The problem with OpenID (TAKE 2)

SitG Admin sysadmin at shadowsinthegarden.com
Mon May 17 19:52:46 UTC 2010


>I'm unable to parse this statement.

As noted in the OpenID Connect intro, define "identity" so that 
everyone can agree on the same definition. Until then, expect to 
misunderstand unless you are prepared to interpret loosely - i.e., 
anticipate that you will be seeing different uses of the term and 
DEAL with it by actively looking for what makes more sense whenever 
it doesn't make perfect sense already.

>As with many other aspects of OpenID it appears that supposition
>substitutes for fact. Oh let's casually mention some difficult problems
>/ controversial solutions and hope that those discourage argument. I
>am sorry, but for me, merely invoking the Trusted Computing Group is
>not an argument.

Tough then, because it wasn't MEANT to be. I assume the intelligence 
of the people on this list to be such that, if I merely *refer to* a 
given area, they can remember (or research) the area in question, 
bringing in the surrounding arguments as additional matters of 
consideration. Oh, sure, I *could* spend a lot more time explicating 
everything in all its exhaustive detail, but since that would mean 
insulting their intelligence and catering to the lowest denominator, 
I prefer to elaborate as called upon to do so.

If you want to have a serious discussion, ask me a question, don't 
just try to establish strawmen (of the debate variety). If you want 
to see the worst in OpenID, which your attitude reveals an 
inclination to do, you will continue to perceive (the "appearances" 
of) supposition substituting for fact, and any other uncharitable 
interpretation your mind can come up with. If you continue to do so, 
I'll respond exactly as I have in the past when such individuals 
intrude upon constructive situations: flip them the bird and walk 
away.

>For the purposes of OpenID there are two points at which we might use
>PKI as an authentication technology, if we have fred at example.com we
>can assign a public key to Fred or we can assign the key to the domain

The first is beyond our means to have all current users adopt. Also, 
my understanding of Santosh's proposal was that asymmetric crypto be 
*mandated* by the OpenID spec; at that point, it would no longer be 
an optional feature of some OP's. Furthermore, the assertion would 
still be signed by the *OP*, which doesn't provide identity (as I 
define it), because OpenID hasn't provided that in the first place 
(it only provides a method of *trust* for the OP, and RP's must 
assume "identity" associated with a URI).

-Shade

