[OpenID] Is Ignoring Attribute Exchange a strategic error?

Recordon, David drecordon at verisign.com
Thu Jan 18 22:32:13 UTC 2007

I don't see why the specs@ list can't be used to discuss AX, the volume
has been low for a few weeks now anyway. :)


-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Dick Hardt
Sent: Thursday, January 18, 2007 2:14 PM
To: Scott Kveton
Cc: openid-general
Subject: Re: [OpenID] Is Ignoring Attribute Exchange a strategic error?

On 18-Jan-07, at 11:12 AM, Scott Kveton wrote:
>> AX is why Sxip joined OpenID. SSO is nice for sites, but what we have

>> found they really want, and should be clear to the OpenID community 
>> since SREG was created, is moving identity attributes.
> I just want to be clear here as I have been in face-to-face meetings 
> with folks and I'll say it here on the list; JanRain is totally behind

> attribute exchange and will support it in our libraries and within the

> community.  Its going to be critical to the long-term success of 
> OpenID.

Good to hear you are still behind AX. You had me worried there for a

> My point from the previous email was that if we don't have a 
> ubiquitous authentication mechanism, then anything else that follows 
> it is moot.

I completely agree, although I view Authentication as just another type
of attribute exchange, but I digress.

>> OpenID does NOT solve phishing, in fact if the OP is not implemented
>> well, it can make phishing easier as pointed out in Kim Cameron's
>> blog [2].
> Hopefully some of the recent discussions we've been having with  
> Mozilla and
> Microsoft can help change that.

Let me clarify my statement:

OpenID Authentication 2.0 does NOT solve phishing, and is solving it  
is out of scope.

Although I lobbied for it, there is no explicit support for client  
side support of OpenID Authentication 2.0.

This may be just as well, as there can be a separate specification on  
this, and the thinking from various parties has advanced as of late.


I do agree that as a community we need to focus on adoption of OpenID  
Authentication 2.0, (which should be done with the latest draft) --  
but I think many people are looking for AX, and we should get that  
out there quickly as well.

As for other specifications, my experience in the Perl community was  
things really blossomed when innovation was not constrained to the  
"core" . I would like to encourage people to draft and discuss  
extensions to OpenID. I think this is working really well for Firefox  
with addons.

As much as I cringe at suggesting this, perhaps starting a new list  
for those interesting in working on and participating with extensions  
be created so that  work on Authentication, AX and phishing can be  
focussed? Any other suggestions on keeping focus while allowing  

-- Dick

general mailing list
general at openid.net

More information about the general mailing list