[OpenID] A little crypto-politics: crypto anarchism, VeriSign OpenID, OpenID brand meaning
Peter Williams
pwilliams at rapattoni.com
Sun Sep 9 15:21:34 UTC 2007
By actually playing with various blogging sites, I feel much clearer
about OpenID's message and core value. I was already convinced - as an
engineer -- about the fundamental notion of the URI as an underlying
form of identity that will be suitable to scalable collaboration,
especially having learned about its potential interplay with modern RDF
which similarly exploits URIs as a scaling technique for representing
domain-specific knowledge sets.
I finally did a blogit/trackback to a blog entry.
Now this is when I think I finally had my openID moment.
There I was being asked to fill in the form, to leave my own
blogit-trackback data (name, email address, URL...).
If OpenID allows me to simply fill out the URL, and the rest comes via
OpenID Auth... then I get it (finally!).
Furthermore, if the policy of the blogsite accepting comments requires
auth of the user behind that URL, OpenID Auth comes through again.
Furthermore, as a gazillion blogsites can be doing a gazillion
trackbacks between each other without reference to blogsite provider as
the validator of ID, the delegation mode(s) of OpenID Auth makes total
sense.
Now why cannot the wiki say something like this (in 200 words)?
It's taken me two months to get it! (Ok, 2 weeks for the rest of
humankind).
--------
So, I downloaded MSFT's offline web blog editor - Live Writer. It's
configured to publish to my blogsite at a URL I best not cite again,
lest an atom (pun) of disapproval be expressed. At some point, I'll also
have it publish to that Google blogsite I made in an earlier experiment
with OpenID (using the anonymous OP in India, failing to interwork
with the wiki of this group). Unlike MSN Spaces, the Google provider
doesn't curtail so much which web techniques one can apply (e.g. set
metadata tags in HTML for Openid delegation!) and so should allow a more
"as-intended" OpenID experience.
I also installed a plugin to Live.com skydrive - which allows one to
easily add iframe markup to a blog entry linking up to "files" stored in
skydrive. I was simply trying to reference my foaf file! More on this in
a moment.
Of course, the 5+ year old single-sign-on world of live.com/Passport
lets me logon once to Live.COM's IM client "Live Messenger" - something
I must have used for 10 years now, to leverage the MSN personal portal
page, created during the last round of "portalservers will rule the
Web"! If I now start up the offline blogsite editor and publish a post,
the http publication on the website does a behind-the-scenes SSO to get
me login privileges sufficient to complete the act of publication. It's
identical in form these days with the WebSSO used for years to
auto-logon to MSN.com:
For example: "GET /login.srf?wa=wsignin1.0&rpsnv=10&checkda=1&ct=1189346476&rver=4.0.1534.0&wp=LBI&wreply=http:%2F%2Fwww.msn.com%2F&lc=1033&id=1184 HTTP/1.1"
Now, the form of that URL is very suggestive of the "WS-Federation
passive" protocol flow (which my Federation server vendor happens to
support, in addition to SAML). It's obviously playing the role that
OpenID Auth messages play, when doing solicited auth. But that's not the
point.... this is WebSSO; and OpenID is not WebSSO. More on this in yet
another moment.
I also played similarly with livesite.com, the work of
http://www.nbdev.co.uk/blogs/webcasts/archive/2007/08/17/live-id-single-sign-on-the-webcast.aspx,
seeing how one cardspace interaction occurs
with a next generation blog experience. I got to play with cardspace
management and binding, "account linking" of the LiveID (onto a
community server account), the various levels of cardspace UI
experience, and use the "enhanced security" option (pretty green title
bars! certified by VeriSign.)
https://login.live.com/login.srf?lc=1033&ru=https://login.live.com/beta/ManageCards.srf%3fru%3dhttp://login.live.com/login.srf%253flc%253d1033%2526appid%253d0016000080002409%2526alg%253dwsignin1.0%2526appctx%253d%25252fDefault.aspx%2526vv%253d500%26id%3d3%26vv%3d500%26lc%3d1033&wll=1&id=3&bk=51313236
I even now have a formal cardspace id, for use with that site:
WX2-JXGB-SBW! Presumably, I need to remember that. Good luck, grandma.
(There was also something about CIDs, whatever they are!)
This is all a very nice tittle-tattle about MSFT-related work this year
and last decade, but what about OpenID?
So if simple, traditional, already-fielded WebSSO is not OpenID, let's
focus on something that is -- that which Skip is most famous for: its
browser plugins. Flash back - to a moment ago -- to my skydrive plugin.
This was my skip-like moment, without having to install Firefox. On
invoking the live writer plugin to try and embed a link to a file via
its iframe-markup-generator function, it "required me" to login to the
plugin (using the MSFT live.com account, in a live.com style popup
window (with many warnings about privacy issues, reputation, this is
NOT Microsoft code warnings)).
Ok. Well at least I find myself using a common identity. No longer
restricted to doing webSSO, the SSOness is now unlinked from the webness
of WebSSO, and is also working with a (code-component -> website)
handoff of an identity (using the ws-federation passive protocol,
still). Presumably, a full cardspace experience could also be integrated
here, where a card releases attributes to the target active-plugin
operating on my own host (rather than some target website like MSN.com).
So is this OpenID like?
Perhaps. I had to login to the card, to login to the LiveID-enabled
component. Presumably, I will one day be using my OpenID to logon to the
card... (which presents some local auth UI, via OpenID Auth flows) to
then logon to the target, with or without account linking.
But we are still ways away from blogging culture. I got a login-less
publication ability (leveraging WebSSO). And, an offline editing process
had me nicely leverage something openid-like to access the plugin that
then allowed me to create some markup; yet still nothing is published.
OK. So then I published the blog entry, a rather trivial iframe -
causing a browser popup to ask you to control the download of an rdf
file, as it happened.
And then I did a trackback to that entry.
Now this is when I think I finally had my openID moment.
There I was being asked to fill in the form, to leave my own
blogit-trackback data (name, email address, URL...).
If OpenID allows me to simply fill out the URL, and the rest comes via
OpenID Auth... then I get it (finally!).
Furthermore, if the policy of the blogsite accepting comments requires
auth of the user behind that URL, OpenID Auth comes through again.
Furthermore, as a gazillion blogsites can be doing a gazillion
trackbacks between each other without reference to blogsite provider as
the validator of ID, the delegation mode(s) of OpenID Auth makes total
sense.
Now why cannot the wiki say something like this (in 200 words)?
It's taken me two months to get it! (Ok, 2 weeks for the rest of
humankind).
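To make the "metadata tags in HTML for OpenID delegation" mentioned above concrete, here is an added example (not code from the post, nor from any OpenID library) of the relying-party discovery step: it reads the OpenID 1.1 `openid.server`/`openid.delegate` and OpenID 2.0 `openid2.provider`/`openid2.local_id` link tags from a page's head only, so markup injected into a blog body or comment cannot redirect the login to another provider. All URLs in the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _HeadLinkCollector(HTMLParser):
    """Collect (rel, href) pairs from <link> tags found inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head, self.links = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            if a.get("rel") and a.get("href"):
                for token in a["rel"].lower().split():  # rel may list several tokens
                    self.links.append((token, a["href"].strip()))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover_delegation(html, claimed_id):
    """Relying-party discovery: return the OP endpoint and the identifier to
    assert for claimed_id, or None if the page carries no usable delegation
    tags. Tags outside <head> are ignored on purpose (injected body markup)."""
    parser = _HeadLinkCollector()
    parser.feed(html)
    rels = {}
    for rel, href in parser.links:
        rels.setdefault(rel, href)  # first occurrence of each rel wins
    if "openid2.provider" in rels:                  # OpenID 2.0 tags
        version, endpoint = "2.0", rels["openid2.provider"]
        local_id = rels.get("openid2.local_id", claimed_id)
    elif "openid.server" in rels:                   # OpenID 1.1 tags
        version, endpoint = "1.1", rels["openid.server"]
        local_id = rels.get("openid.delegate", claimed_id)
    else:
        return None
    if urlparse(endpoint).scheme not in ("http", "https"):
        return None  # never send the browser to a non-HTTP endpoint
    return {"version": version, "endpoint": endpoint,
            "claimed_id": claimed_id, "local_id": local_id}

# Constructed sample: delegation tags in <head>, plus a spoofed body tag to ignore.
SAMPLE_PAGE = """<html><head><title>alice</title>
<link rel="openid2.provider" href="https://op.example/server">
<link rel="openid2.local_id" href="https://op.example/id/alice">
</head><body><link rel="openid.server" href="http://bad.example/"></body></html>"""
```

Calling `discover_delegation(SAMPLE_PAGE, "http://alice.blog.example/")` yields the 2.0 endpoint and local id from the head, and the body tag has no effect.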