<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div>Thanks for the replies Dick.</div><div><br></div><div>On Jun 5, 2010, at 7:35 AM, Dick Hardt wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>OAuth standardizes an existing design pattern that had numerous proprietary implementations. Of course it will get "adopted" -- the design pattern is already implemented. People implement OAuth because they want to get access to APIs at a resource. Sure, some of those APIs provide identity data, but it is NOT a distributed identity system.<br></div></blockquote><div><br></div><div>Agreed. Of course it will get adopted, and it does not by itself provide a distributed identity system.</div><br><blockquote type="cite"><div>It is NOT a distributed identity system. If you can make discovery work for OAuth, then you can make it work for OpenID. OAuth implementations today do NOT have discovery.</div></blockquote><div><br></div><div>Agreed. OAuth does not say anything about discovery. That's why it would need to be added in a separate spec.</div><div><br></div><blockquote type="cite"><div>OAuth 2.0 does NOT solve the problems that OpenID was trying to solve.</div></blockquote><div><br></div><div>OAuth does not solve ALL of the problems of OpenID, but it does solve SOME. From the OpenID website, "OpenID allows you to use an existing account to sign in to multiple websites, without needing to create new passwords." That's the same goal that's accomplished by the myriad proprietary providers out there today, and if many independent companies are choosing OAuth to solve that problem, then it makes sense to build on top of what's working. Of course OAuth does not address the decentralized nature of OpenID by itself, but it could easily be adapted with a separate spec to accommodate them.</div><div><br></div><div>Look, I'm not saying I have all the answers, but it's okay, because at this point we aren't voting on a spec. The proposal is just to form a working group, for crying out loud - an email list where we can discuss using OAuth to advance OpenID, share implementations.</div><div><br></div><div>You said that you think that even considering using OAuth "<span class="Apple-style-span" style="font-size: 16px; font-family: 'Times New Roman', serif; ">contravenes the OIDF Foundation's stated mission." </span><font class="Apple-style-span" face="Helvetica, serif">One of the stated missions of the OpenID Foundation is to "supporting expanded adoption of OpenID". If OAuth is going to become a widely adopted internet technology, then it seems plausible that building on top of OAuth could dramatically increase OpenID adoption. Putting up roadblocks this early in the process prevents innovation when it needs to happen most.</font></div><div><font class="Apple-style-span" face="Helvetica, serif"><br></font></div><div><font class="Apple-style-span" face="Helvetica, serif">- Luke</font></div></div><br></body></html>