[OpenID] Reconsidering http://openid different from https://openid
Peter Williams
pwilliams at rapattoni.com
Sat Sep 22 06:05:06 UTC 2007
Folks!
Try out VISA WebSSO; it's designed for the ordinary consumer. Go buy a $1 object somewhere. The VISA/Mastercard mechanism gets you access to a payment webservice at a merchant website (rather than the shopping cart). But it's websso just the same. It has a (patented, licensed) protocol flow that OpenID applies (almost identically). There are 8400 "OPs" in this particular walled garden.
https://usa.visa.com/personal/security/vbv/index.html?ep=v_sym_verified
The list of relying parties is quite large, with some well known brand names. http://usa.visa.com/personal/security/visa_security_program/vbv/shop.html?it=l2|/personal/security/visa_security_program/vbv/index.html|Places%20to%20Shop
The only architectural difference between OpenID and VerifiedByVISA is that OpenID registers a URI, rather than a cardnumber. While OpenID nominally allows for anyone to be an OP (and the use of URIs as identifiers facilitates that ...quite spectacularly and in a visionary way)... in reality we see more and more folks believe it will be just a few mega-OPs (the portal guys) that carry the day. The very thing that characterizes OpenID and rationalizes what all the URI hassles actually accrue as benefits to the end user are ... apparently ... NOT that which will actually bring about mass adoption :-(.
----------------------
If I boil things down to "what lies in a consumer's interest?", can I subscribe to:
"OpenID technology for 'low-assurance WebSSO' gets you to the shopping cart and feedback form, while your VerifiedByVisa technology for 'medium-assurance WebSSO' gets you past the checkout?"
Yes. I do think that I could subscribe to that view.
What's missing in the OpenID technology suite is the walled garden setup mechanisms (the OP whitelists for creating n federations of sites, per RP, etc). If OpenID doesn't get this sorted, then No! I don't think I can subscribe to the view of a mass OpenID future. Default on a walling mechanism and SAML/WS-Fed will take the shopping cart and feedback form.
The wildcard in all this is actually openid+cardspace, however. Microsoft marketing + open technology for RPs on all platforms. Now there you have a real wildcard in the equation. A high-assurance "Trusted Client" technology that can finally take on a high-assurance "TTP Network" like VisaNet!
________________________________
From: general-bounces at openid.net on behalf of Dave Kearns
Sent: Fri 9/21/2007 9:27 PM
To: OpenID List
Subject: Re: [OpenID] Reconsidering http://openid different from https://openid
I've absolutely no idea what you're talking about here. SSO is not in any
way a vertical market nor a walled garden. Its raison d'être is, in fact,
to do away with those concepts.
-dave
> -----Original Message-----
> From: Peter Williams [mailto:pwilliams at rapattoni.com]
> Sent: Friday, September 21, 2007 9:16 PM
> To: Dave Kearns; OpenID List
> Subject: RE: [OpenID] Reconsidering http://openid different from
> https://openid
>
>
>
> Let's note that there is nothing in the "concept" of OpenID that
> is particularly new. It's just WebSSO. It's been around a while in
> various guises, and various predictions. Here are some old ones:-
>
> http://www.internetnews.com/xSP/article.php/3411_1014961.
> http://www.infoworld.com/articles/hn/xml/03/01/07/030107hnliberty2
> .html?s=IDGNS
>
> A little independent (old) commentary on Liberty (and holds for
> OpenID) is at
> http://searchwebservices.techtarget.com/originalContent/0,289142,s
> id26_gci896956,00.html?Offer=5NEWS
>
> The whole flow of OpenID (with validation) is of course
> identical with that laid out at
> http://www.smallnetbuilder.com/content/view/25970/113/1/3/
> (!patent warning!)
>
> To address a quite high assurance general-merchant network, you
> see what VISA actually does - to administer its trust domain (and
> sell affiliate services back to its own members!) at
> https://partnernetwork.visa.com/vpn/global/category.do
>
> Now where does all that fit if placed on our 0-100 scale, based
> on the 80/20 rule of getting anything to mass adoption? I'd
> argue the 100% space for webSSO is divided up something like:-
>
> 00-20 academic, no auth publishing
> 20-40 academic publishing with trackback/cookie-grade snooping/id
> 40-60 portal/campus (yahoo, LiveID, Internet2 etc)
> 60-80 merchant shopping/services accounts (e-commerce)
> 80-85 B2B (tradesecret, copyrights, licensing, billing, proprietary...)
> 85-90 secure payment (VISANet, ACH, UK-APACS etc)
> 90-95 Reuters, Lloyds, BiigCompany Supply Chain Management, Telco
> 95-99 military/govt messaging
> 99-99.999999 police dossiers/intel (sordid sex and enemy lies)
> 0.000001 access to national secrets (that are worth a damn after 1 month)
>
> OpenID seems to fit 30-50, and perhaps 80-85.
>
> SAML fits 90-96. Arguably it also fits 80-85 though OpenID v3
> could well compete there, if its costs/uptake is a better deal
> than the work of the traditional SAML vendor. A lightweight SAML2
> could take on OpenID in 40-50 tho.
>
> In strange cross-category industries like that servicing a
> complete Realty transaction, the space cuts across 50-96. Thus, a
> multi-protocol WebSSO strategy is called for. OpenID, 3dsecure, SAML2
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general