[OpenID] is openid 2.0 a lightweight identity system?

Simon Willison simon at simonwillison.net
Fri Feb 9 08:18:50 UTC 2007


On 2/9/07, Johannes Ernst <jernst+openid.net at netmesh.us> wrote:
> This is a misunderstanding. XRDS is crucial if OpenID ever wants to
> grow beyond authentication, because it captures the meta-data that's
> needed to say which service types are available and where for a given
> identifier (aka OpenID URL).

That's exactly the kind of answer I was looking for. Now help me understand:

1. How XRDS helps OpenID grow beyond authentication.
2. Why OpenID growing beyond authentication is a good idea - what kind
of additional problems does that let us solve?
3. Why can't those problems be solved as separate extensions to the
OpenID spec? Is it really necessary for XRDS to be in core OpenID -
does it act as a kind of plug-in mechanism without which extending
OpenID would be significantly less likely to achieve consensus, for
example?

One of my favourite things about the original OpenID spec was that it
took one very small problem - authentication over the Web - and /just/
solved that, in the same vein as the Unix philosophy of building small
tools that only do one thing.

The first paragraph of the OpenID 2.0 spec states the following:

"""
OpenID Authentication provides a way to prove that an end user
controls an Identifier. It does this without the Relying Party needing
access to end user credentials such as a password or to other
sensitive information such as an email address.
"""

There's nothing there about growing beyond authentication or meta-data
about service types. I'll be completely honest here: I don't
understand what "service type" or "service" actually means. The OpenID
2.0 spec doesn't help me here - as far as I can tell, a "service" is
anything that fits in an <xrd:Service> element.

The YADIS spec has an implementor's glossary, but isn't actually any
more useful as it recursively defines a "Service" as "A service
provided by a Yadis Resource" and a "Yadis Resource" as "A computer
software process (or system of processes) that provides one Yadis
Protocol".

The XRI Resolution spec does only slightly better, defining "Service
Endpoints" as "descriptors of concrete URIs at which network services
are available for the target resource".

I'm now three specs in and I still don't know what a service is! I'm
obviously missing something critically important here.

Since I don't like complaining about things without at least trying to
offer a solution, here are my first proposed questions for an OpenID
FAQ:

1. When the OpenID / Yadis / XRI Resolution specifications talk about
a "service", what do they mean? Are they all talking about the same
concept?

2. Why is XRDS a useful component of the OpenID 2.0 specification?

3. If XRDS' main function is to allow OpenID to grow beyond
authentication, how does that fit with the stated aim of solving just
one part of the overall authentication problem? Is that aim still part
of the OpenID philosophy?

Question 3 isn't really suitable for an FAQ, but I'd personally love
to know the answer. Maybe OpenID 2.0 needs an updated philosophy
statement.

Cheers,

Simon
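To make the "service" question above concrete, here is an added example (not part of Simon's post or any of the specs it quotes) that parses a constructed XRDS document of the shape OpenID 2.0 discovery consumes, lists each `<xrd:Service>` with its `<Type>` URIs and `<URI>` endpoints, and picks the OpenID 2.0 endpoint by service type. The namespace strings and the two `http://specs.openid.net/auth/2.0/...` type URIs are the ones the XRI Resolution and OpenID 2.0 specs define; the sample document, its hostnames and the `http://example.org/some-other-protocol/1.0` type are constructed placeholders.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespaces from XRI Resolution 2.0 (the XRDS envelope and the XRD payload).
XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"

# Service type URIs defined by the OpenID Authentication 2.0 spec.
OPENID_SIGNON = "http://specs.openid.net/auth/2.0/signon"   # claimed identifier
OPENID_SERVER = "http://specs.openid.net/auth/2.0/server"   # OP identifier

# Per the spec, a Service with no priority attribute sorts after all others.
LOWEST_PRIORITY = 2**31

# Constructed sample XRDS: two services, one OpenID and one unrelated protocol.
# Hostnames and the second Type URI are placeholders, not real endpoints.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://idp.example.net/openid/endpoint</URI>
      <LocalID>https://idp.example.net/users/alice</LocalID>
    </Service>
    <Service priority="10">
      <Type>http://example.org/some-other-protocol/1.0</Type>
      <URI>https://other.example.net/api</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


@dataclass
class Service:
    """One <xrd:Service>: what it speaks (types), where (uris), and for whom."""
    types: list[str]
    uris: list[str]
    local_id: str | None
    priority: int


def _texts(parent: ET.Element, name: str) -> list[str]:
    """Collect the non-empty text of every child element `name` in the XRD namespace."""
    return [e.text.strip() for e in parent.findall(f"{{{XRD_NS}}}{name}") if e.text and e.text.strip()]


def parse_xrds(doc: str) -> list[Service]:
    """Return the Service elements of the final XRD, sorted by ascending priority.

    The document comes from the identifier's own host, i.e. untrusted input; a
    production consumer would feed it to a hardened XML parser (e.g. defusedxml)
    rather than plain ElementTree. That hardening is assumed here, not shown.
    """
    root = ET.fromstring(doc)
    if root.tag != f"{{{XRDS_NS}}}XRDS":
        raise ValueError(f"not an XRDS document: root element {root.tag!r}")
    xrds = root.findall(f"{{{XRD_NS}}}XRD")
    if not xrds:
        raise ValueError("XRDS document contains no XRD element")
    # XRI Resolution: the last XRD is the one describing the target resource.
    target = xrds[-1]
    services: list[Service] = []
    for svc in target.findall(f"{{{XRD_NS}}}Service"):
        prio_attr = svc.get("priority")
        priority = int(prio_attr) if prio_attr and prio_attr.isdigit() else LOWEST_PRIORITY
        local_ids = _texts(svc, "LocalID")
        services.append(Service(
            types=_texts(svc, "Type"),
            uris=_texts(svc, "URI"),
            local_id=local_ids[0] if local_ids else None,
            priority=priority,
        ))
    # Lower priority value wins; Python's sort is stable, so document order breaks ties.
    services.sort(key=lambda s: s.priority)
    return services


def find_openid_endpoint(services: list[Service]) -> tuple[str, str | None] | None:
    """Pick the highest-priority OpenID 2.0 service and return (endpoint URI, LocalID).

    Services that advertise an OpenID type but no https URI are skipped, since an
    RP would otherwise send the user's assertion exchange over an unprotected channel.
    """
    for svc in services:
        if OPENID_SIGNON in svc.types or OPENID_SERVER in svc.types:
            https_uris = [u for u in svc.uris if u.startswith("https://")]
            if https_uris:
                return https_uris[0], svc.local_id
    return None


if __name__ == "__main__":
    for s in parse_xrds(SAMPLE_XRDS):
        print(f"priority={s.priority} types={s.types} uris={s.uris} local_id={s.local_id}")
    print("OpenID endpoint:", find_openid_endpoint(parse_xrds(SAMPLE_XRDS)))
```

Read this way, a "service" is simply a (type URI, endpoint URI) pairing attached to an identifier: the type says which protocol the endpoint speaks, and a consumer that only understands OpenID ignores every other type. The unrelated service in the sample sorts first by priority but is never selected, because selection is by type, not by position.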


