[OpenID - Eu] Mission Statement

Martin Paljak martin at paljak.pri.ee
Fri Jun 1 18:58:53 UTC 2007


On 01.06.2007, at 21:01, Andrew Tomlinson wrote:

> It isn't about trust it is about marketing and publicity - despite
> being just a technology the OpenID community will have to deal with
> damage caused by rogue implementations.

Well, it all depends on the context. Dealing with damage - I guess
most readers are from the EU, but you could compare the damage management
with the National Rifle Association in the US banging "guns don't kill
people, people kill people, we as manufacturers don't care", which is
actually very true.

Marketing OpenID would be like marketing guns - the good guys see  
them as a way to protect themselves from bad guys (if used  
correctly), the bad guys see them as a really easy way to rob good guys.

You trust guns when given to police or military (assuming you trust  
these institutions) but run away when you see an 'immigrant' at some  
'dark' 'suburban' location with 'something that looks like a rifle'.

The OpenID community should deal with the publicity and damage control
because most people *assume* trust and safety and security from
anything that deals even remotely with authentication, identification
or something similar.

OpenID, as technology, is much like guns - it doesn't do anything
itself, it doesn't build or assert trust per se. It's all in the
users and consumers (or relying parties). If you trust the given
relying party to let you operate with a given OpenID - it is
probably OK for you. The same goes for marketing - it is easy to
market OpenID to possible providers - just take a library and put it
on top of your existing usernames and passwords table and off you go
- it can't hurt your business if somebody logs on to jyte.com using
an OpenID with 'aol.com' in it. It is good marketing and AOL has
nothing to lose (AOL will remain in control of the usernames and
passwords). Just like gun producers are OK with some % of guns being
used to kill people - they don't care.

It is up to the *consumer* to make the decision 'is there enough
trust for aol.com OpenID?' If the consumer is OK with it - why should
the user care until he can get his things done on that site and move
on? Every site accepting OpenIDs probably will have different
security policies, different trust policies, different goals.

I guess it is difficult to deal with the trust concept before
services like botbouncer.com are actually deployed, OpenID
black/whitelists actually emerge, some semantic is assumed from
OpenID URLs (take open.id.ee or sun.com) and so on.

So yes - marketing should be THE thing to deal with. Marketing to
site owners to design their sites and applications differently. To
take the user-centric approach and move away from the 'usernames and
passwords in a database table' approach. The main reason users buy
OpenID is 'I don't have to remember more passwords!'. There are
countless ways to introduce newer identification schemes for users
(that provide some semantics to the identity) as well as
authentication mechanisms to attach to existing OpenIDs.

You have the chance to read some similar hubba-bubba-bubble talk
about OpenID in my blog (address in the signature), some in English,
some in Estonian.


IMHO, the mission statement of OID EU should include something
similar to:

* Promote open, identity-centric system design concepts
(interlinking personal data with the help of OpenID, all the
FOAF/XFN/friends camp).
* Advocate privacy-aware web systems - ones that are OK with as
little data about you as possible. Ones that maybe require no
'registration' but you can just log on.
* Teach both users and website owners about practical issues
relating to trust, privacy,

-- 
Martin Paljak
http://martin.paljak.pri.ee
