<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.apple-style-span
        {mso-style-name:apple-style-span;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>


<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Andrew Arnott
[mailto:andrewarnott@gmail.com] <br>
<b>Sent:</b> Monday, April 13, 2009 8:55 PM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> Kenneth Kron; oauth; openid General<br>
<b>Subject:</b> Re: [OpenID] Facebook wildfire spreading of OpenID<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal>Peter, my parents' responses inline.<br clear=all>
<o:p></o:p></p>

<div>

<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-right:0in'>

<div>

<div>

<p><span style='font-size:11.0pt;color:#1F497D'>What is openid&#8217;s core
value, for a parent?</span><o:p></o:p></p>

<p><span class=apple-style-span><span style='font-size:11.5pt;color:#1F497D'>Here
are a few of the spins I&#8217;ve heard over the last 2 years:</span></span><o:p></o:p></p>

<p style='margin-left:1.0in;text-indent:-.5in'><span style='font-size:11.0pt;
color:#1F497D'>1</span><span style='font-size:7.0pt;color:#1F497D'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><span style='font-size:11.0pt;color:#1F497D'>Urls are so magical that
your openid URL means you don&#8217;t need multiple passwords</span><o:p></o:p></p>

</div>

</div>

</blockquote>

<div>

<p class=MsoNormal>What?&nbsp;<o:p></o:p></p>

<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></i></b></p>

<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>[Peter Williams] Yes &#8211; the &#8220;url&#8221; hypothesis. Because
openid is all based on the URL, websso will now work and be widely adopted (where
it doesn&#8217;t and won&#8217;t when the subject&#8217;s id is expressed in
any other form other than a URL).<o:p></o:p></span></i></b></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

</div>

<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-right:0in'>

<div>

<div>

<p style='margin-left:1.0in;text-indent:-.5in'><span style='font-size:11.0pt;
color:#1F497D'>2</span><span style='font-size:7.0pt;color:#1F497D'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><span style='font-size:11.0pt;color:#1F497D'>Addresses commenting spam</span><o:p></o:p></p>

</div>

</div>

</blockquote>

<div>

<p class=MsoNormal>What?&nbsp;<o:p></o:p></p>

<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></i></b></p>

<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>&nbsp;[Peter Williams] &nbsp;yes, I&#8217;ve heard it said that a motive
for the original authenticated comments application of openid was to ensure
that only trusted commentators (i.e. the comment is supported by a trustworthy
assertion) would have the privilege of posting public comments &#8211; so a
blog would not be filled with comment spam.<o:p></o:p></span></i></b></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

</div>

<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-right:0in'>

<div>

<div>

<p style='margin-left:1.0in;text-indent:-.5in'><span style='font-size:11.0pt;
color:#1F497D'>3</span><span style='font-size:7.0pt;color:#1F497D'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><span style='font-size:11.0pt;color:#1F497D'>Brings PGP&#8217;s web of
trust to life, through linkup with ebay-reputation systems</span><o:p></o:p></p>

</div>

</div>

</blockquote>

<div>

<p class=MsoNormal>Huh?&nbsp;<o:p></o:p></p>

<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></i></b></p>

<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>&nbsp;[Peter Williams] yes +1, -19, ++4. I&#8217;ve heard it said that
the trust model that openid will evolve to (seeing as https is not really
openid-friendly) will exploit reputation frameworks. Associated with an
assertion will be a reputation, shared in RP affiliation communities. openid becomes
viable when reputation becomes a managed infrastructure. (OASIS even chartered a
group to focus on this, if I recall).<o:p></o:p></span></i></b></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

</div>

<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-right:0in'>

<div>

<div>

<p style='margin-left:1.0in;text-indent:-.5in'><span style='font-size:11.0pt;
color:#1F497D'>4</span><span style='font-size:7.0pt;color:#1F497D'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><span style='font-size:11.0pt;color:#1F497D'>Easy signup to new accounts</span><o:p></o:p></p>

</div>

</div>

</blockquote>

<div>

<p class=MsoNormal>Oh! &nbsp;Cool.&nbsp;<o:p></o:p></p>

<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></i></b></p>

<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>[Peter Williams] &nbsp;yes. I&#8217;ve heard it explained that RPs
will perform identity management, and during signup attributes from an OP will
be transferred to the new account at the RP. I&#8217;ve also heard the
opposite: the best and &#8220;most promising&#8221; RPs will not maintain
accounts, have no local login, and ONLY ever create sessions in response to an
openid assertion.<o:p></o:p></span></i></b></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

</div>

<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-right:0in'>

<div>

<div>

<p style='margin-left:1.0in;text-indent:-.5in'><span style='font-size:11.0pt;
color:#1F497D'>5</span><span style='font-size:7.0pt;color:#1F497D'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><span style='font-size:11.0pt;color:#1F497D'>Get portability of
identity, like with your phone number</span><o:p></o:p></p>

</div>

</div>

</blockquote>

<div>

<p class=MsoNormal>Umm... phone number I know. &nbsp;But what's portable
identity?&nbsp;<o:p></o:p></p>

<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></i></b></p>

<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>[Peter Williams] &nbsp;I heard it said that openid was all about
ensuring that having bound an openid to an RP to get some service, one could then
migrate from one assertion making party to another, and there would be no
impact on your relationship with that RP. This is like having the relatively
new right to transfer a phone number between carriers, rather than the older world
in which carriers captured subscribers because they erected a barrier to
exiting their plan (you lost your contacts, as the phone number &#8220;belonged
to&#8221; the carrier, not you)</span></i></b><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p>

</div>

<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-right:0in'>

<div>

<div>

<p style='margin-left:1.0in;text-indent:-.5in'><span style='font-size:11.0pt;
color:#1F497D'>6</span><span style='font-size:7.0pt;color:#1F497D'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><span style='font-size:11.0pt;color:#1F497D'>Addresses privacy policies
&nbsp;through explicit consent</span><o:p></o:p></p>

</div>

</div>

</blockquote>

<div>

<p class=MsoNormal>um... privacy is good.<o:p></o:p></p>

<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></i></b></p>

<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>[Peter Williams] I&#8217;ve heard it said that openid is ONLY
about the browser world, as ONLY in the browser world do you get UI that facilitates
explicit management of consent &#8211; and a point at which one can control
which attributes are released to which (more or less trusted) parties (under your
personal privacy regime). ONLY if there is a &#8220;special&#8221; class of UI
can openid work project the security one needs, and it MUST involve address
bars.<o:p></o:p></span></i></b></p>

<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></i></b></p>

<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></i></b></p>

<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Yes.. all those things above have been hinted at as being among
the unique &#8220;value points&#8221; of openid (vs any other websso scheme).
Most of them reflect social benefits, or convenience features.<o:p></o:p></span></i></b></p>

<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></i></b></p>

<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></i></b></p>

<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I forgot another common claim, earlier, of course. The Openid movement
[generally] solves phishing.<o:p></o:p></span></i></b></p>


</div>

</div>

</div>

</div>

</body>

</html>