[OpenID] Sidestepping lack of RP's

Peter Williams pwilliams at rapattoni.com
Sat Jul 26 22:41:55 UTC 2008


For me, attribute exchange is presented not as that which its name suggests (trivial directory lookup, over the existing crypto association, rather like the SAML equivalent) but as an outsourcing and replication service for "member accounts". It comes across as dumbing down web spokes, by offloading (local) member record management to the OP.

Perhaps it's all in the presentation!

In OpenID auth, the vision is clear: uci and massively distributed control. In AX, the vision for outsourcing seems somewhat incompatible with the auth vision: seemingly being about increasing centralization of storage, control, and distribution.

Now if I had half a billion member records, had seen the light on websso, and now wanted to make revenue flow from that asset, would I attempt to say to commercial RPs: yes! You are allowed into the hub/spoke network (gaining both SSO and access to the hub's AX attributes), but only when your app is reduced to being a "tenant" of the hub's id mgt service.

Now! That tenant model feels fine when the third party app is a "mere" plugin to a social networking site. It doesn't feel quite right when the app is a true web peer.

I know I'm not articulating this point well at all, as I don't really understand the full ramifications of the security model underneath AX. View the above as discussion points, therefore.

-----Original Message-----
From: SitG Admin <sysadmin at shadowsinthegarden.com>
Sent: Saturday, July 26, 2008 1:56 PM
To: general at openid.net <general at openid.net>
Subject: [OpenID] Sidestepping lack of RP's


(It occurred to me, as I was finishing this message, that this could
be an opportunity for Attribute Exchange to step forward and be
useful. I don't recall, unfortunately, and can't seem to locate,
exactly where it was said that AX has become this extension with huge
potential but we don't seem to be *doing* anything with it, to take
advantage, so if you know where this was, please say something.
Thanks.)

Another major site has begun "using" OpenID, but not as a Relying Party.

It's like a DRM scheme where the big players hold all the keys (but
us "beneficiaries" aren't trusted/allowed to know our own), we have
the illusion of being able to communicate with one another but, in
practice, these interactions take place solely at the discretion of
those big players, grouped by company and alliance.

Let's say that I see someone on MySpace that I want to "socialize"
(the purported purpose of a "social" network, is it not?) with;
unless they log onto my site directly, there is no way I have of
communicating to them so much as the desire to talk, other than
making a MySpace account.

I know that MySpace (and others) may be thinking that, if non-users
(such as myself) and their users were able to set up channels of
communication outside of MySpace, I would never *need* MySpace, and
they wouldn't get any more users. But while the first part of this is
true, I assert that if I can't get to know one of MySpace's users
well enough to be certain that I *do* want to take advantage of
MySpace's technology to be more connected to them in that way,
MySpace is actually *losing* a new user, potentially.

The big players (MySpace, et al.) should *advertise* their userbase,
which is what they *are* doing (as Providers), but leaving it at that
- while, perhaps, a decision based on risk as much as benefit - loses
out on a lot of what OpenID's boundary-dissolving has to offer. How
many sales do you make if you saturate the television stations and
then, when you get a flood of callers, respond lackadaisically and
show no real commitment to getting the caller to buy anything? This
comparison does not quite fit since the respective major sites have
*plenty* of features and all listed on their sites, it is just the
follow-up to *advertising* which is practically nonexistent; at
least, in the analogy, there is someone to answer the phones *at
all*! Imagine what would happen if callers received no answer or
worse yet found that the number had been disconnected, with the
company uninterested if no one felt like coming out to their property
in person to inquire about a purchase?!

But this message isn't about getting the big players to adopt OpenID
as Relying Parties (though that would be nice), nor merely to focus
on getting "communication between native users and OpenID users"
raised into the spotlight; I thought of a way to mitigate this lack
of communication, though admittedly at some risk of letting major
sites say "Well then *we* don't need to do anything about it!":

You want to get in touch with, let's say, a MySpace user (they do
seem to feature rather prominently in my examples; it seems fair,
since they're the latest instance in a succession of "Let's 'support'
OpenID by doing OP but not RP!"), but you don't know which sites they
log into, so you log into a supporting RP's site and say "Please let
*this* person know that *my* URI is trying to get in touch with
them!". The next time they log in to that same RP (and there'll be a
better chance of this if several major sites offer such a service to
their OpenID users), the RP notifies them!

The same RP could even offer messaging capabilities, allowing you to
get in touch with that MySpace user *outside* of MySpace *or* your
own Identity site. For some fraction of use cases this would mean the
RP was offering the feature for communications involving its *own*
users, thus compromising the "outside of uncooperative RP's" promise
this idea holds, but so what if it did? Just don't offer the service
for your own users!

You may rest assured that other sites *will*.

This assumes, of course, that other sites are offering the service
*at all*; but, let's go with that for a moment.

As a purely hypothetical use-case, I have a MySpace account and want
to get in touch with someone who has a Yahoo account (Yahoo isn't an
RP yet, are they? If they are, let's pretend they're not, or you can
substitute the name of some other RP for "Yahoo" as you read on), so
I can log on to AOL and leave a message for that Yahoo person - but I
can't use the Yahoo service or the MySpace service for it, because
Yahoo doesn't want to risk losing *their* user and MySpace doesn't
want to risk losing *me*. I can only use the services at *other*
sites, such as AOL.

And, of course, when AOL delivers such a notification, it'll also try
to persuade the user with the Yahoo account to use *AOL's* internal
messaging service to communicate further with you. Heck, there's even
a home-field advantage - AOL has AIM, an "external" messaging
service! Or maybe you're logging into some other site that has a deal
with AOL whereby it recommends AIM (thereby outsourcing the
responsibility of implementing a messaging service) and receives
something else in return. But using an external messaging service
would require *both* of the users to accept it, and sign up and
everything, so I'm unhappy with the idea and I suggest that sites
which utilize "internal" communication channels (requiring nothing
more from OpenID users than their OpenID itself) will see a much
better response to their service from users if they keep with the
spirit of OpenID.

The *point*, though, of AOL trying to persuade the users of 3rd-party
sites to use its own internal messaging service, is to get users
interested in using *AOL*; to acquire additional users for its own
site(s). And if AOL is the *only* site to offer such a service, I
would expect it to leverage that for all it's worth; to exploit
Attribute Exchange and say "Hmm. This user from WordPress has similar
interests to that user from LiveJournal, let's bring that to their
attention.", then saying "Hey folks, LJ won't play with WP and
vice-versa, but if you come play over *here* we can connect you
*both*."

This is, again, all purely hypothetical. For all I know LJ and WP
already *do* play with one another. Anyway:

If enough sites begin providing such a service, it may become
pressure on others to do the same. If you're losing clients to
several other competitors and not employing the same technologies to
return that favor, you may find yourself beginning to ask "Wait, why
not?". In the long run, that exclusion clause for either user being
of *your* site may disappear, because - with such a saturation in the
rest of the web of means by which they can get in touch with one
another, and interact, *outside* your site - all it's accomplishing
is losing you clients, users who would otherwise migrate to other
sites that are able (and willing) to provide services *you* won't.

I'm hoping that the exclusion clause (where you don't have to offer
notification/messaging between users if either one of them "belongs"
to you) will eliminate enough of the objections to providing such a
service that there can *be* a "long run" for it.

-Shade
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general