Anyone seen xauth.org?

Chris Messina chris.messina at gmail.com
Tue Apr 20 06:22:28 UTC 2010


On Mon, Apr 19, 2010 at 8:38 PM, Nate Klingenstein <ndk at internet2.edu> wrote:

>
> This service, again, does many things we're uncomfortable with: stores
> active user sessions at third parties, stores trust lists on behalf of third
> parties, tightly couples a specific discovery service to the rest of the
> federated identity infrastructure, and contingent on other checks, it could
> present its users' bearer tokens/sessions, if those are represented by
> extenders' XAuth tokens.
>
> As I mentioned earlier, I can think of ways I could leverage XAuth to avoid
> some of those drawbacks, but not others.  I'm not against trusted services:
> they're important and necessary for infrastructure.  I'm not suggesting any
> of those attacks is probable.  But it means xauth.org would have to be an
> immensely trusted and well-governed service, and federated identity
> infrastructure would be much more centralized than it is today.
>
> So, having it randomly pop up from Meebo based on a bunch of ideas floated
> by Google with absolutely no information about governance, ownership,
> security measures, etc. gives me the willies.  Address some of those things,
> confirm that the appropriation I described earlier is okay, and I'll feel a
> little better, maybe even like this could be useful.
>
> The place to address these issues is on the XAuth list:

http://groups.google.com/group/xauth

The issues you raise are all the right ones, and the answers are not well
formulated yet.

That said, Meebo demonstrated a very strong desire to be able to move "at a
startup's pace" and really just get something out to demonstrate a concept
in practice (to a new audience, I suppose!) and then iterate from here.

Less than perfect, yes, but ideal for making progress and forcing these
conversations into concrete outcomes.

Chris

-- 
Chris Messina
Open Web Advocate, Google

Personal: http://factoryjoe.com
Follow me on Buzz: http://buzz.google.com/chrismessina
...or Twitter: http://twitter.com/chrismessina

This email is:   [ ] shareable    [X] ask first   [ ] private