XAuth critiques

John Panzer jpanzer at google.com
Tue Jun 8 08:19:21 UTC 2010


On Mon, Jun 7, 2010 at 9:19 PM, Phillip Hallam-Baker <hallam at gmail.com> wrote:

> As often happens in these debates, we have a proposal that has an
> acknowledged issue that we are being told isn't an issue because the
> developers don't see it as an issue.
>
>
Actually, what's happening is that people are re-raising objections that
were discussed back in April and ignoring the answers that were given then.
It's fine to disagree with the answers, but it's polite to acknowledge that
answers have been given and, ideally, attempt to refute them instead of
pretending the answers don't exist.


> I really take offense when I raise an issue and someone says 'that
> does not matter to anyone' or 'that issue has been dealt with'. The
> one issue that I have never found it difficult to get the industry to
> agree on is the necessity of ensuring that no party gains a
> proprietary leverage in a communication protocol.
>

Please read the blog posts.  It's very difficult to even discover what
different people consider to be "the problem".  Shouting "privacy!" doesn't
actually move the discussion forward.


>
>
> I don't see how the promise that the issue will be fixed in future
> changes anything. Either the centralization is easy to eliminate from
> the protocol or it isn't. And if it is easy to eliminate then why
> introduce it in the first place?
>

Please read the blog posts; I think I've explained the reasoning in fair
detail.  It is easy to eliminate once you convince browser vendors to do so;
a world where XAuth is already widely deployed is much more conducive to
doing this than one where it is not.


>
> The starting point for identity in my view is that I have to entirely
> own my name. There cannot be any entity that can use the investment I
> make in my name to extract rent at a future date. No corporation, no
> not-for-profit, no non-profit, no industry group. Nothing.
>

Then you are going to be running your own IdP, and you need not opt in to
XAuth.  Problem solved.


> The reason I tolerate DNS is that the operation of the DNS does not
> depend on a single entity regardless of what ICANN might try to get
> you to believe because ICANN does not have control over the country
> code domains. Some of the country code domains still refuse to pay the
> scutage demanded by ICANN for inclusion in the root.
>
> ICANN is tolerable because the various components are sufficiently
> independent and sufficiently loosely bound that if push comes to shove
> and ICANN was to attempt to defect, the entire stack of cards would
> collapse. The root would fracture. That is not a property that any of
> the proposed alternatives have.
>
>
> The names that the users want to use are username at domain.name
>
> There is no need for any discovery infrastructure other than the DNS
> to resolve such names and no application discovery infrastructure
> offers the same technical capabilities such as failover through SRV
> records as the DNS does.
>
> But we keep coming back to this model because driving traffic through
> a central node creates business models for the party controlling that
> node that the VC community thinks they understand.
>

Since there is ~no traffic going through xauth.org in any of the
implementations, I'm not clear how this is relevant.