[OIDFSC] FW: Proposal to create the TX working group

Nat Sakimura sakimura at gmail.com
Thu Jan 1 03:06:39 UTC 2009


Hi David,
Since I am on the New Year's holiday (just when you got back from your
holiday...), I will just comment on a few things inline to supplement Henrik
and Drummond's comments.

On Wed, Dec 31, 2008 at 5:33 PM, David Recordon <recordond at gmail.com> wrote:

> Hi Nat,
> I read Josh's email as agreeing with Mike's statement of:
>
>> The OpenID Specifications Council recommends that members reject this
>> proposal to create a working group because the charter is excessively broad,
>> it seems to propose the creation of new mechanisms that unnecessarily create
>> new ways to accomplish existing tasks, such as digital signatures, and
>> the proposal is not sufficiently clear on whether it builds upon existing
>> mechanisms such as AX 1.0 in a compatible manner, or whether it requires
>> breaking changes to these underlying protocols.
>
>
I think it is very clear that it builds upon AX. Whether the additional message
portion goes into AX 2.0 or CX depends on how AX 2.0 (as the AX 2.0 charter is
being drafted, it goes in there) evolves.


> While you have clarified that you don't intend to create a new XML
> signature mechanism, OAuth describes a mechanism to use public keys to sign
> these sorts of parameters.  Signatures aside, as Mike said other aspects of
> the charter seem quite broad and it is unclear how it will build upon AX 1.0
> and other underlying existing OpenID technologies.
>

I am expecting that an OAuth-style signature is coming into AuthN 2.1. Then, CX
would use it. The OAuth signature per se has to be profiled into OpenID to be
used in OpenID message signing anyway, so just referencing OAuth is not
quite adequate.


>
> Given the draft charter at
> http://wiki.openid.net/Working_Groups%3AContract_Exchange_1:
> 1) The purpose of producing a series of extensions seems too broad.  OpenID
> was born on the idea of doing one simple thing and we've seen success with
> OpenID and related technologies when they are made up of small pieces
> loosely joined.  OpenID Authentication 2.0 broke this rule in some areas and
> we're now seeing the repercussions of doing so.
>

"Series of" is there to allow the possibility of modularization. It might
become clear at a later date, when the WG work has progressed more, that it could be
refactored into more than one specification. (For example, I believe that
AuthN 2.0 could have been modularized into Discovery, Assertion format,
Signature, and Messaging protocol, and PAPE could have been into two
modules.) It is hard to know if such modularization is really desirable at
the outset. Thus, I have thrown in the words "series of." Not allowing it
would tend to build a monolithic spec., which is exactly what you are trying
to avoid now.


>
>
> 2) In what jurisdictions are these contracts legally binding?  Is
> "arbitrary parties to create and exchange a mutually-digitally-signed
> legally binding 'contract'" a justifiable statement or should it be toned
> down?  It should also be kept in mind that since OpenID's creation it has
> been very clear that OpenID does not provide trust, but rather trust can be
> built on top of identity.  I'm not saying that OpenID should never deal with
> trust, just trying to understand if this Working Group intends to change how
> OpenID currently does not create this form of trust.
>
> 3) The purpose says that the Working Group intends to possibly extend AX
> and create a series of specifications.
>

Extending AX actually was what was suggested at IIW with Dick.
Subsequently, it was moved to the AX 2.0 WG proposal.
See the Out of Scope section. It states:

OpenID AX 2.0 was moved out to another WG, which includes the following
prerequisites for this WG.

   - Request/Response type message "Exchange"
   - Direct Communication method in both directions (OP<->RP)

> It does not seem prudent to give a Working Group the ability to arbitrarily
> extend an existing extension or create an unlimited number of
> specifications.
>

It is not. The WG is bound by the scope. The WG may decide to break up its
scoped output into smaller pieces for modularity purposes (that's what is
routinely done in OASIS etc.), but the overall output MUST be TIGHTER than
the scope.



>
> 4) The Scope section is still not clear as to what the Working Group will
> actually be producing.  I would prefer to see the section rewritten, maybe
> mimicking the structure currently being considered for the specification.
>
> As to if you wish to force this proposal forward, I do not believe that it
> currently has sufficient support within the OpenID community to succeed and
> that its broad scope contravenes the community's purpose.  This is why I'm
> really hoping that the proposal can be refined to something which will be
> successful that a broad community can get behind!
>
> --David
>
> On Tue, Dec 30, 2008 at 9:03 PM, Nat Sakimura <sakimura at gmail.com> wrote:
>
>> Hi Josh,
>>
>> To which statement did you agree?
>>
>> There have been several things that have been pointed out, but I think I
>> have answered them.
>>
>> For example, for XML Sig, I have stated that this spec is not for XML,
>> etc.
>> For modularization, yes, that is a possibility but a scope needs to be
>> able to cover a field that it requires, even if it ends up not covering that
>> field.
>> It is impossible to widen the scope, though narrowing it down at a later
>> date is easy.
>>
>> Unfortunately, I have not heard back any concrete response for amendments.
>> It would be more constructive to have those.
>>
>> Also, if you are giving advice to the membership, a recommendation for not
>> approving it, you need to state the reasons concretely.
>>
>> It needs to be one of
>>
>> (a) an incomplete Proposal (i.e., failure to comply with §4.1);
>> (b) a determination that the proposal contravenes the OpenID
>> community's purpose;
>> (c) a determination that the proposed WG does not have sufficient
>> support to succeed or to deliver proposed deliverables within projected
>> completion dates; or
>> (d) a determination that the proposal is likely to cause legal
>> liability for the OIDF or others.
>>
>> and should state why the proposal falls into one of the criteria
>> concretely and accountably.
>>
>> Regards,
>>
>> =nat
>>
>> On Wed, Dec 31, 2008 at 7:58 AM, Josh Hoyt <josh at janrain.com> wrote:
>>
>>> On Tue, Dec 30, 2008 at 12:17 PM, Mike Jones
>>> <Michael.Jones at microsoft.com> wrote:
>>> > I realize it was Christmas week but it's been a week and we've heard nothing
>>> > from any of the other specs council members on this proposal (or the other
>>> > one as well).
>>>
>>> I agree with the statement that you made about this proposal.
>>>
>>> Josh
>>>
>>
>>
>>
>> --
>> Nat Sakimura (=nat)
>> http://www.sakimura.org/en/
>>
>
>


-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/