[OpenID] Changes to the OpenID Foundation member page login

Brian Kissel bkissel at janrain.com
Sat Dec 6 22:12:53 UTC 2008


Hello All,

Thanks to everyone for the feedback on the changes on OpenID login on the OpenID.net website.

First, our apologies for the trust root problem that originally pointed to an RPX-affiliated trust root. That problem has been fixed. Here's the background for anyone who has questions.

Refresh Media is the contractor that the OIDF hired to design and implement the polling and elections platforms. Several weeks ago, after an OIDF meeting, we decided we wanted to make sure that the polling and elections platforms were going to be operational in time for an end of the year election. At the time Bill Washburn was incapacitated due to some medical problems, so I volunteered to work with Mike Jones and Refresh Media to make sure the system was operational in time for the elections.

After the nominations had started, Refresh Media was having problems getting OpenID to work for login on the OIDF website:

"Our experience with the "official" Rails plugins for OpenID authentication has been pretty bad over the last two months. Specifically, it's been a struggle to get it up to speed with the OpenID 2.0 spec, most significantly adding support for i-names and directed identity. There would have been probably another week of development required to overhaul the plugin, but there wasn't enough time to do a proper job for the board elections. JanRain offered RPX as an alternative to get us up and running more quickly. We sent Bill Washburn an e-mail to check to make sure this was a reasonable approach, but after not hearing back from him made the switch when the situation became urgent."

The first implementation of RPX was our free RPX Basic version, which uses the RPX-affiliated trust root since using our Plus or Pro offerings would have required buying a separate SSL cert.  After some OIDF members expressed concern with the RPX-affiliated trust root, JanRain paid at its own cost to get a new cert and upgraded the implementation to the Plus, again at no fee to the OIDF.

So the system should be working well now; if not, please let us know.

With respect to whether it's appropriate to be using RPX on the OIDF website or not, it appears that there has been a diversity of opinion. Some of the membership has applauded the improvements in ease of use and reliability, some have concerns about using any vendor products on the official OIDF site. I will point out that there is no mention of JanRain nor RPX on the OIDF login implementation. If, after having now fixed the trust root problem, there is still a desire to remove RPX we can certainly do that but Refresh Media will still have to fix the initial problems that it was addressing.

If a diversity of opinion remains, we could use our newly implemented polling survey tool to see what the majority of the members would like to see happen.

Cheers,

Brian
==============
Brian Kissel
Cell: 503.866.4424
Fax: 503.296.5502

From: general-bounces at openid.net On Behalf Of David Recordon
Sent: Friday, December 05, 2008 11:31 AM
To: Chris Messina
Cc: general at openid.net
Subject: Re: [OpenID] Changes to the OpenID Foundation member page login

Agreed with Chris here.  I don't inherently have a problem with using RPX since it does provide value, but the trust root needs to be fixed and far more transparency added by the Foundation when choosing to use a vendor's product.

I'm also concerned about some of the optics when it comes to JanRain. As far as I can tell JanRain has started a consulting engagement with one of the developers the OpenID Foundation retained to build the membership and elections tool. The elections tool now has JanRain's solution in it.

Given Brian Kissel's growing involvement in the Foundation the past few months I would have expected him to disclose this as the CEO of JanRain especially as he's currently running for a *community* board seat in the election.

As to the developer himself, I have no idea if he has an NDA with JanRain that might have prevented this, if he did disclose it to the committee of the Foundation that engaged him, or what. I'm much less concerned about his role in all of this as I'm sure in both engagements he's just doing what he's being paid to do.

--David

On Dec 5, 2008, at 11:08 AM, Chris Messina wrote:


On Fri, Dec 5, 2008 at 11:00 AM, Steven Livingstone-Perez <weblivz at hotmail.com> wrote:
I don't really have much of a say on this (other than being a new member)
and you may 100% disagree with me, but IMHO there *is* an argument that in
using best of breed products we can demonstrate the power of OpenID to users
... compared with the cost/effort to implement something that already does a
really good job.

No argument there. Making OpenID seem awesome (or live up to its promised awesomeness) isn't really something that I'm questioning.

This kind of experience can be done without the use of a vendor product, though, but requires quite a bit more work and time.


I do understand the endorsement aspect, but on the other hand the UX is the
biggest issue OpenID seems to have at the moment and it seems to me that
using such products (so long as they are donated as such and not specific
long term to any one company) can only be a positive thing.

Therein lies the rub. I'm not arguing against using RPX, but for concealing it in the trust root (since currently people end up trusting *.rpxnow.com rather than openid.net - thereby creating a long term situation that's hard to switch from (without users having to *reassociate*)) and for getting some transparency into how the decision to use RPX was made.

I agree with Eran that the experience is better -- but let's not set a poor precedent in the interest of expediency.

Chris

--
Chris Messina
Citizen-Participant &
 Open Technology Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is:   [ ] bloggable    [X] ask first   [ ] private