[OpenID board] Why Connect?

Chris Messina chris.messina at gmail.com
Tue May 25 03:09:14 UTC 2010


On Mon, May 24, 2010 at 7:11 PM, Eran Hammer-Lahav <eran at hueniverse.com> wrote:

>
>
> > -----Original Message-----
> > From: openid-specs-bounces at lists.openid.net [mailto:openid-specs-
> > bounces at lists.openid.net] On Behalf Of Dick Hardt
> > Sent: Monday, May 24, 2010 6:29 PM
>
> > Connect is Discovery + OAuth 2.0 + a standard identity API.
> > ...
>
> Labelling this as OpenID seems to be hijacking the OpenID brand.
>
> And this is where you got it all wrong! Labeling this as OpenID is giving
> the OpenID brand one last chance to offer something useful and meaningful
> that developers actually use.
>
> Calling it OAuth Connect would result in hijacking the community. I'm
> clearly willing to do that (though my presence here should indicate my
> interest in saving the OpenID brand). The question is, is this something the
> OpenID community and board wants to risk?
>

Since I came up with the "OpenID Connect" terminology, I think I have some
say in what I intended by it!

First, Dick is essentially correct when he describes OpenID Connect as
"Discovery + OAuth 2.0 + a standard identity API". However, I would layer in the
ability to use OAuth tokens to achieve deeper integrations in ways that are
currently undefined... something that OpenID 2.0 doesn't easily provide
for.

Second — and I've said this for a long time — OpenID is less about any
particular technological solution and more about providing pragmatic
solutions that move the industry forward, and create opportunities to
leverage cross-site identity and profile. This is a piece of what OpenID
originally set out to achieve and should be retained in subsequent
iterations. I didn't call OpenID Connect OpenID 3.0 because I don't know
that it SHOULD be v3.0 — as in the next version of the protocol — but I do
know that there's a market demand for a fairly straight-forward protocol
that makes incremental improvements over today's status quo.

Third, v.Next may take years to evolve and develop. Or it may take months.
No one really knows — and the outcome will be contingent upon the leader of
v.Next driving forward both implementations and consensus (no easy task!).
In the meantime, proprietary solutions are leading the industry —
marginalizing OpenID's place in the conversation. Comparing the traffic
between OpenID and "Facebook Connect" — the latter has gained considerable
ground in a short amount of time, and that's only likely to increase if we
don't continually improve our "product":

http://google.com/trends?q=openid%2C+%22facebook+connect%22&ctab=0&geo=all&date=all&sort=1

Fourth, on that point — the needs for the consumer web (of today) seem
somewhat at odds with what appears to me to be the needs of the enterprise
web. I am not entirely clear which needs are driving the scope of inquiry
for v.Next, but it seems like the latter. If that is the case, I worry that
v.Next will result in a product that is not palatable for the consumer web
marketplace, and given how much momentum there is there, OpenID will lose
any ground it has whatsoever in the common story about internet identity.

<rant>

Finally, some personal context.

I recall that there was a moment when I was about to get my hands dirty in
the OpenID community, despite the crazy community politics. This was
probably in late 2006. I was pushing hard to make the OpenID brand mean
something — and to turn it into a consumer brand that people might someday
recognize when traversing the web. There seemed to be little interest in
this idea, and so I decided to do my own advocacy outside the community. As
a result of that work, it became clear to me that OpenID 2.0 only solved
half the problem — that is, sign in within the browser; it failed to address
the API or client cases.

Once this realization took hold — and became a primary obstacle in the way
of getting Ma.gnolia and Twitter to adopt OpenID — a small number of folks
decided to get together to create a solution for this problem — borrowing
from existing implementations that we found in the wild. This was the start
of the OpenAuth project:

http://groups.google.com/group/openauth/browse_thread/thread/dff591a279522d06

At the time, I decided firmly to NOT deal with identity, since that was what
OpenID was for, and I presumed that the OpenID community would continue to
mature on its own while our little break-off group went and created what you
now call "OAuth".

I also specifically didn't want to bring OAuth to OpenID because it struck
me as dysfunctional and not outcome-orientated.

Once OAuth 1.0 was out, I decided that it was time to return to the OpenID
community [1] and continue pushing forward, since now I could "sell" OpenID
to the likes of Twitter and Ma.gnolia [2]. Except in the meantime, OAuth had
become this really great solution to the problem of data access which
indirectly (even accidentally!) solved the pertinent identity problem for
people since the first payload that was usually delivered over OAuth
included various profile attributes.

Fast forward another year or so and we have OAuth 2.0, some solid advances
on a discovery protocol, and yet little improvement in the foundational
OpenID technology. I feel like history is repeating. I want OpenID Connect
to be a technology that is produced within the OpenID WG process — and I
want the OIDF to have a market-driven product to sell! I really don't want
to have to wait another year or two to get to v.Next while the world
continues to move away from us! As a long time advocate of OpenID and as an
independent community-elected board member, we can't keep letting these
opportunities pass us by, or let them get mired in process and bureaucracy.

With David's proposal — the OIDF should have embraced this offering as a
model for other people — to write something coherent that addresses a need,
that can then be taken through the WG process to iron out any security
issues or obvious omissions... and turned into a spec quickly, painlessly...
and in a way that develops a host of complementary solutions to the many,
many internet identity problems that are vexing the industry.

Instead it seems like we're trying to solve every identity problem with
v.Next (or at least explore all those that are known) and I'm extremely
worried that by the time we come up with something that "everyone" agrees
on, the world will indeed have moved on. I'm of course willing to be
reasoned with on my impressions, but this is why I think OpenID Connect — as
its own individual WG — is actually a very good thing for the OIDF — and its
future.

</rant>

This is already in TL;DR territory, so I'll just quit my ranting there.

Chris

[1]
http://factoryjoe.com/blog/2008/12/05/announcing-my-candidacy-for-the-board-of-the-openid-foundation/
[2]
http://factoryjoe.com/blog/2007/12/06/oauth-10-openid-20-and-up-next-diso/

-- 
Chris Messina
Open Web Advocate, Google

Personal: http://factoryjoe.com
Follow me on Buzz: http://buzz.google.com/chrismessina
...or Twitter: http://twitter.com/chrismessina

This email is:   [ ] shareable    [X] ask first   [ ] private