[OpenID] My answers to the nominee questions

Peter Williams pwilliams at rapattoni.com
Fri Dec 12 14:59:23 UTC 2008


The quite common derogation of https openid by so many folk in the community really amazes me. It’s like there are two sub-communities here. Some understand the nature of the discovery process that powers openid, and others perhaps don’t. We have folks with the experience to be writing OASIS trusted resolution spec for XRI, and define HXRIs proxy introductions. And, we have folks who cannot configure a CTL (i.e. run a root registration authority) even though thousands of vb programmers can now do it.

I’ve no idea what “end-end” HTTPS identifier support is. Presumably it contrasts with link-based HTTPS identifier support (ES to IS, IS to IS, HTTPS CONNECT proxy to client, HTTP1.1 proxy to server with optional TLS upgrade, etc.). So, since I’m evidently ignorant (as usual), it always helps to be open minded.

What is it?

In terms of brand, we could certainly drop the painful https OpenIDs. But, we’d have to stop talking about the anti-phishing properties of openid. By its elimination and without some replacement, we’d be making the phishing problem worse: it’s just the nature of HTTP redirect handoffs that power foreground openid auth. (And let’s not forget, the leadership has recommended against pursuing backchannel flows of openid auth assertions.)

Of course, we should ask: Are there any alternatives to SSL+PKI just sitting there waiting for mass adoption by 2 billion consumers?

In terms of the perceived “brand”, do recall websso technology competitors already know we’ve been through 3 methods now: trusted XRI resolution procedures (reject), HXRIs (reject), HTTPS OpenID (reject?). They may even claim the community failed to deliver on its promise of a cardspace-leveraging method too, since its “harmonization” with a modified openid2 auth seems to have dropped off the radar.



From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Friday, December 12, 2008 2:12 AM
Cc: general at openid.net
Subject: Re: [OpenID] My answers to the nominee questions

On 12/12/2008 09:24 AM, Luke Shepard:


Things that don’t matter: OpenID as a brand. As Scott put it, who cares about the brand of SMTP? Or HTTP? Also, some stuff is pretty minor. Like end-to-end support of HTTPS identifiers. If it gets in the way of usability and adoption, then it sucks. The real question is, is an HTTP identifier more secure and usable than using an email and password. If so, then move on.

Facebook might not care about security and if their user accounts get phished and broken by whatever means, but the heavyweights in the computer industry certainly do. Other corporations as well. Just heard yesterday from a representative of one of the biggest firms out there (without disclosing names) what their real problem is (with OpenID) and what needs to change in their point of view in order to higher the adoption rate of relying parties (including themselves). You bet that security is (still) one of the main concerns. Please also note that your provider (Facebook) is only a relying party to itself - if you really believe in what you said above then open up and extend the trust to all possible OpenID providers.

Facebook Connect? I guess it will be as relevant to WebSSO as Alta Vista is for search today - but OpenID is intended to penetrate and influence a particular pattern and behavior of the mainstream user and his/her Internet experience. Those were educated to enter user names and passwords for more than a decade, it will take some time to educate them to something different. OpenID is more than a protocol or specification - it's a spec, product and educational effort where security can't be optional but is a way of life (the same way you've got a lock at your house's door). Besides that, SSL/TLS isn't such a big deal these days, it's the norm for any authentication form I think.

Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390



