[OpenID] Is Ignoring Attribute Exchange a strategic error?
dick at sxip.com
Thu Jan 18 22:13:32 UTC 2007
On 18-Jan-07, at 11:12 AM, Scott Kveton wrote:
>> AX is why Sxip joined OpenID. SSO is nice for sites, but what we have
>> found they really want, and should be clear to the OpenID community
>> since SREG was created, is moving identity attributes.
> I just want to be clear here as I have been in face-to-face
> meetings with
> folks and I'll say it here on the list; JanRain is totally behind
> exchange and will support it in our libraries and within the
> community. Its
> going to be critical to the long-term success of OpenID.
Good to hear you are still behind AX. You had me worried there for a
> My point from the previous email was that if we don't have a
> authentication mechanism, then anything else that follows it is moot.
I completely agree, although I view Authentication as just another
type of attribute exchange, but I digress.
>> OpenID does NOT solve phishing, in fact if the OP is not implemented
>> well, it can make phishing easier as pointed out in Kim Cameron's
>> blog .
> Hopefully some of the recent discussions we've been having with
> Mozilla and
> Microsoft can help change that.
Let me clarify my statement:
OpenID Authentication 2.0 does NOT solve phishing, and is solving it
is out of scope.
Although I lobbied for it, there is no explicit support for client
side support of OpenID Authentication 2.0.
This may be just as well, as there can be a separate specification on
this, and the thinking from various parties has advanced as of late.
I do agree that as a community we need to focus on adoption of OpenID
Authentication 2.0, (which should be done with the latest draft) --
but I think many people are looking for AX, and we should get that
out there quickly as well.
As for other specifications, my experience in the Perl community was
things really blossomed when innovation was not constrained to the
"core" . I would like to encourage people to draft and discuss
extensions to OpenID. I think this is working really well for Firefox
As much as I cringe at suggesting this, perhaps starting a new list
for those interesting in working on and participating with extensions
be created so that work on Authentication, AX and phishing can be
focussed? Any other suggestions on keeping focus while allowing
More information about the general