Draft OpenID v.Next Discovery working group charter

John Bradley john.bradley at wingaa.com
Wed Apr 14 15:08:39 UTC 2010


Philip,

It is fine for you to take pot shots at XRI, however those are the only people sympathetic to your position who are working on this.

The decisions taken by LRDD happened outside of the XRI TC.

I understand your point about DNS, however in the discussions with Sir Tim and others at the W3C using DNS for anything other than http was also a non-starter.  The TAG is opposed to using anything other than http URIs to name things, to prevent fragmentation of the namespace.   It is well documented on the TAG list.   LRDD is trying to follow that principle, however flawed.

This is not the LRDD list.   So some of your comments are best put to them directly.

If the W3C wants to address this they are welcome to; unfortunately, most of us are excluded from the W3C process.

You are welcome to ride the horse but don't expect a lot of company.   

The topic is the openID discovery WG charter.

I am happy to include considering multiple options. 
eg using SRV records to discover the signed host-meta XRD for a DNS Authority.
Something I personally argued for.  

We could consider re-using the existing OASIS spec for retrieving meta-data for an entityID, that is used in SAML, WS-Fed 1.2, and openID in Shibboleth.  

I am willing to consider them alongside of the IETF LRDD spec.

However I am a realist.  Many of the people in this openID WG participated in the IETF work.   
Competing proposals will be a hard sell.   You need to realize that and contribute to the WG if you want to influence the outcome.

I suspect that a snippy note from Sir Tim will have less influence on the openID membership than it did on OASIS.
(PS David Orchard should get the credit for torpedoing XRI 2.0)

Regards
John B.



On 2010-04-14, at 8:47 AM, Phillip Hallam-Baker wrote:

> I would certainly not argue for DNSSEC in its current form, in fact I
> was pointing out the serious issues with DNSSEC at RSA this year. At
> the moment there is no protocol for getting your zone key into DNSSEC,
> so the idea that it is imminent is rather optimistic. One way to look
> at the situation is that the same people who proposed the failed PEM
> PKI scheme have proposed the same architecture and got to the same
> point they did with PEM.
> 
> 
> XRI is the only OASIS TC to have failed to gain approval for its
> specifications from the membership. It was rejected specifically
> because Sir Tim Berners-Lee and the W3C TAG argued against it as an
> unnecessary fragmentation of the naming space.
> 
> Describing it as 'moving forward' as if it was a train that could pull
> OpenID in its wake is optimistic in the extreme. A more realistic
> assessment is that XRI is essentially dead for all purposes and OpenID
> is the only remaining chance for resurrection.
> 
> A technical proposal that ignores an existing infrastructure that is
> open, deployed and used by every Internet user in favor of one that is
> unproven is tilting at windmills. I see no reason to think that XRI
> is going to be any different to UDDI, RealNames, X.500, AOL corporate
> names or any of the other directory schemes that have come and gone.
> Remember the days when companies would mention their AOL keyword in
> ads? Not seen that for a decade now. There was no shortage of people
> running round telling me why UDDI was going to be the biggest thing
> ever and how it was amazingly great in vague and unspecified terms.
> UDDI had Microsoft and IBM behind it pushing it, and it still went
> nowhere.
> 
> I see no reason to doubt that XRI will go the same way as X.500. The
> directory system will never actually have a funeral, but cease to be
> an operative concept. Meanwhile some of the infrastructure originally
> intended to support the directory (XRD) will continue on its own.
> 
> 
> Saying that "OpenID is about identity, not trust" might be more
> meaningful if we had solid consensus on what was meant by identity or
> what is meant by trust.
> 
> In my view the one key to establishing an identity scheme is to
> develop a uniform identifier space where there is a widespread
> consensus as to what the authoritative interpretation of a name should
> be. There are two basic designs that can be employed for that purpose,
> the first is to use an identifier that is indexical such that it
> serves as a locator for at least some attributes associated with the
> identifier. The second is to use a non-indexical identifier that does
> not support location.
> 
> Since one of the features we want in the OpenID scheme is that the
> authorized subject of an identifier have the ability to authenticate
> a claim to being the subject of the assertion, it seems that we are
> going to be talking about an identifier that is indexical with respect
> to authenticating the subject's claim of use. So we need a discovery
> scheme that maps an identifier to a resource that can verify the
> subject claim.
> 
> I do not see the possibility of any other form of discovery being complete.
> 
> For example, I have a private address book on my machine here that
> makes assertions about the subject of the identifier
> 'Michael.Jones at microsoft.com'. There is no imaginable architecture
> (outside the NSA) that could be developed that is going to make those
> identifiers discoverable unless I choose to make them so.
> 
> That does not matter though, if I want my assertions to be public, I
> am going to take some steps towards publishing them. For example, I
> may have a blog with a comment section and I may have a section that
> contains a comment that I purport was posted by Michael. In that case
> I am going to gloss over some RDFa markup to that effect.
> 
> 
> On Wed, Apr 14, 2010 at 1:48 AM, SitG Admin
> <sysadmin at shadowsinthegarden.com> wrote:
>>> Five years ago, the OpenID world was making a lot of arguments
>>> premised on the need to move very quickly.
>> 
>> I'm mindful of "OpenID is about identity, not trust", here.
>> 
>> Perhaps the advantage is to be flexible with which trust system OpenID is
>> attached to; rather than relying on DNS, developers who don't trust it (or
>> the PKI in DNSSEC) can try something else instead. Kind of pessimistic to
>> anticipate failure, that way, but I see it as them trying Webfinger now
>> because they have the most support for it (internally), and others are free
>> to work on their own favored trust systems. (I know XRI is moving forward;
>> I've been looking a bit at how Tor might integrate with OpenID on the rest
>> of the web even *without* going through XRI.)
>> 
>> -Shade
>> 
> 
> 
> 
> -- 
> -- 
> New Website: http://hallambaker.com/
> View Quantum of Stupid podcasts, Tuesday and Thursday each week,
> http://quantumofstupid.com/
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
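The host-meta XRD / LRDD step that John lists among the discovery options, walked through as an added example. This is not code from the thread or from the OpenID, OASIS or IETF authors involved. It assumes the host-meta document is the OASIS XRD 1.0 format served at /.well-known/host-meta (the RFC 6415 location) with an LRDD Link template; the XRD document and the identifiers are constructed for the example, nothing is fetched from the network, and the SRV lookup and signature check John mentions are left out. It also applies a same-authority policy to the template host: the specs permit delegating LRDD to another host, so that check is this example's conservative choice, not a requirement of LRDD.

```python
"""Toy LRDD discovery over a host-meta XRD (added example, not from the thread).

Steps shown: identifier -> DNS authority -> host-meta URL -> LRDD template
-> per-identifier descriptor URL. The XRD below is constructed for this
example; the same-authority check on the template is a local policy choice.
"""
import urllib.parse
import xml.etree.ElementTree as ET

XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"  # OASIS XRD 1.0 namespace

# Constructed sample host-meta XRD for the authority "example.com".
SAMPLE_HOST_META = """
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>example.com</Subject>
  <Link rel="lrdd" template="https://example.com/describe?uri={uri}"/>
  <Link rel="http://webfinger.net/rel/profile-page" href="https://example.com/profile"/>
</XRD>
""".strip()


def authority_of(identifier: str) -> str:
    """Return the DNS authority an identifier delegates discovery to.

    acct: / mailto: identifiers use the part after '@'; http(s) URLs use the
    hostname. Anything else is refused rather than guessed.
    """
    parsed = urllib.parse.urlsplit(identifier)
    if parsed.scheme in ("http", "https"):
        if not parsed.hostname:
            raise ValueError(f"URL without host: {identifier!r}")
        return parsed.hostname.lower()
    if parsed.scheme in ("acct", "mailto") and "@" in parsed.path:
        return parsed.path.rsplit("@", 1)[1].lower()
    raise ValueError(f"cannot determine authority for {identifier!r}")


def host_meta_url(authority: str) -> str:
    """Well-known host-meta location for an authority (RFC 6415)."""
    return f"https://{authority}/.well-known/host-meta"


def lrdd_template(host_meta_xml: str, authority: str) -> str:
    """Parse an XRD document and return its LRDD Link template.

    Policy applied here (not mandated by LRDD): a template whose host differs
    from the authority being resolved is rejected, so a tampered or
    misconfigured host-meta cannot quietly hand discovery to a third party.
    """
    root = ET.fromstring(host_meta_xml)
    if root.tag != f"{{{XRD_NS}}}XRD":
        raise ValueError("not an XRD document")
    for link in root.findall(f"{{{XRD_NS}}}Link"):
        template = link.get("template")
        if link.get("rel") == "lrdd" and template:
            tmpl_host = urllib.parse.urlsplit(template).hostname
            if tmpl_host is None or tmpl_host.lower() != authority:
                raise ValueError(f"lrdd template host {tmpl_host!r} is not {authority!r}")
            return template
    raise LookupError("no lrdd Link in host-meta")


def describe_url(identifier: str, host_meta_xml: str) -> str:
    """Expand the LRDD template for an identifier ({uri} is percent-encoded)."""
    authority = authority_of(identifier)
    template = lrdd_template(host_meta_xml, authority)
    return template.replace("{uri}", urllib.parse.quote(identifier, safe=""))


if __name__ == "__main__":
    ident = "acct:alice@example.com"  # constructed identifier
    print("host-meta:", host_meta_url(authority_of(ident)))
    print("descriptor:", describe_url(ident, SAMPLE_HOST_META))
```

Run it and the two printed URLs show where a relying party would fetch the host-meta document and, after template expansion, the per-identifier descriptor; replacing the template host in SAMPLE_HOST_META with another name makes describe_url raise, which is the policy check in action.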


