[OpenID] Is Ignoring Attribute Exchange a strategic error?

Dick Hardt dick at sxip.com
Thu Jan 18 17:49:50 UTC 2007


First, let's make sure we are not confusing the OpenID Exchange  
proposal from Martin with the OpenID Attribute Exchange (AX) proposal [1].

AX is why Sxip joined OpenID. SSO is nice for sites, but what we have  
found they really want, and what should be clear to the OpenID community  
since SREG was created, is moving identity attributes.

OpenID has provided an SSO solution for almost two years, but it is  
not widely deployed at this point in time. When demoing OpenID, it is  
challenging to find examples besides LiveJournal and Zooomr where  
OpenID is front and center. I take this as an indication that SSO is  
not compelling enough.

OpenID does NOT solve phishing; in fact, if the OP is not implemented  
well, it can make phishing easier, as pointed out in Kim Cameron's  
blog [2].

The InfoCard model provides rich attribute exchange, the Liberty SAML  
profiles provide attribute exchange; why will people embrace OpenID  
if attribute exchange is not available?

AX is a simple, clean specification with an extensible schema  
mechanism. It is easy to code. It is easy to deploy. It is easy to  
grok given the name/value design pattern of OpenID.

Now I agree we don't want to cram lots of complexity into OpenID, but  
I think the extension model allows people to extend OpenID and if  
they gain wide acceptance, they can be considered part of the  
"standard". This model has been proven over and over again in  
computing. Perl 5 with modules, Firefox with addons.

Having said this, I may be a lone voice in the OpenID community.  
Perhaps the vast majority of people here don't care about attribute  
exchange and I should take my marbles and play somewhere else!

-- Dick


[1] http://openid.net/specs/openid-attribute-exchange-1_0-04.html
[2] http://www.identityblog.com/?p=649
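As an added illustration of the name/value pattern mentioned above (example code, not from the original post or from the AX spec itself), here is what an AX fetch looks like as OpenID parameters: an RP builds a fetch_request, and when the OP's fetch_response comes back, only attribute fields covered by openid.signed are treated as trustworthy. The namespace URI and parameter names follow the AX 1.0 drafts as I recall them and are assumptions here; the sample response is constructed.

```python
# Added example: OpenID Attribute Exchange (AX) in OpenID's name/value style.
# Parameter names follow the AX 1.0 drafts as recalled; the namespace URI is
# an assumption for this example, not a quotation from the spec.

AX_NS = "http://openid.net/srv/ax/1.0"  # assumed AX namespace URI

def build_fetch_request(attrs, required):
    """Parameters an RP adds to its auth request to ask for attributes.
    attrs maps alias -> attribute type URI; required lists aliases."""
    params = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request"}
    for alias, type_uri in attrs.items():
        params[f"openid.ax.type.{alias}"] = type_uri
    params["openid.ax.required"] = ",".join(required)
    return params

def parse_fetch_response(params):
    """Split returned attribute values into (trusted, untrusted) dicts.
    A value is trusted only if its ax fields are listed in openid.signed;
    unsigned extension fields could have been altered in transit."""
    if params.get("openid.ns.ax") != AX_NS:
        return {}, {}
    if params.get("openid.ax.mode") != "fetch_response":
        return {}, {}
    # openid.signed lists field names without the leading "openid." prefix.
    signed = set(params.get("openid.signed", "").split(","))
    trusted, untrusted = {}, {}
    for key, value in params.items():
        if not key.startswith("openid.ax.value."):
            continue
        alias = key[len("openid.ax.value."):]
        needed = {"ns.ax", "ax.mode", f"ax.type.{alias}", f"ax.value.{alias}"}
        target = trusted if needed <= signed else untrusted
        target[alias] = value
    return trusted, untrusted

# Constructed sample: the OP signs the email attribute but leaves the
# nickname fields out of openid.signed, so the RP must not rely on them.
SAMPLE_RESPONSE = {
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.value.email": "alice@example.com",
    "openid.ax.type.nick": "http://axschema.org/namePerson/friendly",
    "openid.ax.value.nick": "alice",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle,ns.ax,ax.mode,"
                     "ax.type.email,ax.value.email",
}
```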



On 18-Jan-07, at 8:32 AM, Scott Kveton wrote:

> Hi Bob,
>
> I'm finally catching up after my mail client ate itself earlier  
> this week.
>
>> I know this will sound like heresy... However, I would like to say  
>> that I'm
>> very concerned that OpenID may get more complex than is good for  
>> it before it
>> is widely accepted. The initial implementations of OpenID  
>> (LiveJournal, etc.)
>> have done one thing -- support login to multiple sites with a  
>> single identity
>> -- and done it reasonably well. Thus, as all identity systems  
>> must, OpenID has
>> started with means to establish and assert numerical identity  
>> ( i.e. the
>> property that distinguishes one entity from all others and permits
>> "counting."). In providing portable numerical identity, OpenID has
>> accomplished a great deal and provides something (like SSO) that  
>> will be
>> valued by many users.
>
> Definitely not heresy.  You're absolutely right.  The biggest  
> strength of
> OpenID has been the singular focus on doing one thing well.
>
>> I suggest (although I'm not sure I have much hope that the  
>> suggestion will be
>> taken up) that the "OpenID Community" should do its best to resist  
>> the
>> temptation to add new capabilities to what is already there until  
>> after there
>> is substantial acceptance of what is there now. We've waited too  
>> long to get a
>> decent identity system in place and I'm sure we're all frustrated  
>> and anxious
>> to deploy as much technology as we can as fast as we can. But, the  
>> reality is
>> that going slow, one step at a time, is probably more likely to be  
>> the path to
>> success. Others have tried -- and failed -- to deliver "complete"  
>> solutions to
>> the identity problem in the past. Let's not follow that well trod  
>> path.
>>
>> I think we should be putting 100% of our efforts into talking every
>> significant online property to accept OpenID for "login identity"  
>> and on
>> working out solutions to the various phishing, spoofing, etc.  
>> issues. The goal
>> should be to reduce, as much as possible, objections to adopting  
>> the base
>> capabilities so that we can have a solid, widely deployed base on  
>> which to
>> build other capabilities. Once we get to the point where the base  
>> is broadly
>> known to the general user (even your grandmother), that is the  
>> time to push
>> ahead with more stuff. Let's build on a solid foundation... Let's  
>> not move too
>> much faster than the market.
>
> Extremely well said.
>
> There are infinite possibilities with OpenID and things we can  
> layer on top
> of it.  However, the game is not "won" yet ... It's not  
> ubiquitous ... There
> is a lot of momentum here but that doesn't mean every idea we come  
> up with
> will be supported across every host/site.  That means poor user  
> experience
> and failure of the platform.
>
> The first half of 2007 should (IMHO) be focused on getting  
> OpenID
> Authentication out to the masses and on every single site and  
> integrated in
> every project we can find.  If we focus our efforts up-the-stack,  
> OpenID
> will lose the momentum that it has had and we'll be back at square  
> one.
>
> I like the idea of doing one thing and doing it really, really well.
> Diversifying now could be catastrophic for us.
>
> Just my $0.02,
>
> - Scott
>
