[OpenID] Fwd: Excellent critique of OpenID usability
Peter Williams
pwilliams at rapattoni.com
Sat Aug 18 19:29:42 UTC 2007
Should market-consumers also be given the message that their browser can also be the OP, by installing an OpenID plug-in?
Should consumer-focused sites be encouraged to link to favored plug-in download URLs (e.g. VeriSign's site)?
-------------
Additional non-marketing, 5-line discussion follows, with IP ramifications.
-------------
The "OP plug-in" technology is pretty hard to understand. David's references on VeriSign's OP plug-in using metadata (like in the Atom/RSS world) took me a while to comprehend, I know.
The equivalent "PAOS" binding of the SAML WebSSO flow was easier to understand: the HTTP plug-in simply POSTs off its signed SAML Response. It helped explain Andrew's comment on the OP-initiated OpenID Auth 2.0 draft 11 text.
For a dev-grade plug-in doing OP-initiated Auth flows, Windows developers can exploit http://www.bayden.com/dl/TamperIESetup.exe (which also manufactured my equivalent PAOS flow). On an Ajax page-level gateway, the plug-in may just chain the (signed) claims it receives from an upstream, proxied OP over a second, async connection onto an async OpenID Auth connection.
If I finally get David's remarks, an OpenID plug-in can exploit RDF to control interworking with a reverse OP-proxy. Just as signed FOAF files deliver WoT services to mutually-distrusting Consumers and OPs, RDF metadata can drive the reverse OP-proxying.
This would all seem to be an embodiment of the SAML world's IDP-proxying profile, in the case of a PAOS-like binding. Speaking personally, I can justify patents here - disclosing how RDF might drive OP proxying. I can also see the community calling for submissions on this topic, to standardize some more basic, unencumbered method.
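The message above sketches a browser-resident OP plug-in that POSTs signed claims straight to the Consumer. The following is an added example, not code from Peter's message, from VeriSign's plug-in, or from the Bayden tool; it shows what such a posted OpenID Auth 2.0 positive assertion (mode id_res) looks like and the checks the Consumer (RP) has to run on it before trusting the claimed identifier. The signature follows the spec's HMAC-SHA256 over the Key-Value form of the fields named in openid.signed. The association handle and MAC key are constructed values for this example; in practice they come from an association exchange between RP and OP.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed for this example: the MAC key an RP and OP share after an
# association (OpenID Auth 2.0, section 8). Hypothetical value, not a real key.
ASSOC_HANDLE = "example-assoc-1"
MAC_KEY = bytes.fromhex("7f3a" * 16)

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields an RP must insist on finding in openid.signed (section 10.1).
MUST_BE_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def kv_form(fields, signed_keys):
    """Key-Value form of the signed fields (sections 4.1.1 and 6.1): one
    'key:value\\n' line per key, in openid.signed order, 'openid.' prefix stripped."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys)


def compute_sig(fields, signed_keys, mac_key):
    """openid.sig = base64(HMAC-SHA256(mac_key, kv_form)) for an HMAC-SHA256 association."""
    mac = hmac.new(mac_key, kv_form(fields, signed_keys).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def plugin_positive_assertion(claimed_id, return_to, op_endpoint, mac_key, nonce=None):
    """The id_res message a browser-resident OP plug-in would POST to the Consumer."""
    if nonce is None:
        # Spec nonce format: UTC timestamp followed by unique ASCII characters.
        nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(8)
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": ASSOC_HANDLE,
    }
    signed_keys = ["op_endpoint", "claimed_id", "identity",
                   "return_to", "response_nonce", "assoc_handle"]
    fields["openid.signed"] = ",".join(signed_keys)
    fields["openid.sig"] = compute_sig(fields, signed_keys, mac_key)
    return fields


def rp_verify(fields, mac_key, expected_return_to, seen_nonces):
    """Consumer-side checks on a posted assertion. Returns (ok, reason)."""
    if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    signed_keys = fields.get("openid.signed", "").split(",")
    missing = MUST_BE_SIGNED - set(signed_keys)
    if missing:
        return False, f"required fields not covered by signature: {sorted(missing)}"
    # An identifier the plug-in asserts is worthless unless it is under the MAC.
    for k in ("claimed_id", "identity"):
        if "openid." + k in fields and k not in signed_keys:
            return False, f"{k} present but unsigned"
    if any("openid." + k not in fields for k in signed_keys):
        return False, "openid.signed names a field that is absent"
    if fields.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False, "unknown association handle"
    if fields["openid.return_to"] != expected_return_to:
        return False, "return_to does not match the URL this message arrived at"
    nonce = fields["openid.response_nonce"]
    if nonce in seen_nonces:
        return False, "replayed response_nonce"
    expected = compute_sig(fields, signed_keys, mac_key)
    if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
        return False, "bad signature"
    seen_nonces.add(nonce)  # remember a nonce only once the message fully verified
    return True, "ok"


if __name__ == "__main__":
    seen = set()
    msg = plugin_positive_assertion("https://alice.example/", "https://rp.example/finish",
                                    "https://op.example/endpoint", MAC_KEY)
    print(rp_verify(msg, MAC_KEY, "https://rp.example/finish", seen))
    tampered = dict(msg)
    tampered["openid.claimed_id"] = "https://mallory.example/"
    print(rp_verify(tampered, MAC_KEY, "https://rp.example/finish", seen))
```

The point for a plug-in-as-OP design is that the Consumer's trust rests entirely on the association key and on which fields openid.signed covers; a plug-in that signs only some fields, reuses a nonce, or posts to a return_to the RP did not issue should be rejected just like a hostile remote OP would be.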