[OpenID] OAuth SPs don't have to be your OpenID OP

Peter Williams pwilliams at rapattoni.com
Sat Apr 4 17:00:08 UTC 2009


Make sure your CDS is not mandatory - but an optional metadata locator service that is EASILY replaced and augmented (much as the X.500 locator service did, in the OSI tradition).

There must be a means to use your PDS in peer-to-peer mode, normally. Otherwise, one has just shifted the central control point around, from CAs, to OPs, to discovery points. What you don't want is a centralized discovery/locator service that will become like the DNS in EV-grade PKI - the gating factor on whether or not one can interwork (after one has to pay VeriSign its domain registration tax).

Whoever runs it (rather like the Neustar-run ENUM-based call-control agents for phone networks) gets too much power. Though such centralization may make sense for telco (e.g. what Neustar do for a living), it's less clear it's appropriate for web culture, and web-based VoIP and presence.

Give a business long-term monopoly power, and a firm will inevitably abuse it. It's a law of capitalism.

> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of santrajan
> Sent: Saturday, April 04, 2009 9:10 AM
> To: general at openid.net
> Subject: Re: [OpenID] OAuth SPs don't have to be your OpenID OP
>
>
> Cool! So it will just require some javascript I presume. How fast you think
> this can be implemented?
>
> Chris Messina wrote:
> >
> > On Sat, Apr 4, 2009 at 11:23 AM, santrajan <santrajan at gmail.com> wrote:
> >
> >>
> >> Exactly! To quote from that doc.
> >> "The suggested approach involves two new systems that we refer to as the CDS
> >> (Central Discovery Service) & PDS (Personal Discovery Service).  The only
> >> job of the CDS is to indicate the location of the user's PDS. "
> >>
> >> Something like this for OpenID.
> >>
> >
> > Right. This was what we discussed at the OpenID Design Workshop — that such
> > a PDS system could hint to the browser what OP the current user uses — and
> > nothing more — to enable a generic "Sign in" button for the web w/o having
> > to support the Nascar screen of logo-buttons that will surely emerge with
> > the proliferation of directed identity and OPs.
> >
> > Chris
> >
> >
> >>
> >>
> >> Chris Messina wrote:
> >> >
> >> > On Sat, Apr 4, 2009 at 10:57 AM, santrajan <santrajan at gmail.com> wrote:
> >> >
> >> >>
> >> >> Yes but the consumer registration is still required right? I mean it
> >> >> wouldn't work without the OAuth key?
> >> >
> >> >
> >> > Auto-registration is a possibility. It's not unlike the association that
> >> > takes place in OpenID on the fly, to the best of my [limited] knowledge.
> >> >
> >> >
> >> >> Regarding centralized discovery I was thinking of a centralized repository
> >> >> for identities that will allow discovery and manage trust.
> >> >>
> >> >
> >> > You mean like Passport or Facebook? I'm not sure I understand what you're
> >> > proposing. Centralization is against the model and design of the web
> >> > (albeit, DNS is pretty much centralized discovery/resolution).
> >> >
> >> > Have you read about the Personal Discovery Service?
> >> >
> >> > http://sites.google.com/site/oauthgoog/Home/pds
> >> >
> >> > Chris
> >> >
> >> >
> >>
> >
> > --
> > Chris Messina
> > Citizen-Participant &
> >  Open Web Advocate
> >
> > factoryjoe.com // diso-project.org // vidoop.com
> > This email is:   [ ] bloggable    [X] ask first   [ ] private
> >
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general
> >
> >
>
> --
> View this message in context: http://www.nabble.com/OAuth-SPs-don%27t-have-to-be-your-OpenID-OP-tp22879703p22885000.html
> Sent from the OpenID - General mailing list archive at Nabble.com.
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
