[OpenID] OAuth SPs don't have to be your OpenID OP

Peter Williams pwilliams at rapattoni.com
Sat Apr 4 16:27:03 UTC 2009


I'm supportive of the OAuth stack and the OpenID stack cooperating closely. What I don't want is to change the core model of OpenID - the UCI part.

In User-centric OpenID, there are already rather too many signals that certain OPs are intending to run a policy-based "management regime" for the web similar to how Facebook runs its "plugin providers." That is: the plugins cannot even "exist" without Facebook, and are subject to Facebook's rules on how identities are managed and how personal attributes flow. Now, while that control model works quite naturally in the Facebook world (since it's a voluntary portal-plugin model), does it work for the web - where OPs and RPs are peers?

We also have to look at Microsoft's own (WS-Fed and now SAML2) profile work (and *probably* OpenID/OAuth work) - remembering that they have an established profile of WebSSO aimed at DRM enforcement - at the attribute level. The attributes are not owned by users SPECIFICALLY in this profile world; they are the property of the OP. The only role the user has is one of using the OP as an agent; and the only role the RP has is to remotely enforce the OP's control regime. In this world, should the user ask the RP to do X with his/her attributes, the answer will be no - as the RP will not even have the technical means to circumvent the OP's policy, due to the DRM controls wrapped around their handling of the SAML/OpenID attributes. How that world would handle the notion that n OPs could link in parallel to a single RP account - and thus neither would have exclusive control over the projection of the user store at the RP - I don't know!

Now, I would not really object to any of the above even in the embodiment of OpenID+OAuth vs SAML+IGF if I saw a balance: between TTP OPs (much like the SSL world's TTP-class CAs such as VeriSign), and non-TTP OPs (much like the SSL world's half billion self-signed, unmanaged CAs operated by users in their homes).

But I don't see much evidence of the non-TTP OP emerging, beyond the JanRain efforts - where they were making good architectural progress in outsourcing OP functions to anyone.



From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Andrew Arnott
Sent: Friday, April 03, 2009 9:25 PM
To: santrajan
Cc: general at openid.net
Subject: Re: [OpenID] OAuth SPs don't have to be your OpenID OP

Why should OpenID support OAuth at all? OpenID can stand on its own. All
OpenID needs to do is address the concerns of RPs and users.

Why? Because in your own words "OpenID needs to ... address the concerns of RPs and users". OAuth protects users, and aids RPs. Yes, OpenID and OAuth can and do stand on their own. But if they are to be used together, it can be confusing and cumbersome to users unless we work to streamline the process.

Pure and simple.