[OpenID] Musing on FaceBook, OpenID and the next mountain to climb
Johannes Ernst
jernst+openid.net at netmesh.us
Wed Jul 30 16:47:34 UTC 2008
So what would that mean in terms of what work to focus on and what work to
leave out?
On 2008/07/30, at 8:23, Peter Williams wrote:
> Every handshake protocol eventually hits the point where scalability
> and assurance requirements lead design teams to consider capability
> exchange and negotiation. For example, in ssl one has ciphersuites
> and trust points, each being negotiated in a suitable phase of the
> handshake. In the case of ssl, much of the capability negotiation
> and management is delegated - to the key management protocol that
> aligns with the ciphersuite (eg kerberos for kerberos ciphersuites).
> One can venture that ssl adoptability was in part due to reliance on
> such infrastructures for trustworthiness and assurance: which
> allowed the designers to avoid reengineering the wheel, probably
> badly. Negotiation of capabilities exchange security handshakes
> requires careful security handshake design, note.
>
> Openid might want to take the posture that its goal is to provide
> the integration points for other systems' reputation,
> trustworthiness, capability negotiations handling. For example, one
> might opt to let established routing logic handle trustworthiness
> metrics (since handling of routes of different trustworthiness is an
> advanced art in the vpn and virtual routing domain fields, these
> days).
>
> I'd split from assurance/trustworthiness issues the issue of terms
> negotiation. In both the edi and early pki era, folks played with
> using such as cert fields to encode legal terms, and otherwise use
> reliance procedures to attempt to enact legal agreements and legal
> obligation passing. Neither was particularly successful, though there
> is always large amounts of interest generated - given the nature of
> those problems. Not a lot tends to result, however: reflecting the
> fact perhaps that some things are just better handled procedurally,
> rather than by using machine logic.
>
> -----Original Message-----
> From: Nat Sakimura <n-sakimura at nri.co.jp>
> Sent: Tuesday, July 29, 2008 11:40 PM
> To: Johannes Ernst <jernst+openid.net at netmesh.us>; OpenID List <general at openid.net>
> Subject: Re: [OpenID] Musing on FaceBook, OpenID and the next
> mountain to climb
>
>
> I'd volunteer, but, for drafting the WG charter,
> I need more input from the people on this list on
> what should be in the scope.
>
> For me, I was thinking of the below for some time:
>
> 1) Contract Negotiation Protocol
> - Negotiates the terms of the use, and back channel data transfer
> protocol.
> 2) Reputation Service Protocol
> - Means to obtain the trustworthiness score of an assertion.
>
> In terms of Johannes's enumeration:
>
>> - single-sign-on across the web with a simple user experience
> => OpenID Authentication 2.0 + some more security features.
>
>> - high-quality identity information available to RPs
> => 1) + 2) above.
>
>> - social network information available to RPs
> => 1) + 2) above.
>
>> - communication from RP into the social network of the user
> => I am still vague on what it will be like.
> Could someone post a concrete example usecase, please?
>
> =nat
>
>
>
> On Wed, 30 Jul 2008 13:05:48 +0900, Johannes Ernst
> <jernst+openid.net at netmesh.us> wrote:
>
>> Like others, I've been amazed about what Facebook has put together
>> with Facebook Connect as announced last week.
>>
>> Their proposition for relying parties seems to be:
>>
>> - single-sign-on across the web with a simple user experience
>> - high-quality identity information available to RPs
>> - social network information available to RPs
>> - communication from RP into the social network of the user
>>
>> and IMHO, that is indeed a great business proposition for RPs.
>>
>> Of course, they seem to be building this with Facebook-specific
>> protocols, but that's not surprising given that the OpenID technology
>> stack right now is insufficient to accomplish what they wanted to
>> accomplish. But not dramatically so -- it might just be plugging some
>> other technologies into OpenID (like XFN or FOAF etc.) and filling in
>> some gaps if one wanted to do that.
>>
>> So ... methinks we should grow the OpenID stack over the next 6-12
>> months to be able to do all of this (and more?) with open
>> technologies. This would also make OpenID much more interesting to
>> relying parties...
>>
>> Open protocols are clearly necessary to grow the entire market, which
>> would be in the interest of everybody including Facebook.
>>
>> Anybody up to getting an OpenID working group started up to work on
>> this?
>>
>> [Feel free to respond on the list or privately.]
>>
>>
>>
>> Johannes Ernst
>> NetMesh Inc.
>>
>>
>
>
>
> --
> =nat