[OpenID board] Connect WG

Brian Kissel bkissel at janrain.com
Sun Jun 6 18:00:12 UTC 2010


Santosh, these personal attacks are inappropriate for this forum as you have
been notified many times in the past.  Please desist or be prepared to lose
the privilege of participating in the dialog.



Cheers,


Brian

*___________*

* *

*Brian Kissel <http://www.linkedin.com/pub/0/10/254>*

CEO - JanRain, Inc.

bkissel at janrain.com

Mobile: 503.342.2668 | Fax: 503.296.5502

519 SW 3rd Ave. Suite 600  Portland, OR 97204



*Increase registrations, engage users, and grow your brand with RPX.  Learn
more at **www.rpxnow.com*



*From:* openid-board-bounces at lists.openid.net [mailto:
openid-board-bounces at lists.openid.net] *On Behalf Of *Santosh Rajan
*Sent:* Sunday, June 06, 2010 1:51 AM
*To:* openid-board at lists.openid.net
*Subject:* Re: [OpenID board] Connect WG



Questions/answers inline

On Sun, Jun 6, 2010 at 11:46 AM, Chris Messina <chris.messina at gmail.com>
wrote:


On Sat, Jun 5, 2010 at 9:18 PM, Santosh Rajan <santrajan at gmail.com> wrote:

Hi Chris,



After reading your post below. I have a couple of questions.



1) Instead of calling, the next version of OpenID, as suggested by you
earlier "OpenID.Connect". Why don't we call it "OpenID.TWITFACE". That would
be more appropriate. Do you agree?



No, I don't agree.





I am glad you don't agree. We are both in agreement on this one point.











 2) Who are you working for? If I remember correctly, you are currently
employed by Google?



I am employed by Google and thus I receive a paycheck from Google.



Great! Now that you are discussing your paycheck in public, What Good Have
you done for Google?











However, I was elected to serve the OpenID Foundation board by the community
for a two year term.



Right! So did those people who voted for you, know that you were going to
join Google before those 2 years were up? No they didn't!. So don';t talk
about this any more!











My role on the board is as an advocate for the community and its interests.
If I were put on the board to fill Google's seat, I would advocate for
Google's position. I hope that members of the OpenID community have the
ability to distinguish between both entities, and when I'm speaking at the
behest of one or the other.





Do we have to take this kind of "neither here nor there nonsense anymore?"







If I can keep these two sets of interests separate — sometimes aligned,
sometimes not — I hope others can as well.





Yeah right! "Your others have already gone into hiding!"









Chris







On Sat, Jun 5, 2010 at 11:17 PM, Chris Messina <chris.messina at gmail.com>
wrote:

On Sat, Jun 5, 2010 at 7:35 AM, Dick Hardt <dick.hardt at gmail.com> wrote:


OAuth 2.0 does NOT solve the problems that OpenID was trying to solve. It is
NOT a distributed identity system. If you can make discovery work for OAuth,
then you can make it work for OpenID. OAuth implementations today do NOT
have discovery.



Perhaps standards groups like the OpenID Foundation operate in a slightly
different marketplace-twilight zone, but I'm curious how we define our
customers — and how that definition should or shouldn't affect the work that
gets done.



For example, Luke — representing Facebook — is saying that there's not been
sufficient adoption of OpenID over the past several years, and for the use
cases that I've cared most about, I would agree with that assessment. It is
not the case that OpenID hasn't been adopted — but that OpenID simply isn't
the only game in town anymore, and that the market demand in the consumer
space was unearthed and capitalized on by the likes of Facebook and Twitter,
and NOT the many other OpenID providers.



Facebook is saying that they want to work through the OpenID Foundation to
help develop a technology solution that is more like what the market has
already adopted — but that adds in discovery to aid in decentralizing
identity, at least in a very primitive way (hence the Connect proposal).



Dick, you seem to be saying that OAuth is not a distributed identity system,
but that if discovery were defined for it (along with auto-registration of
clients), then it would be useful as a distributed identity technology. Am I
getting that right?



I think the divide here comes down to whether the OIDF should be focused on
what the market demands and is willing to adopt *today*, or instead on the
set of technologies that may enable distributed identity solutions
*tomorrow*.



My fear — which has been consistent — is that if we don't respond to the
market's desires today (represented by Facebook, Yahoo, and other's
comments) then we won't be part of the conversation when potential adopters
are looking for better solutions tomorrow.



So, if we spin out the Connect proposal — or cause it so much friction that
it can't effectively proceed here — then by the time the ill-named v.Next
proposal is completed (with all of the "necessary" use cases addressed), the
world may have moved on, and the Foundation proven irrelevant. I don't see
it as an all-or-nothing situation, but as others have said, there will be an
identity piece baked into OAuth sooner than later, and if that  work doesn't
happen within the OIDF, we're going to be pitching a product that no one has
really said that they want, or are currently signing up to implement, based
on the lack of clarity in the description of v.Next today, whereas there are
already working prototypes of the Connect proposal in the wild.



There needs to be a bridge between OpenID 2.0 — which is a perfectly fine
solution for many use cases today — and the next iterations of OpenID 2.x
and beyond.



Chris



-- Dick


On 2010-06-04, at 11:14 PM, Luke Shepard wrote:

> We have complained for years in the OpenID community that we don't see
enough adoption. That we don't have a great mobile story. That the spec is
too complicated. That relying parties can't get the attributes they want.
The fact is that most of the major identity providers have adopted or are
planning to adopt OAuth 2.0 largely because it solves many of those
problems.
>
> I believe in OpenID. I believe in the concept of a decentralized identity.
I think the OpenID Foundation, by bringing together myriad companies and
individuals, is in a unique position to really help bring cohesive,
standardized technology - but only if it responds to the realities of the
marketplace.
>
> My main goal is to see the next generation of identity technology built. A
secondary goal is that it is built within the OpenID Foundation. I don't
know what the technology will look like exactly - both Nat's and David's
proposals have merit. I think the best way to figure out the tech is to
implement it, experiment, and try it out in production. I think the wrong
way to make it happen is to bicker over the exact wording of the working
group before it's even started.
>
> As Allen said, this work will happen - must happen. The main question to
the OpenID Foundation is whether it wants to encourage innovation or drift
into irrelevance.
>
> On Jun 4, 2010, at 10:08 PM, Dick Hardt wrote:
>
>> Hi Allen
>>
>> Thanks for the response. My point in this email is that at the end of the
meeting, it was agreed that Connect was not going to be done in the OIDF,
which means the WG proposal would be withdrawn. With you and David agreeing
on the specs council call that Connect should be a WG, that goes counter to
what we had concluded at the meeting.
>>
>> Note that I was not the one to suggest that Connect was not going to be
in the OIDF, but since that was what everyone had agreed to, there was no
point in talking about how it would be done in the OIDF.
>>
>> -- Dick
>>
>>
>> On 2010-06-04, at 8:58 PM, Allen Tom wrote:
>>
>>>
>>> Hi Dick,
>>>
>>> Although I might not have expressed this as strongly as I should have
last Friday, I believe that we should be working on an identity layer for
OAuth2 within the OIDF.
>>>
>>> Yahoo will definitely be implementing this, and I would expect that all
other OAuth SPs to do the same. It would definitely simplify things if we
could have a single standard interface that can do everything that OpenID
2.0 +AX+Hybrid can do today, and also be extensible to be used for future
services and even for OP specific proprietary APIs as well.
>>>
>>> I expect that an OAuth based identity layer would be widely implemented
and far more widely used than OpenID, making OpenID largely irrelevant.
Therefore, I think it's in the OIDFs best interest to back this imitative.
>>>
>>> However, on Friday, I did get the impression that there is not sufficent
consensus to move forward. If that's still the case, then there's no point
forcing the issue. The work is going to get done either way.
>>>
>>> Hope that clarifies things
>>> Allen
>>>
>>>
>>> On Jun 4, 2010, at 7:24 PM, Dick Hardt <dick.hardt at gmail.com> wrote:
>>>
>>>> David, Chris, Joseph, Allen
>>>>
>>>> When we met last Friday to discuss how Connect and v.Next would work
together, the four of you had agreed that it would be best doing the Connect
work outside the OIDF. I had come to the meeting to talk about how we would
merge or align the efforts, but since there was consensus to do it outside,
we did not discuss.
>>>>
>>>> From actions I have seen today, it seems that there has been a change
since then and that you are planning on working on Connect per the original
charter. As emailed separately, I have concerns with the charter as drafted.
>>>>
>>>> I am very disappointed that I learn about your change in mind by seeing
postings on public mailing lists.
>>>>
>>>> WTF?
>>>>
>>>> -- Dick
>>
>> _______________________________________________
>> board mailing list
>> board at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-board
>
>
> _______________________________________________
> board mailing list
> board at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-board

_______________________________________________
board mailing list
board at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-board




-- 
Chris Messina
Open Web Advocate, Google

Personal: http://factoryjoe.com
Follow me on Buzz: http://buzz.google.com/chrismessina
...or Twitter: http://twitter.com/chrismessina

This email is:   [ ] shareable    [X] ask first   [ ] private

_______________________________________________
board mailing list
board at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-board



  --
http://hi.im/santosh


_______________________________________________
board mailing list
board at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-board




-- 
Chris Messina
Open Web Advocate, Google

Personal: http://factoryjoe.com
Follow me on Buzz: http://buzz.google.com/chrismessina
...or Twitter: http://twitter.com/chrismessina

This email is:   [ ] shareable    [X] ask first   [ ] private


_______________________________________________
board mailing list
board at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-board




-- 
http://hi.im/santosh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-board/attachments/20100606/fa81fcfc/attachment-0001.html>


More information about the board mailing list