+1 to what ChrisM said, esp. where it resonates with the below.<br><br>Sharing from the narrow vista of a "potential RP", orthogonal to the arguments made on this thread, but possibly quite relevant:<br><ol><li>We wish there were one well-supported, open, widely used standard, with strong open-sourced libraries, for our www+mobile authentication & authorization needs. We want to focus on our core competence and treat auth as a black box that just works, as much as possible. We don't really care who "owns" the identities; we certainly don't want to (which is different from my personal belief that it's users who should own their identities).<br>
</li><li>We love that Facebook has gone OAUTH with "everyone else", because it's brought our world closer to #1.<br></li><li>We really like RPXNOW (it's got its share of issues), because it's brought our world closer to #1.</li>
<li>We had this fuzzy notion that OpenID might eventually become said holy grail, or be the force behind it, but on closer observation it's looking less likely to get there in any timeframe we care about.<br></li></ol>
If the implications of the above go against anyone's stance, it is not intended.<br><br>Regards,<br>--<br>Christopher T. Nguyen<br>E: <a href="mailto:ctn@actgent.us">ctn@actgent.us</a><br>W: <a href="http://rec.mn">http://rec.mn</a><br>
P: <a href="http://profiles.google.com/cactgent">http://profiles.google.com/cactgent</a><br>
<br><br><div class="gmail_quote">On Sat, Jun 5, 2010 at 10:47 AM, Chris Messina <span dir="ltr"><<a href="mailto:chris.messina@gmail.com">chris.messina@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">On Sat, Jun 5, 2010 at 7:35 AM, Dick Hardt <span dir="ltr"><<a href="mailto:dick.hardt@gmail.com" target="_blank">dick.hardt@gmail.com</a>></span> wrote:<br></div><div class="gmail_quote"><div class="im">
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br>
OAuth 2.0 does NOT solve the problems that OpenID was trying to solve. It is NOT a distributed identity system. If you can make discovery work for OAuth, then you can make it work for OpenID. OAuth implementations today do NOT have discovery.<font color="#888888"><br>
</font></blockquote><div><br></div></div><div>Perhaps standards groups like the OpenID Foundation operate in a slightly different marketplace-twilight zone, but I'm curious how we define our customers and how that definition should or shouldn't affect the work that gets done.</div>
<div><br></div><div>For example, Luke representing Facebook is saying that there's not been sufficient adoption of OpenID over the past several years, and for the use cases that I've cared most about, I would agree with that assessment. It is not the case that OpenID hasn't been adopted but that OpenID simply isn't the only game in town anymore, and that the market demand in the consumer space was unearthed and capitalized on by the likes of Facebook and Twitter, and NOT the many other OpenID providers.</div>
<div><br></div><div>Facebook is saying that they want to work through the OpenID Foundation to help develop a technology solution that is more like what the market has already adopted but that adds in discovery to aid in decentralizing identity, at least in a very primitive way (hence the Connect proposal).</div>
<div><br></div><div>Dick, you seem to be saying that OAuth is not a distributed identity system, but that if discovery were defined for it (along with auto-registration of clients), then it would be useful as a distributed identity technology. Am I getting that right?</div>
<div><br></div><div>I think the divide here comes down to whether the OIDF should be focused on what the market demands and is willing to adopt *today*, or instead on the set of technologies that may enable distributed identity solutions *tomorrow*.</div>
<div><br></div><div>My fear which has been consistent is that if we don't respond to the market's desires today (represented by Facebook, Yahoo, and other's comments) then we won't be part of the conversation when potential adopters are looking for better solutions tomorrow.</div>
<div><br></div><div>So, if we spin out the Connect proposal or cause it so much friction that it can't effectively proceed here then by the time the ill-named v.Next proposal is completed (with all of the "necessary" use cases addressed), the world may have moved on, and the Foundation proven irrelevant. I don't see it as an all-or-nothing situation, but as others have said, there will be an identity piece baked into OAuth sooner than later, and if that work doesn't happen within the OIDF, we're going to be pitching a product that no one has really said that they want, or are currently signing up to implement, based on the lack of clarity in the description of v.Next today, whereas there are already working prototypes of the Connect proposal in the wild.</div>
<div> </div><div>There needs to be a bridge between OpenID 2.0 which is a perfectly fine solution for many use cases today and the next iterations of OpenID 2.x and beyond. </div><div><br></div><div>Chris</div><div><div>
</div><div class="h5"><div> </div>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><font color="#888888">
-- Dick<br>
</font><div><div></div><div><br>
On 2010-06-04, at 11:14 PM, Luke Shepard wrote:<br>
<br>
> We have complained for years in the OpenID community that we don't see enough adoption. That we don't have a great mobile story. That the spec is too complicated. That relying parties can't get the attributes they want. The fact is that most of the major identity providers have adopted or are planning to adopt OAuth 2.0 largely because it solves many of those problems.<br>
><br>
> I believe in OpenID. I believe in the concept of a decentralized identity. I think the OpenID Foundation, by bringing together myriad companies and individuals, is in a unique position to really help bring cohesive, standardized technology - but only if it responds to the realities of the marketplace.<br>
><br>
> My main goal is to see the next generation of identity technology built. A secondary goal is that it is built within the OpenID Foundation. I don't know what the technology will look like exactly - both Nat's and David's proposals have merit. I think the best way to figure out the tech is to implement it, experiment, and try it out in production. I think the wrong way to make it happen is to bicker over the exact wording of the working group before it's even started.<br>
><br>
> As Allen said, this work will happen - must happen. The main question to the OpenID Foundation is whether it wants to encourage innovation or drift into irrelevance.<br>
><br>
> On Jun 4, 2010, at 10:08 PM, Dick Hardt wrote:<br>
><br>
>> Hi Allen<br>
>><br>
>> Thanks for the response. My point in this email is that at the end of the meeting, it was agreed that Connect was not going to be done in the OIDF, which means the WG proposal would be withdrawn. With you and David agreeing on the specs council call that Connect should be a WG, that goes counter to what we had concluded at the meeting.<br>
>><br>
>> Note that I was not the one to suggest that Connect was not going to be in the OIDF, but since that was what everyone had agreed to, there was no point in talking about how it would be done in the OIDF.<br>
>><br>
>> -- Dick<br>
>><br>
>><br>
>> On 2010-06-04, at 8:58 PM, Allen Tom wrote:<br>
>><br>
>>><br>
>>> Hi Dick,<br>
>>><br>
>>> Although I might not have expressed this as strongly as I should have last Friday, I believe that we should be working on an identity layer for OAuth2 within the OIDF.<br>
>>><br>
>>> Yahoo will definitely be implementing this, and I would expect that all other OAuth SPs to do the same. It would definitely simplify things if we could have a single standard interface that can do everything that OpenID 2.0 +AX+Hybrid can do today, and also be extensible to be used for future services and even for OP specific proprietary APIs as well.<br>
>>><br>
>>> I expect that an OAuth based identity layer would be widely implemented and far more widely used than OpenID, making OpenID largely irrelevant. Therefore, I think it's in the OIDFs best interest to back this imitative.<br>
>>><br>
>>> However, on Friday, I did get the impression that there is not sufficent consensus to move forward. If that's still the case, then there's no point forcing the issue. The work is going to get done either way.<br>
>>><br>
>>> Hope that clarifies things<br>
>>> Allen<br>
>>><br>
>>><br>
>>> On Jun 4, 2010, at 7:24 PM, Dick Hardt <<a href="mailto:dick.hardt@gmail.com" target="_blank">dick.hardt@gmail.com</a>> wrote:<br>
>>><br>
>>>> David, Chris, Joseph, Allen<br>
>>>><br>
>>>> When we met last Friday to discuss how Connect and v.Next would work together, the four of you had agreed that it would be best doing the Connect work outside the OIDF. I had come to the meeting to talk about how we would merge or align the efforts, but since there was consensus to do it outside, we did not discuss.<br>
>>>><br>
>>>> From actions I have seen today, it seems that there has been a change since then and that you are planning on working on Connect per the original charter. As emailed separately, I have concerns with the charter as drafted.<br>
>>>><br>
>>>> I am very disappointed that I learn about your change in mind by seeing postings on public mailing lists.<br>
>>>><br>
>>>> WTF?<br>
>>>><br>
>>>> -- Dick<br>
>><br>
>> _______________________________________________<br>
>> board mailing list<br>
>> <a href="mailto:board@lists.openid.net" target="_blank">board@lists.openid.net</a><br>
>> <a href="http://lists.openid.net/mailman/listinfo/openid-board" target="_blank">http://lists.openid.net/mailman/listinfo/openid-board</a><br>
><br>
><br>
> _______________________________________________<br>
> board mailing list<br>
> <a href="mailto:board@lists.openid.net" target="_blank">board@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-board" target="_blank">http://lists.openid.net/mailman/listinfo/openid-board</a><br>
<br>
_______________________________________________<br>
board mailing list<br>
<a href="mailto:board@lists.openid.net" target="_blank">board@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-board" target="_blank">http://lists.openid.net/mailman/listinfo/openid-board</a><br>
</div></div></blockquote></div></div></div><br><br clear="all"><br>-- <br>Chris Messina<br>Open Web Advocate, Google<br><br>Personal: <a href="http://factoryjoe.com" target="_blank">http://factoryjoe.com</a><br>Follow me on Buzz: <a href="http://buzz.google.com/chrismessina" target="_blank">http://buzz.google.com/chrismessina</a> <br>
...or Twitter: <a href="http://twitter.com/chrismessina" target="_blank">http://twitter.com/chrismessina</a> <br><br>This email is: [ ] shareable [X] ask first [ ] private<br>
<br>_______________________________________________<br>
board mailing list<br>
<a href="mailto:board@lists.openid.net">board@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-board" target="_blank">http://lists.openid.net/mailman/listinfo/openid-board</a><br>
<br></blockquote></div><br>