[OpenID] For the nominees
Peter Williams
pwilliams at rapattoni.com
Fri Dec 5 16:59:28 UTC 2008
From: Eric Sachs [mailto:esachs at google.com]
Sent: Thursday, December 04, 2008 5:19 PM
To: Peter Williams
Cc: Eddy Nigg (StartCom Ltd.); general at openid.net
Subject: Re: [OpenID] For the nominees
But I say MINIMUM functionality because the companies who run those large sites certainly see opportunity in other functionality the identity industry is pursuing, whether it be claims, social integration, personal web services, etc.
I'm guessing that "opportunity" that we analyzed the other day seems an exemplar case of the value-add that folk perhaps characterize as: "user-centric".
What was it? you ask?
...leverage the ability to perform a cross-correlation search to find "the other comments left at other commenting sites where a login URL claim (openid) has been used, given it's been noted to have been used at change.gov".
This is an example of the "other functionality" that can be built, once one has the openid concept adopted pretty universally. It's a web2.5 application, leveraging the core web2.0 platform. And, like all web2.0, it obviously relies on the data being in web-form (URLs) - a form that we know makes raw web data highly amenable to high-volume, search-based correlations that drive search-powered applications.
That example would seem to characterize a "user-centric" value-add that doesn't exist ...until one searches out the correlations. And it clearly provides to the user a clear personal benefit: a cross-site "central view" of all authenticated comments left by that _one_ openid user, despite leaving them on _many_ blog sites. Without said benefit, only the many site-centric views would exist, leaving the actual user/commentator at a relative disadvantage.
If this is the user-centric-ness intended in openid/UCI, then I get the meaning of the term. Use the side effects of URL-based correlations as a "technology"; one from which one can variously rebuild the per-user view of their own distributed weblife.
At first blush, that conception makes it obvious why a google would buy into openid. The side effect benefits go way, way beyond openid's pro forma benefits: providing a crypto channel, addressing the user's multiple password problem, and form-filling for signups. Based on the URLness of the openid, as with trackbacks et al, identity URLs get added to side-effect-of-search "technologies", that create the web2.0 computing platform.
But, that is all a very different conception of the term UCI to the one I had understood openid to be about -- one focused narrowly on classical security controls theory. There, UCI is about providing the by-design assurance that a mere OP has no inherent "trusted" role, and the identity metadata is not a platform to vector trust-based control systems, by default. In that conception of UCI, the denial of a trusted role for OPs "by default" characterizes a world in which any one OP is unable to negatively impact the relationship between an openid-empowered user and the set of RPs being used by said user. This default limitation is the crux of the "user" centeredness, of the control relationship. Of course, nothing should or does stop one applying a trust overlay, by consent of the parties.
Be fun to know what the design team actually intended UCI to mean: security models or web2.0 benefits. It's clearly the only thing that fundamentally distinguishes the openid crowd from the typical SAML crowd.