[OpenID] What are openids weaknesses?
Peter Williams
pwilliams at rapattoni.com
Mon Sep 3 21:16:13 UTC 2007
"I think this is all progressing nicely. No, we are not anywhere close
to a "mainstream market", this is still at the transition between the
tech enthusiasts and the first business visionaries. And in my view,
everything is happening that needs to happen to take that transition.
Convincing mainstream developers (as opposed to developers working
for visionaries) is later in that cycle, in my view, so personally, I
don't spend much of my energies on that."
This is an excellent summary; I'll assume you are speaking the way the OpenID Foundation generally feels about the outlook.
I think everyone in the several industries attempting to pull off websso for Realtor-mediated home brokering now knows EXACTLY how to regard OpenID. Basically, we should have assign monies to have our various R&D folks experiment this year, perhaps influence the technical protocols through helpful security engineering analysis, and then come back next year and review then any rollout plans for OpenID. It's just too immature, for large-scale, mainstream rollout, this calendar year.
That means we (as a realty community) should continue the program to SAML2-enable our relying party sites. As a community, we have three relying party sites coming on line in Oct - sites handling 400-600k paying users now willing to rely on certain IDPs. I know I've enabled 6 smaller RP sites in the last 2 months, taking about 3 days programming each. I know the code for an open source, low-end "get you started" SAML2 server package (building on the opensaml2 material) is being released shortly, based off a funding exercise placed earlier in the year.
-----------
The nice thing (from Rapattoni anyways) is our WebSSO server vendor is pro-OpenID (I think). The way we have enabled all those realty sites is such that, given the vendor's approach to integration, most of those will also be able to offer OpenID endpoints, just as well as they are offering SAML1, SAML2 and WS-Federation Passive endpoints. At the point that OpenID Auth 2 is mature enough, the sites can decide on which endpoints to open up. It's not as if it really makes the slightest difference to them, residual risk analysis aside. They are buying into the notion of WebSSO and Attribute Authorities really - not the religion of some crypto/security protocol or other.
And if our WebSSO vendor turns out not to be actually OpenID-friendly and interwork generally, I think I've shown that it's relatively easy to go around them - and put an OpenID gateway on the front of all the existing SAML endpoints. The same will go for cardspace.
----------------
Yes, I'd be delighted to volunteer to help OpenID Foundation, given it is still at the R&D/evangelism stage. I've no idea what the next step would be, to tell the truth. Last year, at DIDW, I avoided the OpenID/Higgins/LID sessions - obviously having no chance whatsoever of fitting in. This year, at least I've read the code!
Perhaps this year, it is now worth a try to make contacts at DIDW - as the first round of products are coming to market. If nothing else I have a large network of sites and third-party RP relationships that can be marketing showcases by pilot deployments, to draw *deployment* publicity to the slant on WebSSO that OpenID wants to be known for.
Realty is a broad political alliance: I have no doubt whatsoever that within the National Association of Realtors family - including about 50 mainstream vendors and 1000 local deployment communities - we can find many who will be highly attracted to the "less-managed, less controlling" way that OpenID pitches the notion of WebSSO. We could obviously start with the several folks doing blogsites for Realtors - but I just don't think we want to precipitate association of the brand with - "it's only for blogging, and blog syndication."
________________________________
From: Johannes Ernst [mailto:jernst+openid.net at netmesh.us]
Sent: Mon 9/3/2007 12:26 PM
To: Peter Williams
Cc: OpenID List
Subject: Re: [OpenID] What are openids weaknesses?
On Sep 2, 2007, at 5:35, Peter Williams wrote:
>> If there isn't a better plan, all we have words and they don't help
>> much.
>
> The words help a lot, Johannes. It's not just 25 developers who need
> convincing. The words help showcase that there is a community forming
> and it will therefore be _able_ generally to contribute to civil
> society conformed of Peter-class plebs.
I think this is all progressing nicely. No, we are not anywhere close
to a "mainstream market", this is still at the transition between the
tech enthusiasts and the first business visionaries. And in my view,
everything is happening that needs to happen to take that transition.
Convincing mainstream developers (as opposed to developers working
for visionaries) is later in that cycle, in my view, so personally, I
don't spend much of my energies on that.