Draft OpenID v.Next Discovery working group charter
Phillip Hallam-Baker
hallam at gmail.com
Wed Apr 14 16:38:24 UTC 2010
That is certainly not my understanding of the TAG position, which I
have discussed with Tim and most of the TAG members.
The TAG has been (understandably) suspicious of a set of proposals
intended to make URNs 'resolvable'. This is an argument that goes
back 20 years and I don't think Tim's position has changed very much
over that time.
Originally there were only URLs, then there was an argument made that
some identifiers would be resolvable and others not and the concept of
URNs and URLs was proposed as distinct categories distinguishable by
syntax. For reasons that remain unexplained it was then insisted that
URNs have a different syntax to URLs and that a resolution
infrastructure be defined for them. Then it became apparent that what
at least half the URN working group was really attempting to invent
was a better URL that would somehow guarantee resolution into the
distant future.
I think that subsequent history has pretty much vindicated Tim's
original view that none of the proposed location schemes actually
improve upon HTTP in the ways proposed. But what is being talked about
here is not a replacement for HTTP as the URN schemes were intended to
be.
As for there being an 'ietf' LRDD specification. They are not
currently a chartered IETF working group. Their documents do not point
to the existence of a mailing list or other mechanism for collecting
comment. It is not an IETF specification, it is an individual
submission.
The OpenID community has done a very impressive job of insulating
itself from the rest of the standards making world. Every time someone
has tried to interact with OpenID they have been told that decisions
have already been taken.
This might be a realistic position if OpenID was gaining ground. But
the fact is that OpenID is losing mindshare to Twitter and Facebook.
On Wed, Apr 14, 2010 at 11:08 AM, John Bradley <john.bradley at wingaa.com> wrote:
> Philip,
>
> It is fine for you to take pot shots at XRI, however those are the only people sympathetic to your position who are working on this.
>
> The decisions taken by LRDD happened outside of the XRI TC.
>
> I understand your point about DNS, however in the discussions with Sir Tim and others at the W3C using DNS for anything other than http was also a non starter. The TAG is opposed to using anything other than http URI to name things to prevent fragmentation of the namespace. It is well documented on the TAG list. LRDD is trying to follow that principle however flawed.
>
> This is not the LRDD list. So some of your comments are best put to them directly.
>
> If the W3C wants to address this they are welcome to; unfortunately most of us are excluded from the W3C process.
>
> You are welcome to ride the horse but don't expect a lot of company.
>
> The topic is the openID discovery WG charter.
>
> I am happy to include considering multiple options.
> eg using SRV records to discover the signed host-meta XRD for a DNS Authority.
> Something I personally argued for.
>
> We could consider re-using the existing OASIS spec for retrieving meta-data for an entityID, that is used in SAML, WS-Fed 1.2, and openID in Shibboleth.
>
> I am willing to consider them alongside of the IETF LRDD spec.
>
> However I am a realist. Many of the people in this openID WG participated in the IETF work.
> Competing proposals will be a hard sell. You need to realize that and contribute to the WG if you want to influence the outcome.
>
> I suspect that a snippy note from Sir Tim will have less influence on the openID membership than it did on OASIS.
> (PS David Orchard should get the credit for torpedoing XRI 2.0)
>
> Regards
> John B.
>
>
>
> On 2010-04-14, at 8:47 AM, Phillip Hallam-Baker wrote:
>
>> I would certainly not argue for DNSSEC in its current form, in fact I
>> was pointing out the serious issues with DNSSEC at RSA this year. At
>> the moment there is no protocol for getting your zone key into DNSSEC,
>> so the idea that it is imminent is rather optimistic. One way to look
>> at the situation is that the same people who proposed the failed PEM
>> PKI scheme have proposed the same architecture and got to the same
>> point they did with PEM.
>>
>>
>> XRI is the only OASIS TC to have failed to gain approval for its
>> specifications from the membership. It was rejected specifically
>> because Sir Tim Berners-Lee and the W3C TAG argued against it as an
>> unnecessary fragmentation of the naming space.
>>
>> Describing it as 'moving forward' as if it was a train that could pull
>> OpenID in its wake is optimistic in the extreme. A more realistic
>> assessment is that XRI is essentially dead for all purposes and OpenID
>> is the only remaining chance for resurrection.
>>
>> A technical proposal that ignores an existing infrastructure that is
>> open, deployed and used by every Internet user in favor of one that is
>> unproven is tilting at wind mills. I see no reason to think that XRI
>> is going to be any different to UDDI, RealNames, X.500, AOL corporate
>> names or any of the other directory schemes that have come and gone.
>> Remember the days when companies would mention their AOL keyword in
>> ads? Not seen that for a decade now. There was no shortage of people
>> running round telling me why UDDI was going to be the biggest thing
>> ever and how it was amazingly great in vague and unspecified terms.
>> UDDI had Microsoft and IBM behind it pushing it, and it still went
>> nowhere.
>>
>> I see no reason to doubt that XRI will go the same way as X.500. The
>> directory system will never actually have a funeral, but cease to be
>> an operative concept. Meanwhile some of the infrastructure originally
>> intended to support the directory (XRD) will continue on its own.
>>
>>
>> Saying that "OpenID is about identity, not trust" might be more
>> meaningful if we had solid consensus on what was meant by identity or
>> what is meant by trust.
>>
>> In my view the one key to establishing an identity scheme is to
>> develop a uniform identifier space where there is a widespread
>> consensus as to what the authoritative interpretation of a name should
>> be. There are two basic designs that can be employed for that purpose,
>> the first is to use an identifier that is indexical such that it
>> serves as a locator for at least some attributes associated with the
>> identifier. The second is to use a non-indexical identifier that does
>> not support location.
>>
>> Since one of the features we want in the OpenID scheme is that the
>> authorized subject of an identifier have the ability to authenticate
>> a claim to being the subject of the assertion, it seems that we are
>> going to be talking about an identifier that is indexical with respect
>> to authenticating the subject's claim of use. So we need a discovery
>> scheme that maps an identifier to a resource that can verify the
>> subject claim.
>>
>> I do not see the possibility of any other form of discovery being complete.
>>
>> For example, I have a private address book on my machine here that
>> makes assertions about the subject of the identifier
>> 'Michael.Jones at microsoft.com'. There is no imaginable architecture
>> (outside the NSA) that could be developed that is going to make those
>> identifiers discoverable unless I choose to make them so.
>>
>> That does not matter though, if I want my assertions to be public, I
>> am going to take some steps towards publishing them. For example, I
>> may have a blog with a comment section and I may have a section that
>> contains a comment that I purport was posted by Michael. In that case
>> I am going to gloss over some RDFa markup to that effect.
>>
>>
>> On Wed, Apr 14, 2010 at 1:48 AM, SitG Admin
>> <sysadmin at shadowsinthegarden.com> wrote:
>>>> Five years ago, the OpenID world was making a lot of arguments
>>>> premised on the need to move very quickly.
>>>
>>> I'm mindful of "OpenID is about identity, not trust", here.
>>>
>>> Perhaps the advantage is to be flexible with which trust system OpenID is
>>> attached to; rather than relying on DNS, developers who don't trust it (or
>>> the PKI in DNSSEC) can try something else instead. Kind of pessimistic to
>>> anticipate failure, that way, but I see it as them trying Webfinger now
>>> because they have the most support for it (internally), and others are free
>>> to work on their own favored trust systems. (I know XRI is moving forward;
>>> I've been looking a bit at how Tor might integrate with OpenID on the rest
>>> of the web even *without* going through XRI.)
>>>
>>> -Shade
>>>
--
--
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/