[OpenID] Changes to the OpenID Foundation member page login

Peter Williams pwilliams at rapattoni.com
Sun Dec 7 04:55:31 UTC 2008


I could not get to the part of payment (for registration) without passing by the (unacceptable) agreement terms.

Out of interest, is there a debit/credit-card payment option? And is the Foundation PCI compliant (and has it attested to compliance)?

There are of course proper means to avoid needing to audit/validate the storage/transmittal/processing systems as being PCI compliant - including using explicit framing solutions by payment gateways. Is this what the foundation does? Who is the vendor of the payment gateway, and does the Foundation have its own merchant id? Who is the Acquiring bank (if any), and how was it selected?




From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of David Recordon
Sent: Saturday, December 06, 2008 9:08 PM
To: Brian Kissel
Cc: general at openid.net
Subject: Re: [OpenID] Changes to the OpenID Foundation member page login

Hey Brian,
Thanks for more of the backstory here.  A few questions:

1) How was the decision made to use RPX versus investing the energy to update the Rails plugin?  My understanding is that Mike Jones was also unaware of the decision to use RPX.  I believe that personally I would have also chosen to use RPX so that it would be working a week sooner.  That said, if the OpenID Foundation can't make OpenID 2.0 fully work in Rails it seems prudent for the Foundation to help the community fix this problem.  I would be happy to see the Foundation provide monetary support in updating the Rails plugin to be in the state that it should for the entire community after the election problem was fixed.

2) Did JanRain ask the Foundation to purchase an SSL certificate (I generally buy them for around $50/year)?  Just as cops aren't allowed to accept free coffee and doughnuts from convenience stores (since it makes the cops prefer that store to others in their patrol zones) is there not a concern that in providing a free service to the Foundation that the Foundation might prefer JanRain to other vendors?  If the Foundation truly believes that RPX is the best solution here, taking into account the cost, then it feels like we should be paying for it in one way or another.

3) Does Peat, one of the contractors working for Refresh Media who has been building the membership/election tool, also have some form of employment with JanRain?  If so, why did you never disclose this and was this started before or after Refresh Media began work on the membership/election tool?

Thanks,
--David

On Dec 6, 2008, at 2:12 PM, Brian Kissel wrote:


Hello All,

Thanks to everyone for the feedback on the changes on OpenID login on the OpenID.net website.

First, our apologies with the trust root problem that originally pointed to an RPX affiliated trust root.  That problem has been fixed.  Here's the background for anyone who has questions.

Refresh Media is the contractor that the OIDF hired to design and implement the polling and elections platforms.  Several weeks ago after an OIDF meeting we decided we wanted to make sure that the polling and elections platform were going to be operational in time for an end of the year election.  At the time Bill Washburn was incapacitated due to some medical problems, so I volunteered to work with Mike Jones and Refresh Media to make sure the system was operational in time for the elections.

After the nominations had started, Refresh Media was having problems getting OpenID to work for login on the OIDF website:

"Our experience with the "official" Rails plugins for OpenID authentication has been pretty bad over the last two months.  Specifically, it's been a struggle to get it up to speed with the OpenID 2.0 spec, most significantly adding support for i-names and directed identity.  There would have been probably another week of development required to overhaul the plugin, but there wasn't enough time to do a proper job for the board elections.  JanRain offered RPX as an alternative to get us up and running more quickly.  We sent Bill Washburn an e-mail to check to make sure this was a reasonable approach, but after not hearing back from him made the switch when the situation became urgent."

The first implementation of RPX was our free RPX Basic version, which uses the RPX-affiliated trust root since using our Plus or Pro offerings would have required buying a separate SSL cert.  After some OIDF members expressed concern with the RPX-affiliated trust root, JanRain paid at its own cost to get a new cert and upgraded the implementation to the Plus, again at no fee to the OIDF.

So the system should be working well now, if not please let us know.

With respect to whether it's appropriate to be using RPX on the OIDF website or not, it appears that there has been a diversity of opinion.  Some of the membership has applauded the improvements in ease of use and reliability; some have concerns about using any vendor products on the official OIDF site.  I will point out that there is no mention of JanRain nor RPX in the OIDF login implementation.  If, after having now fixed the trust root problem, there is still a desire to remove RPX, we can certainly do that, but Refresh Media will still have to fix the initial problems that it was addressing.

If a diversity of opinion remains, we could use our newly implemented polling survey tool to see what the majority of the members would like to see happen.

Cheers,

Brian
==============
Brian Kissel
Cell: 503.866.4424
Fax: 503.296.5502

From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of David Recordon
Sent: Friday, December 05, 2008 11:31 AM
To: Chris Messina
Cc: general at openid.net
Subject: Re: [OpenID] Changes to the OpenID Foundation member page login

Agreed with Chris here.  I don't inherently have a problem with using RPX since it does provide value, but the trust root needs to be fixed and far more transparency added by the Foundation when choosing to use a vendor's product.

I'm also concerned about some of the optics when it comes to JanRain.  As far as I can tell JanRain has started a consulting engagement with one of the developers the OpenID Foundation retained to build the membership and elections tool.  The elections tool now has JanRain's solution in it.

Given Brian Kissel's growing involvement in the Foundation the past few months I would have expected him to disclose this as the CEO of JanRain especially as he's currently running for a *community* board seat in the election.

As to the developer himself, I have no idea if he has an NDA with JanRain that might have prevented this, if he did disclose it to the committee of the Foundation that engaged him, or what.  I'm much less concerned about his role in all of this as I'm sure in both engagements he's just doing what he's being paid to do.

--David

On Dec 5, 2008, at 11:08 AM, Chris Messina wrote:



On Fri, Dec 5, 2008 at 11:00 AM, Steven Livingstone-Perez <weblivz at hotmail.com> wrote:
I don't really have much of a say on this (other than being a new member) and you may 100% disagree with me, but IMHO there *is* an argument that in using best of breed products we can demonstrate the power of OpenID to users ... compared with the cost/effort to implement something that already does a really good job.

No argument there. Making OpenID seem awesome (or live up to its promised awesomeness) isn't really something that I'm questioning.

This kind of experience can be done without the use of a vendor product, though, but requires quite a bit more work and time.


I do understand the endorsement aspect, but on the other hand the UX is the biggest issue OpenID seems to have at the moment and it seems to me that using such products (so long as they are donated as such and not specific long term to any one company) can only be a positive thing.

Therein lies the rub. I'm not arguing against using RPX, but for concealing it in the trust root (since currently people end up trusting *.rpxnow.com rather than openid.net - thereby creating a long term situation that's hard to switch from (without users having to *reassociate*)) and for getting some transparency into how the decision to use RPX was made.

I agree with Eran that the experience is better -- but let's not set a poor precedent in the interest of expediency.

Chris

--
Chris Messina
Citizen-Participant &
 Open Technology Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is:   [ ] bloggable    [X] ask first   [ ] private
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
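Chris Messina's trust-root point above (users end up approving *.rpxnow.com rather than openid.net, and the site cannot change its realm later without every user re-associating) is easy to see in code. The following is an added example written for this page, not code from RPX, JanRain, Refresh Media or the OIDF site: it implements the OpenID 2.0 realm-matching rules (Authentication 2.0, section 9.2) and a minimal model of how an OP keys its stored "always trust" decisions. The rpxnow.com subdomain and the return_to URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _split(url):
    """Return (scheme, host, port, path); host is lowercased, port defaulted."""
    p = urlsplit(url)
    host, _, port = p.netloc.rpartition(":") if ":" in p.netloc else (p.netloc, "", "")
    port = int(port) if port else DEFAULT_PORTS.get(p.scheme.lower())
    return p.scheme.lower(), host.lower(), port, (p.path or "/")

def realm_too_general(realm):
    """OPs SHOULD refuse realms like http://*.com/ that would cover a whole TLD.
    Crude check (no public-suffix list): a wildcard needs at least two labels."""
    host = _split(realm)[1]
    return host.startswith("*.") and host.count(".") < 2

def realm_matches(realm, return_to):
    """OpenID 2.0 section 9.2: is return_to inside the realm the user approves?"""
    r_scheme, r_host, r_port, r_path = _split(realm)
    u_scheme, u_host, u_port, u_path = _split(return_to)
    if (r_scheme, r_port) != (u_scheme, u_port) or "*" in u_host:
        return False
    if r_host.startswith("*."):
        suffix = r_host[1:]                  # "*.rpxnow.com" -> ".rpxnow.com"
        host_ok = u_host.endswith(suffix) or "." + u_host == suffix
    else:
        host_ok = u_host == r_host
    if not host_ok:
        return False
    base = r_path if r_path.endswith("/") else r_path + "/"
    return u_path == r_path or u_path.startswith(base)   # same path or sub-directory

def op_decision(approved_realms, realm, return_to):
    """Model of an OP handling checkid_setup against its stored 'always trust'
    list. Approvals are keyed by the realm string the user saw, so trust given
    to http://*.rpxnow.com/ does not carry over when the site's realm becomes
    http://openid.net/: every user is prompted (re-associates) again."""
    if realm_too_general(realm) or not realm_matches(realm, return_to):
        return "reject"
    return "approve" if realm in approved_realms else "prompt"

if __name__ == "__main__":
    # Constructed sample: a user who already trusted the RPX-hosted realm.
    approved = {"http://*.rpxnow.com/"}
    rpx_return = "http://oidf-login.rpxnow.com/openid/finish"   # constructed host
    print(op_decision(approved, "http://*.rpxnow.com/", rpx_return))               # approve
    print(op_decision(approved, "http://openid.net/", "http://openid.net/login"))  # prompt
    print(realm_matches("http://*.rpxnow.com/", "http://openid.net/login"))        # False
```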


