[OpenID] Changes to the OpenID Foundation member page login

David Recordon drecordon at sixapart.com
Sun Dec 7 04:07:46 UTC 2008


Hey Brian,
Thanks for more of the backstory here.  A few questions:

1) How was the decision made to use RPX versus investing the energy to  
update the Rails plugin?  My understanding is that Mike Jones was also  
unaware of the decision to use RPX.  I believe that personally I would  
have also chosen to use RPX so that it would be working a week  
sooner.  That said, if the OpenID Foundation can't make OpenID 2.0  
fully work in Rails it seems prudent for the Foundation to help the  
community fix this problem.  I would be happy to see the Foundation  
provide monetary support in updating the Rails plugin to be in the  
state that it should be for the entire community after the election  
problem was fixed.

2) Did JanRain ask the Foundation to purchase an SSL certificate (I  
generally buy them for around $50/year)?  Just as cops aren't allowed  
to accept free coffee and doughnuts from convenience stores (since it  
makes the cops prefer that store to others in their patrol zones) is  
there not a concern that in providing a free service to the Foundation  
that the Foundation might prefer JanRain to other vendors?  If the  
Foundation truly believes that RPX is the best solution here, taking  
into account the cost, then it feels like we should be paying for it  
in one way or another.

3) Does Peat, one of the contractors working for Refresh Media who has  
been building the membership/election tool, also have some form of  
employment with JanRain?  If so, why did you never disclose this and  
was this started before or after Refresh Media began work on the  
membership/election tool?

Thanks,
--David

On Dec 6, 2008, at 2:12 PM, Brian Kissel wrote:

> Hello All,
>
> Thanks to everyone for the feedback on the changes on OpenID login  
> on the OpenID.net website.
>
> First, our apologies for the trust root problem that originally  
> pointed to an RPX affiliated trust root.  That problem has been  
> fixed.  Here’s the background for anyone who has questions.
>
> Refresh Media is the contractor that the OIDF hired to design and  
> implement the polling and elections platforms.  Several weeks ago  
> after an OIDF meeting we decided we wanted to make sure that the  
> polling and elections platform were going to be operational in time  
> for an end of the year election.  At the time Bill Washburn was  
> incapacitated due to some medical problems, so I volunteered to work  
> with Mike Jones and Refresh Media to make sure the system was  
> operational in time for the elections.
>
> After the nominations had started, Refresh Media was having problems  
> getting OpenID to work for login on the OIDF website:
>
> “Our experience with the "official" Rails plugins for OpenID  
> authentication has been pretty bad over the last two months.   
> Specifically, it's been a struggle to get it up to speed with the  
> OpenID 2.0 spec, most significantly adding support for i-names and  
> directed identity.  There would have been probably another week of  
> development required to overhaul the plugin, but there wasn't enough  
> time to do a proper job for the board elections.  JanRain offered  
> RPX as an alternative to get us up and running more quickly.  We  
> sent Bill Washburn an e-mail to check to make sure this was a  
> reasonable approach, but after not hearing back from him made the  
> switch when the situation became urgent.”
>
> The first implementation of RPX was our free RPX Basic version,  
> which uses the RPX-affiliated trust root since using our Plus or Pro  
> offerings would have required buying a separate SSL cert.  After  
> some OIDF members expressed concern with the RPX-affiliated trust  
> root, JanRain paid at its own cost to get a new cert and upgraded  
> the implementation to the Plus, again at no fee to the OIDF.
>
> So the system should be working well now, if not please let us know.
>
> With respect to whether it’s appropriate to be using RPX on the OIDF
> website or not, it appears that there has been a diversity of
> opinion.  Some of the membership has applauded the improvements in
> ease of use and reliability, some have concerns about using any
> vendor products on the official OIDF site.  I will point out that
> there is no mention of JanRain nor RPX on the implementation on the  
> OIDF login implementation.  If, after having now fixed the trust  
> root problem, there is still a desire to remove RPX we can certainly  
> do that but Refresh Media will still have to fix the initial  
> problems that it was addressing.
>
> If a diversity of opinion remains, we could use our newly  
> implemented polling survey tool to see what the majority of the  
> members would like to see happen.
>
> Cheers,
>
> Brian
> ==============
> Brian Kissel
> Cell: 503.866.4424
> Fax: 503.296.5502
>
> From: general-bounces at openid.net [mailto:general-bounces at openid.net]  
> On Behalf Of David Recordon
> Sent: Friday, December 05, 2008 11:31 AM
> To: Chris Messina
> Cc: general at openid.net
> Subject: Re: [OpenID] Changes to the OpenID Foundation member page  
> login
>
> Agreed with Chris here.  I don't inherently have a problem with  
> using RPX since it does provide value, but the trust root needs to  
> be fixed and far more transparency added by the Foundation when  
> choosing to use a vendor's product.
>
> I'm also concerned about some of the optics when it comes to  
> JanRain.  As far as I can tell JanRain has started a consulting  
> engagement with one of the developers the OpenID Foundation retained  
> to build the membership and elections tool.  The elections tool now  
> has JanRain's solution in it.
>
> Given Brian Kissel's growing involvement in the Foundation the past  
> few months I would have expected him to disclose this as the CEO of  
> JanRain especially as he's currently running for a *community* board  
> seat in the election.
>
> As to the developer himself, I have no idea if he has a NDA with  
> JanRain that might have prevented this, if he did disclose it to the  
> committee of the Foundation that engaged him, or what.  I'm much  
> less concerned about his role in all of this as I'm sure in both  
> engagements he's just doing what he's being paid to do.
>
> --David
>
> On Dec 5, 2008, at 11:08 AM, Chris Messina wrote:
>
>
> On Fri, Dec 5, 2008 at 11:00 AM, Steven Livingstone-Perez <weblivz at hotmail.com> wrote:
> I don't really have much of a say on this (other than being a new member)
> and you may 100% disagree with me, but IMHO there *is* an argument that in
> using best of breed products we can demonstrate the power of OpenID to users
> ... compared with the cost/effort to implement something that already does a
> really good job.
>
> No argument there. Making OpenID seem awesome (or live up to its  
> promised awesomeness) isn't really something that I'm questioning.
>
> This kind of experience can be done without the use of a vendor  
> product, though, but requires quite a bit more work and time.
>
>
> I do understand the endorsement aspect, but on the other hand the UX is the
> biggest issue OpenID seems to have at the moment and it seems to me that
> using such products (so long as they are donated as such and not specific
> long term to any one company) can only be a positive thing.
>
> Therein lies the rub. I'm not arguing against using RPX, but for  
> concealing it in the trust root (since currently people end up  
> trusting *.rpxnow.com rather than openid.net — thereby creating a  
> long term situation that's hard to switch from (without users having  
> to *reassociate*)) and for getting some transparency into how the  
> decision to use RPX was made.
>
> I agree with Eran that the experience is better -- but let's not set  
> a poor precedent in the interest of expediency.
>
> Chris
>
> -- 
> Chris Messina
> Citizen-Participant &
>  Open Technology Advocate-at-Large
> factoryjoe.com # diso-project.org
> citizenagency.com # vidoop.com
> This email is:   [ ] bloggable    [X] ask first   [ ] private
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
