[OpenID] OAuth SPs don't have to be your OpenID OP

Peter Williams pwilliams at rapattoni.com
Sat Apr 4 17:35:41 UTC 2009

There is not a single initiative happening in OpenID today that didn't already happen in the mid 80s, in ISO.

OpenID Auth is just a protocol, the kind that was supposed to emerge and deliver the standard service according to whatever market forces wanted of some bit pattern and integration technologies (e.g. REST, or SOAP, or whatever happens next). Of course any protocol defined in the 80s would be irrelevant by late 80s, as would its replacement by late 90s. OpenID Auth v2.1 will look "quaint", within just 3 years!

For certain of the directory service services, you could and should be using 80s-era OSI remote operations, LDAP, SAML attribute queries, or AX. It's irrelevant which bit pattern you use. The hard part is designing for scalable infrastructure that can address the politics necessary for voluntary yet effective interworking. Protocol design is easy in comparison to that.

Yes, SSL's CA world (one of the outputs of that 80s conception) was one of the hardest problems to solve, as national sovereignty issues were paramount, folks were wrapped up in Cold War metaphors about military control, distributing strong crypto was illegal (somehow we didn't get arrested), spying on the MCI/AT&T backbone system and Western Union telegrams was not supposed to be discussed, and all data interception was supposed to be managed in covert fashion by a network of specially indoctrinated CISSPs, who could be "trusted". But, despite all that: the web did find its ways and folks with all sorts of different agendas and opinions DO get along - in a social problem much more difficult than that facing websso.

The critical issue is: don't get too religious about your particular bit patterns. It's only a stupid machine going klunk. The hard part is people, and their (trust) needs. Once you get all controlling about your model of trust, folks just stop adopting the bit patterns.

> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of santrajan
> Sent: Saturday, April 04, 2009 10:23 AM
> To: general at openid.net
> Subject: Re: [OpenID] OAuth SPs don't have to be your OpenID OP
> These kinds of problems have been worked out before. Particularly for
> digital signatures if I remember right. So I don't think it would be a
> major problem this time around.
> Would we find a test system running soon?
> Chris Messina wrote:
> >
> >
> > Of course, you might find some resistance from various international
> > bodies unless you're adept at balancing the politics of centralized
> > systems against the desire for national sovereignty.
> >
> > Chris
> >
> > On Sat, Apr 4, 2009 at 12:35 PM, santrajan <santrajan at gmail.com> wrote:
> >
> >>
> >> This is really a no-brainer. Somebody should really just go ahead and
> >> implement it. Forget about waiting for anything.
> >>
> >>
> >> Chris Messina wrote:
> >
> >
