[OpenID] Fwd: Excellent critique of OpenID usability

Peter Williams pwilliams at rapattoni.com
Sat Aug 18 19:29:42 UTC 2007


Should market-consumers also be given the message that their browser can also be the OP - by installing an OpenID plug-in? 

Should consumer-focused sites be encouraged to link to favored plug-in download URLs (e.g. VeriSign's site)? 

-------------

Additional non-marketing, 5-line discussion follows, with IP ramifications.

-------------

The "OP plug-in" technology is pretty hard to understand.  David's references on VeriSign's OP plug-in using metadata (like in the Atom/RSS world) took me a while to comprehend, I know.

The equivalent "PAOS" binding of the SAML WebSSO flow was easier to understand: the HTTP plug-in simply POSTs off its signed SAML Response. It helped explain Andrew's comment on OP-initiated OpenID Auth 2.0 draft 11 text.

For dev-grade plug-in doing OP-initiated Auth flows, Windows developers can exploit http://www.bayden.com/dl/TamperIESetup.exe (which also manufactured my equivalent PAOS flow). On an Ajax page-level gateway, the plug-in may just chain onto an async OpenID Auth connection the (signed) claims it receives from an upstream, proxied-OP over a second, async connection.

If I finally get David's remarks, an OpenID plug-in can exploit RDF to control interworking with a reverse OP-proxy. Just as signed FOAF files deliver WoT services to mutually-distrusting Consumers and OPs, RDF metadata can drive the reverse OP-proxying.

This would all seem to be an embodiment of the SAML world's IDP-proxying profile, in the case of a PAOS-like binding. Speaking personally, I can justify patents here - disclosing how RDF might drive OP proxying. I can also see the community calling for submissions on this topic, to standardize some more basic, unencumbered method. 
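Added example, not part of Peter Williams's message or of any OpenID or VeriSign plug-in code: the "plug-in simply POSTs off its signed response" step, written out in OpenID Auth 2.0 terms rather than SAML/PAOS. The first half is what a browser-resident OP would have to emit (an id_res positive assertion, HMAC-signed over the fields named in openid.signed with an association MAC key); the second half is the checks a Consumer (RP) has to run on that POST before trusting it: return_to, signed-field coverage, nonce freshness and replay, and a constant-time signature compare. All hostnames, the association handle and the MAC key are constructed for the demo; a real RP gets the MAC key from openid.associate, or, if it never associated with this OP, falls back to check_authentication instead.

```python
"""Browser-side OP issuing an OpenID 2.0 positive assertion, and the RP verifying it.

Added example: hostnames, handle and key below are constructed, not taken from any
deployed OP or plug-in.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"

# Constructed association MAC key (20 bytes for HMAC-SHA1). A real RP receives it
# from the openid.associate exchange; never hard-code one outside a demo.
MAC_KEY = bytes(range(20))

# Constructed demo values; every host here is hypothetical.
DEMO_OP_ENDPOINT = "https://op.example/openid"
DEMO_CLAIMED_ID = "https://alice.example/"
DEMO_RETURN_TO = "https://rp.example/openid/return"
DEMO_NOW = datetime(2007, 8, 18, 19, 29, 42, tzinfo=timezone.utc)
DEMO_NONCE = "2007-08-18T19:29:42Zq7x"  # ISO 8601 UTC timestamp + unique suffix


def kv_form(fields, signed_list):
    """Key-Value form of the listed fields, in openid.signed order, 'openid.' prefix dropped."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_list)


def compute_sig(fields, mac_key, digest=hashlib.sha1):
    """openid.sig: base64(HMAC(mac_key, kv_form(signed fields)))."""
    signed_list = fields["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(fields, signed_list).encode("utf-8"), digest).digest()
    return base64.b64encode(mac).decode("ascii")


def build_positive_assertion(op_endpoint, claimed_id, return_to, nonce, assoc_handle, mac_key):
    """What a plug-in OP would POST to return_to: an id_res message signed with the association key."""
    fields = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": assoc_handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = compute_sig(fields, mac_key)
    return fields


def encode_post_body(fields):
    """application/x-www-form-urlencoded body, as the browser would send it."""
    return urlencode(fields)


def verify_positive_assertion(post_body, mac_key, expected_return_to, seen_nonces, now, max_skew=300):
    """RP-side verification. Returns (True, claimed_id) or (False, reason)."""
    fields = dict(parse_qsl(post_body, keep_blank_values=True))
    if fields.get("openid.ns") != OPENID2_NS or fields.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    if fields.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    # Fields the spec requires to be under the signature; an attacker must not be
    # able to swap in an unsigned claimed_id or return_to.
    signed_list = fields.get("openid.signed", "").split(",")
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
    if "openid.claimed_id" in fields:
        required |= {"claimed_id", "identity"}
    if not required <= set(signed_list):
        return False, "required field not covered by signature"
    # Nonce: leading ISO 8601 UTC timestamp must be recent, and never seen before.
    nonce = fields.get("openid.response_nonce", "")
    try:
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed nonce"
    if abs((now - issued).total_seconds()) > max_skew:
        return False, "nonce outside acceptance window"
    if nonce in seen_nonces:
        return False, "replayed nonce"
    try:
        expected = compute_sig(fields, mac_key)
    except KeyError:
        return False, "signed field missing from message"
    if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
        return False, "bad signature"
    seen_nonces.add(nonce)
    return True, fields.get("openid.claimed_id", fields.get("openid.identity", ""))


if __name__ == "__main__":
    assertion = build_positive_assertion(DEMO_OP_ENDPOINT, DEMO_CLAIMED_ID, DEMO_RETURN_TO,
                                         DEMO_NONCE, "assoc-demo-1", MAC_KEY)
    body = encode_post_body(assertion)
    seen = set()
    print(verify_positive_assertion(body, MAC_KEY, DEMO_RETURN_TO, seen, DEMO_NOW))
    print(verify_positive_assertion(body, MAC_KEY, DEMO_RETURN_TO, seen, DEMO_NOW))  # replay
```

The order of checks matters less than their presence: the nonce store is what stops a captured POST being resent, the signed-field coverage check is what stops a plug-in or proxy re-labelling an assertion with a claimed_id the OP never signed, and compare_digest keeps the MAC check from leaking timing. For the reverse OP-proxy arrangement in the message, the same verification would run once per hop, with each hop's own association key.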
