[OpenID] Reconsidering http://openid different from https://openid

Peter Williams pwilliams at rapattoni.com
Fri Sep 21 22:54:51 UTC 2007


Let me try again. I didn't capture originally that OpenID is obviously
fine for: 0-80%.

With the help of OpenID V1 where beneficial, the web is cheap, cost
effective and sufficiently safe for 80% of users and usages. It is less
safe for those business to business usages that demand quality and
security in the 80-85% user/usage safety band. The goal of OpenID v2 is
to deliver cost-effective WebSSO to this 80-85% band of users and usage
quality, bringing the cost of WebSSO deployment and operation to that
equivalent to the cost of deploying and operating a general purpose web
server, whilst suffering a marginal and tangible increase in residual
risk. Etc.



For marketing purposes, choose a point. I chose 85. One could choose
80-90... it's a judgement call.

I'm trying to say: go for it 0-80. Don't even whine. Think carefully
80-85. For 85+, careful consideration is required, including
alternatives.

It's a metaphor.


> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Dave Kearns
> Sent: Friday, September 21, 2007 3:35 PM
> To: OpenID List
> Subject: Re: [OpenID] Reconsidering http://openid different from
> https://openid
> 
> From: Peter Williams
> >
> > The problem statement is
> >
> > The web is cheap, cost effective and sufficiently safe for 80% of
> > users and usages. It is less safe for those business to
> > business usages that demand quality and security in the 80-85%
> > user/usage safety band. The goal of OpenID is to deliver
> > cost-effective WebSSO to this 80-85% band of users and usage
> > quality, bringing down the cost of WebSSO deployment and
> > operation to that equivalent to the cost of deploying and
> > operating a general purpose web server, whilst suffering a
> > marginal and tangible increase in residual risk.
> >
> 
> I've got to strongly disagree with these numbers. OpenID is, of course, an
> authentication mechanism. The 80% of the web that is "cheap, cost effective
> and sufficiently safe" contains very few authentication ceremonies. Its
> purpose (at this point, but not its original purpose) is to supplant
> username/password transactions. I don't know the % of web transactions that
> are authorized only after a username/password authentication, but it's a lot
> less than 80% and, I'd wager, a lot less than 20%. And any increase in risk
> should be countered by a decrease in value of the transaction. That brings
> us, once again, to the point where OpenID is fine for transactions with no
> apparent monetary value but also no apparent reputation value...
> 
> -dave
> 
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general


