[OpenID] Is Ignoring Attribute Exchange a strategic error?

Dick Hardt dick at sxip.com
Thu Jan 18 22:13:32 UTC 2007

On 18-Jan-07, at 11:12 AM, Scott Kveton wrote:
>> AX is why Sxip joined OpenID. SSO is nice for sites, but what we have
>> found they really want, and should be clear to the OpenID community
>> since SREG was created, is moving identity attributes.
> I just want to be clear here as I have been in face-to-face  
> meetings with
> folks and I'll say it here on the list; JanRain is totally behind  
> attribute
> exchange and will support it in our libraries and within the  
> community.  Its
> going to be critical to the long-term success of OpenID.

Good to hear you are still behind AX. You had me worried there for a  

> My point from the previous email was that if we don't have a  
> ubiquitous
> authentication mechanism, then anything else that follows it is moot.

I completely agree, although I view Authentication as just another  
type of attribute exchange, but I digress.

>> OpenID does NOT solve phishing, in fact if the OP is not implemented
>> well, it can make phishing easier as pointed out in Kim Cameron's
>> blog [2].
> Hopefully some of the recent discussions we've been having with  
> Mozilla and
> Microsoft can help change that.

Let me clarify my statement:

OpenID Authentication 2.0 does NOT solve phishing, and is solving it  
is out of scope.

Although I lobbied for it, there is no explicit support for client  
side support of OpenID Authentication 2.0.

This may be just as well, as there can be a separate specification on  
this, and the thinking from various parties has advanced as of late.


I do agree that as a community we need to focus on adoption of OpenID  
Authentication 2.0, (which should be done with the latest draft) --  
but I think many people are looking for AX, and we should get that  
out there quickly as well.

As for other specifications, my experience in the Perl community was  
things really blossomed when innovation was not constrained to the  
"core" . I would like to encourage people to draft and discuss  
extensions to OpenID. I think this is working really well for Firefox  
with addons.

As much as I cringe at suggesting this, perhaps starting a new list  
for those interesting in working on and participating with extensions  
be created so that  work on Authentication, AX and phishing can be  
focussed? Any other suggestions on keeping focus while allowing  

-- Dick


More information about the general mailing list