[OpenID board] Why Connect?

Tue May 25 02:22:57 UTC 2010

On 2010-05-24, at 7:01 PM, Eran Hammer-Lahav wrote:

> 
> 
>> -----Original Message-----
>> From: Dick Hardt [mailto:dick.hardt at gmail.com]
>> Sent: Monday, May 24, 2010 6:20 PM
>> To: Eran Hammer-Lahav
>> Cc: Allen Tom; David Recordon; Joseph Smarr; OpenID Board (public);
>> openid-specs at lists.openid.net
>> Subject: Re: [OpenID board] Why Connect?
>> 
>> 
>> On 2010-05-24, at 6:08 PM, Eran Hammer-Lahav wrote:
>> 
>>> The question is:
>>> 
>>> Is the OIDF interested in taking the lead in building an identity layer for
>> OAuth 2.0?
>>> 
>>> I'm willing to bet that if the answer is no, it will be the beginning of the end
>> for OpenID. OAuth 2.0 + identity will fully cover the OpenID 2.0 use cases in a
>> cleaner, more secure way.
>> 
>> OpenID Connect as currently envisioned misses many of the internet identity
>> use cases.
> 
> And covers most of the ones desired by those currently implementing OpenID. For those using OpenID 2.0 today, this proposal offers a full and significantly better replacement. This proposal is 100% market-driven, which is not something I can say about OpenID now or in the past. This proposal is driven by developers, providers, and end users.

I agree this is better than OpenID 2.0 for many use cases. I can see how it is an obvious evolution for how OAuth is used to gather identity information. I also think Connect has not holistically looked at what the broader internet identity problems are, and is painting itself into an architecture corner.

As a creator of the OAuth hammer, I can see you view this as an OAuth nail. I don't see it that way.

> 
>>> 
>>> This is very much an issue of timing. If the problem is the name, call it the
>> "OAuth Identity Framework",
>> 
>> OpenID Connect has very little to do with OpenID, and lots to do with OAuth.
>> That sounds like a better name.
> 
> True if you define OpenID as nothing but a protocol. But if that is your definition, I think OpenID best days are behind it. People don't care about protocols, they care about products. I think it would be a mistake for the OpenID foundation to let OAuth take over such a huge chunk of the current OpenID use cases.

I see OpenID as a solution for the Internet Identity Problem.  agree that many have viewed OpenID as a protocol, and one that was good enough. OpenID v.Next is queuing up to provide a holistic solution. The process for v.Next was started a couple months ago. As you know, these things take time.