=michaelr@70.99.220.242) Quit ()
- [00:36:13] * shigeta (n=shigeta@124.32.114.226) has joined #openid
- [01:00:45] * CarlFK (n=carl@76.29.25.210) Quit (Read error: 104 (Connection reset by peer))
- [01:11:05] * MacTed (n=Thud@twentyfourmullen.hsd1.ma.comcast.net) has joined #openid
- [01:11:05] <jibot>
MacTed is a Technology Evangelist from http://www.openlinksw.com/ and a Troublemaker from Way Back
- [01:28:19] <samsm>
You could start talking and hopefully an answer will eventually brew. :)
- [01:29:46] <gsm4>
samsm, was that directed at my post from about an hour and a half ago?
- [01:29:56] <samsm>
Yes :)
- [01:30:27] <gsm4>
well, I was having issues submitting a patch for the MySQLStore class
- [01:31:02] <samsm>
Ok, that's pretty specific.
- [01:31:15] <gsm4>
since the tests failed on a new "darcs get" after I added a method to the class (which shouldn't happen from what I would expect)
- [01:31:58] <samsm>
They passed before you added the method, I assume?
- [01:32:55] <gsm4>
didn't try... they auto-ran on doing a darcs record...
- [02:24:11] * SunWuKung (n=SunWuKun@S01060016cbc4c705.vc.shawcable.net) Quit ()
- [02:54:46] * TedThibodeauJr (n=Thud@twentyfourmullen.hsd1.ma.comcast.net) has joined #openid
- [02:54:47] <jibot>
TedThibodeauJr is a Technology Evangelist from http://www.openlinksw.com/ and a Troublemaker from Way Back
- [03:03:53] * MacTed (n=Thud@twentyfourmullen.hsd1.ma.comcast.net) Quit (Read error: 110 (Connection timed out))
- [03:26:29] * tjohns (n=tjohns@adsl-76-202-197-22.dsl.pltn13.sbcglobal.net) has joined #openid
- [03:31:06] * flaccid (n=flaccid@203-219-68-83.static.tpgi.com.au) has joined #openid
- [03:31:06] <jibot>
flaccid is an OpenID enthusiast
- [03:35:36] <andersfeder>
is anyone online who can tell me about non-interactive openid operation?
- [03:36:25] <andersfeder>
in particular: http://openid.net/pipermail/specs/2008-July/002343.html
- [03:42:19] * gsm4 (n=gsm4@starnix-laptop.visitor.iastate.edu) Quit ("Leaving")
- [04:02:21] <tjohns>
OpenID, as designed, cannot be completely non-interactive. There's too much potential for abuse if the user didn't get a chance to accept/deny a request.
- [04:03:35] <tjohns>
Now, as for using OpenID in non-browser applications, that may be possible (for example, Kerberos implements much of this, but has too strict a trust model for use outside the enterprise)
- [04:03:43] <tjohns>
However, there hasn't been much work on it.
- [04:04:13] <tjohns>
It's been something I've wanted to work on for a while now, but haven't had much free time the last few months.
- [04:05:24] <tjohns>
OpenID is community driven, so if you want to work on an extension, just bring it up on the mailing lists.
- [04:10:48] * woid (n=woid@akcent.ok.cz) has joined #openid
- [04:28:22] <keturn>
thing about OpenID is, if you accept all OpenIDs, you have no idea what interaction will or won't be required, because that's entirely up to provider policy
- [04:28:57] <keturn>
if you need some specific API on the authentication interaction, you are talking about something that is no-longer-quite-OpenID
- [04:29:40] <keturn>
maybe it would make sense for OpenID providers to provide that service in addition to OpenID, but it'd be a distinct feature.
- [04:29:51] <flaccid>
non-interactive openid sounds more like authorisation as well
- [04:31:07] * woid (n=woid@akcent.ok.cz) Quit (Remote closed the connection)
- [04:42:22] <andersfeder>
sorry, i was away, but my idea was some standard extension for openid providers that would allow them to accept non-interactive logins explicitly
- [04:43:21] <andersfeder>
i imagine it could be a service type in the XRDS document
- [04:45:17] <andersfeder>
(or an actual extension as per section 12 of the openid 2 spec)
- [04:50:27] <andersfeder>
i.e. the non-browser application asks for non-interactive login, the provider requests (say) a verified client certificate, the application does what's necessary to respond with the corresponding verified client certificate, and the provider lets the application know if that certificate successfully authenticates the given openid identifier
- [04:52:24] <andersfeder>
this way one could use his openid for host-local access control - the localhost would request your certificate (and possibly a passphrase) and ask the openid provider to determine if everything is good
- [04:55:02] <andersfeder>
i think it would fall under the umbrella of OpenID (rather than be a new standard altogether) since it would be pointless to ask the user to create one identifier for OpenID and then a distinct identifier for non-interactive or non-browser identification
- [04:58:01] * peace-keeper (n=markus@chello084114169104.2.15.vie.surfer.at) has joined #openid
- [05:10:16] <tjohns>
It sounds to me like you just described X.509. :)
- [05:10:26] <tjohns>
Though, there's no mechanism to create that certificate.
- [05:10:39] <andersfeder>
X.509 is a login method?
- [05:10:57] <tjohns>
Well, it's a certificate standard, but it can be used for login.
- [05:11:01] <andersfeder>
ok
- [05:11:08] <tjohns>
Client-side SSL certificates
- [05:11:13] <andersfeder>
right
- [05:11:20] <tjohns>
So, the part that's missing...
- [05:12:17] <tjohns>
The application would have to create a cert, and the OpenID provider would have to sign it, then return it to the application.
- [05:13:07] <tjohns>
There's mechanisms to do all of this automatically, but they're all browser based (as far as I know).
- [05:13:47] <andersfeder>
but this certificate would only have to be created once per provider, right?
- [05:13:57] <andersfeder>
not once per application?
- [05:14:23] <andersfeder>
i could use the same certificate for multiple applications
- [05:14:52] <andersfeder>
if it only has to be created once per provider, browser based creation would be ok, imo
- [05:15:57] <andersfeder>
as long as there is a process for non-browser verification that the certificate is associated with a given OID
- [05:17:39] <andersfeder>
the 'association to given OID' part is what would distinguish this process from standard X.509
- [05:32:25] <tjohns>
It could be once per provider, if you had a way to share it between applications.
- [05:32:55] <tjohns>
(You'd want the certificate to expire after a while, too, just in case.)
- [05:33:20] <tjohns>
Association to a given OID is actually pretty straightforward
- [05:33:53] <tjohns>
The CN is just the user's OID. The OP just becomes a lightweight CA.
- [05:34:51] <tjohns>
Most of the work is on getting the cert to applications, and sharing the cert between applications (if you wanted to go that route -- I'm of the opinion that even per-application certificates aren't that bad if they're long lived)
- [05:35:04] <tjohns>
I've actually put a lot of thought into this, believe it or not. :)
- [05:35:36] <tjohns>
I was trying to find out a way to get Subversion to work with OpenID, and what I came up with looked a lot like this.
- [05:45:38] <andersfeder>
tjohns: i see, interesting ...
- [05:48:41] <andersfeder>
tjohns: so what we would need is a standard way for the app to discover the X.509 cert for a given OID?
- [05:48:58] <tjohns>
Yes.
- [05:49:23] <tjohns>
Keeping in mind that the cert is stored locally.
- [05:52:36] * dw (n=dw@unaffiliated/dw) Quit (Read error: 104 (Connection reset by peer))
- [05:52:53] <andersfeder>
tjohns: the private key portion is at least? as far as i remember, an X.509 cert can contain just the public key?
- [05:53:12] <andersfeder>
so if the OP stored this public key cert ... and presented it on request for a given OID .. the app could locate the corresponding private key cert in its local store ... ?
- [05:53:38] * dw (n=dw@gw.dmw.me.uk) has joined #openid
- [05:55:13] * shigeta_ (n=shigeta@124.32.114.226) has joined #openid
- [05:58:50] <tjohns>
All of that is already specified in the client-side SSL specification.
- [05:59:17] <tjohns>
If I remember right, the way it works is that the server just asks the client to identify itself. The client then can choose any cert it wants.
- [06:00:27] <tjohns>
There's no need for the server to store public certs.
- [06:00:31] <andersfeder>
ok
- [06:00:59] <tjohns>
The client would give the server a public cert that contains the CN (the user's OID) and a signature from the server. That's enough for the server to know that it should trust it.
- [06:01:36] <andersfeder>
right
- [06:04:55] <andersfeder>
so the problem is then how to force the OP to authenticate the user with client-side SSL?
- [06:12:11] <tjohns>
Well, since this isn't really OpenID anymore, you could just send the user to a different URL. If they go there, follow the standard client-side auth protocol.
- [06:12:14] <tjohns>
Or instead...
- [06:12:34] <tjohns>
Just send the client cert to the consumer directly. Cut the OP out of the loop entirely.
- [06:12:39] * shigeta (n=shigeta@124.32.114.226) Quit (Read error: 110 (Connection timed out))
- [06:12:51] <tjohns>
Since the OP already signed the client's cert, there's really no need to involve the OP again.
- [06:13:05] <tjohns>
Then just have the OP publish its signing key somewhere the consumer can access it.
- [06:14:09] <andersfeder>
ok ..
- [06:17:15] <andersfeder>
by the OP's signing key .. you mean the public key of the private key used to sign the user's certificate? ... isn't this key included in the certificate?
- [06:18:26] <andersfeder>
oh sorry .. see what you mean now ..
- [06:19:53] <andersfeder>
the consumer needs a way to verify that the signing key does indeed belong to the provider of the given OID
- [06:28:15] <andersfeder>
but i guess this was what i meant with public certs ... if the provider publishes a public cert per OID, this cert would cointain the public signing key .. if the consumer retrieves the public cert for the given OID, it can verify that the used (private) cert is valid .. ?
- [06:28:26] <andersfeder>
*contain
- [06:43:25] * lopnor (n=lopnor@nat.soffritto.org) Quit (Read error: 110 (Connection timed out))
- [06:48:06] * stub (n=stub@ppp-58-8-9-240.revip2.asianet.co.th) has joined #openid
- [06:51:29] * lopnor (n=lopnor@nat.soffritto.org) has joined #openid
- [07:29:34] * bortzmeyer (i=bortzmey@batilda.nic.fr) has joined #openid
- [07:41:10] * xpo (n=xpo@bgl93-2-82-226-41-47.fbx.proxad.net) Quit ()
- [07:43:06] * SunWuKung (n=SunWuKun@S01060016cbc4c705.vc.shawcable.net) has joined #openid
- [08:00:12] * woid (n=woid@akcent.ok.cz) has joined #openid
- [08:03:27] * MrTopf (i=hidden-u@oecher.info) has joined #openid
- [08:11:31] * xpo (n=xpo@nat/af83/x-116298a258c84b50) has joined #openid
- [08:13:44] <tjohns>
The OP could publish its key, and it would provide the same level of assurance as standard (HTTP-only) OpenID.
- [08:14:20] <tjohns>
Or HTTPS, if the OP has a server-side, globally recognized SSL key (which it should, hopefully)
- [08:15:01] <tjohns>
There's really no need to publish certs on the OP for every user. That's one of the really nice things about X.509 -- might as well take advantage of it.
- [09:07:29] * xpo_air (n=xpo@nat/af83/x-a599c82b040e0b36) has joined #openid
- [09:07:55] * xpo (n=xpo@nat/af83/x-116298a258c84b50) Quit (Read error: 104 (Connection reset by peer))
- [10:01:50] * tjohns (n=tjohns@adsl-76-202-197-22.dsl.pltn13.sbcglobal.net) Quit ()
- [10:28:40] * xpo_air is now known as xpo
- [11:13:08] * stub (n=stub@canonical/launchpad/stub) Quit ("Leaving.")
- [12:21:48] * TedThibodeauJr is now known as MacTed
- [12:24:16] * MacTed (n=Thud@twentyfourmullen.hsd1.ma.comcast.net) Quit ()
- [12:55:35] * andersfeder (n=feder@x1-6-00-0e-2e-63-4c-cb.k415.webspeed.dk) Quit ("Leaving.")
- [13:11:40] * burzum (n=burzum@b2.e6.354a.static.theplanet.com) has left #openid
- [13:26:54] * MacTed (n=Thud@63.119.36.36) has joined #openid
- [13:26:55] <jibot>
MacTed is a Technology Evangelist from http://www.openlinksw.com/ and a Troublemaker from Way Back
- [14:04:42] * shigeta_ (n=shigeta@124.32.114.226) Quit (Read error: 110 (Connection timed out))
- [14:25:21] * stub (n=stub@ppp-58-8-9-240.revip2.asianet.co.th) has joined #openid
- [15:12:43] * bortzmeyer (i=bortzmey@batilda.nic.fr) has left #openid
- [15:16:47] * jpwatts (n=joel@c-98-200-119-206.hsd1.tx.comcast.net) has joined #openid
- [15:17:27] * jpwatts (n=joel@c-98-200-119-206.hsd1.tx.comcast.net) Quit (Client Quit)
- [15:29:06] * stub (n=stub@canonical/launchpad/stub) Quit (Connection timed out)
- [15:29:50] * stub (n=stub@ppp-58-8-15-215.revip2.asianet.co.th) has joined #openid
- [15:29:53] * stub (n=stub@canonical/launchpad/stub) Quit (Remote closed the connection)
- [15:44:33] * shigeta (n=shigeta@70.36.100.220.dy.bbexcite.jp) has joined #openid
- [16:27:26] * xpo (n=xpo@nat/af83/x-a599c82b040e0b36) Quit (No route to host)
- [16:29:06] * mtrichardson (n=michaelr@70.99.220.242) has joined #openid
- [16:36:05] * shigeta (n=shigeta@70.36.100.220.dy.bbexcite.jp) Quit ()
- [17:07:54] * MrTopf (i=hidden-u@oecher.info) Quit ("deconstructing...")
- [17:16:48] * en4rab (n=chatzill@87.82.64.119) has joined #openid
- [18:23:42] * jpwatts (n=joel@c-98-200-119-206.hsd1.tx.comcast.net) has joined #openid
- [19:02:02] * SunWuKung (n=SunWuKun@S01060016cbc4c705.vc.shawcable.net) Quit ()
- [19:23:55] * radiotonix (n=toni@77-57-217-151.dclient.hispeed.ch) has joined #openid
- [19:24:36] * SunWuKung (n=SunWuKun@S01060016cbc4c705.vc.shawcable.net) has joined #openid
- [19:24:41] * radiotonix (n=toni@77-57-217-151.dclient.hispeed.ch) has left #openid
- [19:43:38] * gsm4 (n=gsm4@starnix-laptop.visitor.iastate.edu) has joined #openid
- [20:07:25] * en4rab (n=chatzill@87.82.64.119) Quit ("ChatZilla 0.9.83 [Firefox 2.0.0.15/2008062306]")
- [20:10:19] * xpo (n=xpo@bgl93-2-82-226-41-47.fbx.proxad.net) has joined #openid
- [20:19:05] * peace-keeper (n=markus@chello084114169104.2.15.vie.surfer.at) Quit (Read error: 110 (Connection timed out))
- [20:19:26] * MostafaDaneshvar (n=chatzill@217.219.95.36) has joined #openid
- [20:43:17] * MrTopf (n=cs@pD9EBE81D.dip.t-dialin.net) has joined #openid
- [20:49:08] * mtrichardson (n=michaelr@70.99.220.242) Quit ()
- [20:57:11] * MacTed (n=Thud@63.119.36.36) Quit ()
- [20:57:12] * SunWuKung (n=SunWuKun@S01060016cbc4c705.vc.shawcable.net) Quit ()
- [20:58:28] * SunWuKung (n=SunWuKun@S01060016cbc4c705.vc.shawcable.net) has joined #openid
- [21:04:34] * Didac (n=Nightmar@34.Red-83-43-197.dynamicIP.rima-tde.net) Quit ("http://niorcs.com · tecnologia lliure per a un món lliure")
- [21:16:36] * mtrichardson (n=michaelr@dsl093-039-218.pdx1.dsl.speakeasy.net) has joined #openid
- [21:21:58] * MostafaDaneshvar (n=chatzill@217.219.95.36) Quit ("ChatZilla 0.9.83 [Firefox 3.0b5/2008043010]")
- [22:47:42] * MacTed (n=Thud@twentyfourmullen.hsd1.ma.comcast.net) has joined #openid
- [22:47:43] <jibot>
MacTed is a Technology Evangelist from http://www.openlinksw.com/ and a Troublemaker from Way Back
- [22:52:51] * mtrichardson (n=michaelr@dsl093-039-218.pdx1.dsl.speakeasy.net) Quit ()
- [23:16:47] * MrTopf (n=cs@pD9EBE81D.dip.t-dialin.net) Quit ("deconstructing...")
These logs were automatically created by OpenIDlogbot on
chat.freenode.net
using a modified version of the Java IRC LogBot.