[OpenID] Rule of thumb

Peter Williams pwilliams at rapattoni.com
Sat Jul 14 22:22:28 UTC 2007


Well, we are going to differ only on a minor point: that policy statements (or models thereof) and federation agreements (or models thereof) are part of (or will be soon a part of) open source movements. Does anyone doubt that creative-commons, or the GPL are - for their part - intrinsic components of the Open Source movement? Isn't GPL3 right now a major publicity story!? given Novell's and Microsoft's recent moves? Federation and CPSs - as are relying party agreements (RPAs) are only refined legal agreements, addressing licensing of IP in trust system design. These areas of legal work relate only to trust systems design work (webSSO, cert servers, secure email, PGP, etc), admittedly, not the whole range of topics addressed by the Open Source movement.
 
If I think out loud about the trust area, the VeryThing that VeriSign taught the world (leveraging the 15 years worth of earlier work that Michael Baum brought to VeriSign, and that which VeriSign's TTP services marketing savvy then gave to the Internet community) in trust systems was that the legal and technical worlds have to be aligned - to achieve the B2C rocket's liftoff. The B2C rocket is a MUCH MUCH MUCH harder task to engineer for successful liftoff, than the B2B rocket, say.
 
----------
 
Savvy lawyers who write statutes (and there are few of those, but they are to be found as clerks of senators, congressmen, and state-equivalent persons) can codify issue-based statutes, much as we engineers do for system designs. When the two were aligned last time, klutzy old (yes - old and way "past it" even in 1994) X.509 certificates went from being that which IETFers would spit at Peter for advocating, to what we now enjoy: warts and all. Derision aside, SSL + https cert handling works on a macro scale, and a harmonious position was obtained - albeit at a pretty low-level consensus level - but the resulting trust system that could address all of: social politics, technology, US Fed govt paranoia about strong crypto when put into the hands of mere citizens, military re-application, and even some international relations/law issues handled at the UN.
 
This topic of "open source legal apparatus" is, note, quite vital and pertinent to Realty at this time. Realty recently rejected - in the SAML WebSSO world - the attempt to introduce licensing fees, to pay for rights to use and apply a (very well thought-out) set of Relying Party Agreements (and all the related legal-space trust framework components). If we take that as a cue, no vendor that brings a webSSO technology to Realty will succeed if (a) the technology is encumbered (b) or is tied indirectly to particular legal trust frame working IP (E.g. CPSs, RPAs, Federation Policies). If folk cannot buy software, and just software - or buy services hosting that software, alternatively - folk will probably just wait it out. We already have all the practices, agreement and policy apparatus we need (for our corner of the world) and all the political process one needs via the realtor trade association to debate and evolve ourselves. And yes, it's a perverse process, as in any trade association. But remember that Realty already has far more lawyers than any industry could ever really want; law and technology in US realty thus have a long history of co-development. We just need unbundled technology, not legal advice sold in the form of software licensing.
 
Hopefully, folks are listening. It's only my opinion; others in US Realty will surely express their own! But, I'm going to use experience to guess that the worldview whose picture I'm painting is going to be a dominant viewpoint - and one that many other buying groups are going to be following as Realty leads - as a possible adopter of this next generation infrastructure.

Since David Recordon has apparently accepted an offer to speak on behalf of the OpenID Community at the national realty conference this year, I'm now wondering whether I should accept Andre Durand's invitation to participate at the coming DIDW conference, in a panel format discussion. I'm feeling somewhat obligated, since David is clearly doing his part to match up technology vendors with realty buyers. Someone from Realty therefore needs to be showing reciprocal respect, trying to match up lots of potential realty buyers with what has to be a vibrant, competitive market of OpenID technology sellers! This is just the way that social networking happens in realty - a series of mutual respect steps that engender the kind of trust that can last a lifetime.


________________________________

From: Eddy Nigg (StartCom Ltd.) [mailto:eddy_nigg at startcom.org]
Sent: Sat 7/14/2007 2:13 PM
To: Peter Williams
Cc: OpenID - General
Subject: Re: [OpenID] Rule of thumb


Hi Peter,

For me Open Source is about the source; an Open Standard is about the standard. GPL is an open source license (for the legal stuff). Policy and practice statements have certainly nothing to do with open...

Communities are communities...there are many different kinds. Needless to point out where this comes into play at many of the open source projects, but there is open source without a community and there are communities without any source.

CAcert is a (not so open) community which runs a web-of-trust; no open standard and no open source. And since you touched the word "obligations" below, at CAcert there are no obligations. There isn't any liability either and if you have worked with volunteers in any/most community projects then I'm sure you know where the commitments end...

Perhaps what OpenID is, somebody else knows to define better than me, but right now for me it seems to be an open standard. Similar as Jabber/XMPP is an open standard. Or many other open standards out there...


-- 

Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Jabber:      startcom at startcom.org
Phone:       +1.213.341.0390


Peter Williams wrote: 

	 

	 Also CAcert has nothing - I repeat NOTHING - to do with "Open Source" whatsoever, but CAcert is a community operated web-of-trust scheme.
	
	--------------------

	 

	This got me thinking, all afternoon. Open Source means folks writing software, one might infer. So, why did I feel right to use the term?

	 

	In my view, Open Source means writing legal agreements (a form of software). Use of community property begets certain obligations.

	 

	Open Source means writing federation policies. Use of community property begets certain obligations.

	 

	Open Source means developing/writing certification practice statements? Use of community property begets...

	 

	It's a state of mind, surely: not merely the ability to be a god of Unix device drivers.

	 

	If OpenID - as a vendor-led community - is heading for the fully de-centralized infrastructure vision that is implied by its technological potential, OpenID folk and CAcert folk should actually get on fine - old PKI wars about browsers and certs, aside.

	 

	If OpenID infrastructure turns out to emulate in its default trust models that used when delivering https in webland today (or more viciously, vendor clubs rig the infrastructure with lobbying funds so it adopts the "mega-TTP model"), CAcert folks will be in exactly the same position with OpenID as they are with the vendors of browsers for the public: outcast.

	 

	This has actually been an excellent use case analysis. Organized realty has folks with an actual, analogous approach to trust management as that being investigated by the CAcert community in PKI. Like such people or despise their view on life, they are present and entirely valuable participants in the Realty world - at least. We will love you, if no-one else will! Folks may not realize it, but 1.3 million Realtors are amongst the world's best social networkers. Each individual's commission check at the end of the next month depends solely on exhibiting that skill. At the same time, each Realtor is in competition with the one up the road, as are broker offices, and as are towns vying for deals in that suddenly interesting parcel of land that was desert, 30 years ago. So, lots of interesting, local-community-driven trust practices have evolved over the last 30+ years of online brokering.

	 

	Mental note to self: OpenID, at least when applied to de-centralized realty's private management domain, has to show it can adopt, extend and live happily with a CAcert approach to trust management (as well as other means, such as assurances-based evaluation). After all, SAML2 had no problem; and is functionally identical to OpenID. If OpenID in practice comes overly loaded with a preset set of ideas about how Realty shall orchestrate trust management, it might well not be suitable for adoption. But, finding this out is exactly why I'm here, and why several of us are reaching out to OpenIDers!

	 




