[OpenID] Facebook wildfire spreading of OpenID

Peter Williams pwilliams at rapattoni.com
Tue Apr 14 04:14:18 UTC 2009

From: Andrew Arnott [mailto:andrewarnott at gmail.com]
Sent: Monday, April 13, 2009 8:55 PM
To: Peter Williams
Cc: Kenneth Kron; oauth; openid General
Subject: Re: [OpenID] Facebook wildfire spreading of OpenID

Peter, my parents' responses inline.

What is openid's core value, for a parent?

Here are a few of the spins I've heard over the last 2 years:

1. URLs are so magical that your openid URL means you don't need multiple passwords

[Peter Williams] Yes - the "url" hypothesis. Because openid is all based on the URL, websso will now work and be widely adopted (where it doesn't and won't when the subject's id is expressed in any form other than a URL).

2. Addresses commenting spam

[Peter Williams] Yes, I've heard it said that a motive for the original authenticated-comments application of openid was to ensure that only trusted commentators (i.e. the comment is supported by a trustworthy assertion) would have the privilege of posting public comments, so a blog would not be filled with comment spam.

3. Brings PGP's web of trust to life, through linkup with eBay-reputation systems

[Peter Williams] Yes +1, -19, ++4. I've heard it said that the trust model that openid will evolve to (seeing as https is not really openid-friendly) will exploit reputation frameworks. Associated with an assertion will be a reputation, shared in RP affiliation communities. openid becomes viable when reputation becomes a managed infrastructure. (OASIS even chartered a group to focus on this, if I recall.)

4. Easy signup to new accounts
Oh! Cool.

[Peter Williams] Yes. I've heard it explained that RPs will perform identity management, and during signup attributes from an OP will be transferred to the new account at the RP. I've also heard the opposite: the best and "most promising" RPs will not maintain accounts, have no local login, and ONLY ever create sessions in response to an openid assertion.

5. Get portability of identity, like with your phone number
Umm... phone number I know. But what's portable identity?

[Peter Williams] I heard it said that openid was all about ensuring that, having bound an openid to an RP to get some service, one could then migrate from one assertion-making party to another, and there would be no impact on your relationship with that RP. This is like having the relatively new right to transfer a phone number between carriers, rather than the older world in which carriers captured subscribers because they erected a barrier to exiting their plan (you lost your contacts, as the phone number "belonged to" the carrier, not you).

6. Addresses privacy policies through explicit consent
Um... privacy is good.

[Peter Williams] I've heard it said that openid is ONLY about the browser world, as ONLY in the browser world do you get UI that facilitates explicit management of consent, and a point at which one can control which attributes are released to which (more or less trusted) parties (under your personal privacy regime). ONLY if there is a "special" class of UI can openid work to project the security one needs, and it MUST involve address bars.

Yes... all those things above have been hinted at as being among the unique "value points" of openid (vs any other websso scheme). Most of them reflect social benefits, or convenience features.

I forgot another common claim, earlier, of course. The Openid movement [generally] solves phishing.

