Draft OpenID v.Next Discovery working group charter

Phillip Hallam-Baker hallam at gmail.com
Wed Apr 14 12:47:14 UTC 2010

I would certainly not argue for DNSSEC in its current form, in fact I
was pointing out the serious issues with DNSSEC at RSA this year. At
the moment there is no protocol for getting your zone key into DNSSEC,
so the idea that it is imminent is rather optimistic. One way to look
at the situation is that the same people who proposed the failed PEM
PKI scheme have proposed the same architecture and got to the same
point they did with PEM.

XRI is the only OASIS TC to have failed to gain approval for its
specifications from the membership. It was rejected specifically
because Sir Tim Berners-Lee and the W3C TAG argued against it as an
unnecessary fragmentation of the naming space.

Describing it as 'moving forward' as if it was a train that could pull
OpenID in its wake is optimistic in the extreme. A more realistic
assessment is that XRI is essentially dead for all purposes and OpenID
is the only remaining chance for resurrection.

A technical proposal that ignores an existing infrastructure that is
open, deployed and used by every Internet user in favor of one that is
unproven is tilting at windmills. I see no reason to think that XRI
is going to be any different to UDDI, RealNames, X.500, AOL corporate
names or any of the other directory schemes that have come and gone.
Remember the days when companies would mention their AOL keyword in
ads? Not seen that for a decade now. There was no shortage of people
running round telling me why UDDI was going to be the biggest thing
ever and how it was amazingly great in vague and unspecified terms.
UDDI had Microsoft and IBM behind it pushing it, and it still went

I see no reason to doubt that XRI will go the same way as X.500. The
directory system will never actually have a funeral, but cease to be
an operative concept. Meanwhile some of the infrastructure originally
intended to support the directory (XRD) will continue on its own.

Saying that "OpenID is about identity, not trust" might be more
meaningful if we had solid consensus on what was meant by identity or
what is meant by trust.

In my view the one key to establishing an identity scheme is to
develop a uniform identifier space where there is a widespread
consensus as to what the authoritative interpretation of a name should
be. There are two basic designs that can be employed for that purpose,
the first is to use an identifier that is indexical such that it
serves as a locator for at least some attributes associated with the
identifier. The second is to use a non-indexical identifier that does
not support location.

Since one of the features we want in the OpenID scheme is that the
authorized subject of an identifier have the ability to authenticate
a claim to being the subject of the assertion, it seems that we are
going to be talking about an identifier that is indexical with respect
to authenticating the subject's claim of use. So we need a discovery
scheme that maps an identifier to a resource that can verify the
subject claim.

I do not see the possibility of any other form of discovery being complete.

For example, I have a private address book on my machine here that
makes assertions about the subject of the identifier
'Michael.Jones at microsoft.com'. There is no imaginable architecture
(outside the NSA) that could be developed that is going to make those
identifiers discoverable unless I choose to make them so.

That does not matter though, if I want my assertions to be public, I
am going to take some steps towards publishing them. For example, I
may have a blog with a comment section and I may have a section that
contains a comment that I purport was posted by Michael. In that case
I am going to gloss over some RDFa markup to that effect.

On Wed, Apr 14, 2010 at 1:48 AM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>> Five years ago, the OpenID world was making a lot of arguments
>> premised on the need to move very quickly.
> I'm mindful of "OpenID is about identity, not trust", here.
> Perhaps the advantage is to be flexible with which trust system OpenID is
> attached to; rather than relying on DNS, developers who don't trust it (or
> the PKI in DNSSEC) can try something else instead. Kind of pessimistic to
> anticipate failure, that way, but I see it as them trying Webfinger now
> because they have the most support for it (internally), and others are free
> to work on their own favored trust systems. (I know XRI is moving forward;
> I've been looking a bit at how Tor might integrate with OpenID on the rest
> of the web even *without* going through XRI.)
> -Shade

New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
