[OpenID] Where's the added value?

Peter Williams pwilliams at rapattoni.com
Thu Aug 30 03:05:32 UTC 2007


> they actually limit the scope of
> addressable problems, by e.g. requiring to run in an auditing-mode like
> fashion.

[Peter Williams] infocards are selected by the host/browser. By
definition, one has lots of cards, with a variety of privacy-enhancing
properties. Selecting a card provider in the first place means the buyer
evaluating such properties. If all OpenID providers disclose the
mandatory auditing, so be it.



> At the same time, they also offer no significant new feature
> for the OpenID system beyond what PAPE does.

[Peter Williams] I did the equivalent of PAPE in the SAML2 world by
using virtual entityID. Depending how a real entity announced itself, it
could modulate the SAML Request.

If there was ever a SAML1/SAML2 PROTOCOL integration with Cardspace,
would I expect that PAPE/virtualID to influence the cardspace UI? No. I
don't expect the cardspace UI to respond to PAPE. I expect it to respond
to metadata in the cards, that the user selects.

For me, cardspace has only ever been mostly about the assurance of
trusted path - when presenting UI, and relaying messages over two
back/back web sessions that are commonly subject to a variety of MITM
attacks that provide the very opportunity for phishing.


> And finally - unless there is a switch or UI element in the Windows
> CardSpace client I have not seen yet - they do "trick" users into
> believing that their IdP cannot trace their steps, while it can. This
> way they have the potential of also damaging the reputation of the
> InfoCard system and - by uneducated public extension - user centric
> identity and IdM in general.

[Peter Williams] If this is true, it is a failing of Microsoft's design
work. 

Hmm. Cardspace is pretty new, and untested by fire. Perhaps I should
wait a year or two, till it's been hacked a few times. Microsoft can
take the reputation hit, meantime.

> 
> Since we are trying to appeal to a very broad range of people that do
> not necessarily have the background we have, we must make sure to only
> send out very clear messages.

[Peter Williams] We are already here. We are slow. We are from the
bottom half of the class. We are used to tech-spin. We have all paid
$400 a year to VeriSign for 10 years, without really knowing why. It was
just cheaper to pay than get a clear answer to the question!



> >> IF (and only if) there are tangible benefits in supporting another
> >> token (such as e.g. SAML 2.0 - I am just teasing ;-)) it would make
> >> economic sense. Microsoft might also have other motivations to
> >> support other self-signed token formats - again, I cannot speak for
> >> them.
> >
> > If there aren't actual restrictions, then I imagine I could write my
> > own identity selector that would issue a different type of tokens for
> > self-issued cards, without violating the spec.
> Assuming that there are no IPR or other issues, that is my understanding
> as far as the current spec goes. How useful such a selector in the wild
> would be, remains everybody's guess.

[Peter Williams] I'd like someone to write an unmanaged-card-issued token
that is just an un-signed X.509 cert, stuffing claims in v4 extensions.
Let it be bearer authenticated, over SSL.

> 
> >> Also, it seems important to me to not create solutions for their own
> >> sake, but instead have customers or the market drive most
> >> interoperability solutions.

[Peter Williams] The US market price for SP-spokes is still too high.
It's come down from 24k pa per connection to about 10k in 9 months tho.
It's heading the right direction. If OpenID can alter that dynamic to
totally remove SP connection-based licensing (in favor of paying for
semi-mandatory support contracts valued at $10+k) this will be a good
move.



> >> Another important design principle should
> >> be simplicity - and that covers deployment, as well as architecture.

[Peter Williams] The proposed protocol integration is complex. It's
undeniable. But I learned from just analyzing it. So, I'm intrigued in
the designers, and what breakthroughs they might bring. Having the
entire src in MONO VM & .NET framework etc is interesting too.

 
> > How could the market compare and choose what works better in each
> > case, if there were no diversity and alternatives?

> Diversity is great, only I too have to report back and justify our work
> to our shareholders. I guess what I am trying to communicate is that I
> could not justify working on an OpenID Infocard token.

[Peter Williams] It's too early to make that judgement. It's only been 2
days. Let's see the conference circuit beat the issue a bit. Conferring
is what they are for!
