[OpenID] [LIKELY_SPAM]Re: Google OpenID IDP is now live

Peter Williams pwilliams at rapattoni.com
Thu Oct 30 00:27:29 UTC 2008


Can you give a (sanitized) summary of Google-internal thinking on how the three-way legal relationship between subscriber (to IDP and RP), the RPs, and the IDP will work?

Folks studying SAML models learn that a "federation" can be idp-centric, or sp-centric. These obviously contrast with the openid model, which is **supposed** to be user-centric, but is looking increasingly idp-centric, in reality (the easiest).

For example, can an RP (acting now as an OP) turn around and issue its own assertion to downstream RPs having relied on the Google assertion? Can it cite its reliance on Google? If it can, is its "repurposing" limited? Does it need permission?

These are hard (legal) questions, as already seen in the CA world. There, since ANYONE can rely on an X.509 cert by design, there was no opportunity to impose contractual obligations on RPs, and no opportunity to enforce a signup policy or clickthru agreements. So ...copyright controls were necessarily used instead, along with the threats of federal prosecution (as invoked at least once by VeriSign, when Sun had some poor stooge test the power of the VeriSign policy being applied in protection of Microsoft's Authenticode signed-code scheme, during the Sun/Microsoft web1.0 wars of the late 90s).

From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Eric Sachs
Sent: Wednesday, October 29, 2008 4:40 PM
To: Dick Hardt
Cc: OpenID List; Joseph Smarr
Subject: [LIKELY_SPAM]Re: [OpenID] Google OpenID IDP is now live

>> Do you think there is going to be a rush of un-sophisticated Google OpenID users at this point in time?  I might be mistaken, but Yahoo!, AOL, myopenid are not whitelisting. What am I missing?

We just need to do the standard scaling, stability, translation quality, etc. evaluation to make sure there are no major problems.  If we are lucky, that won't take much time.  However it is more than likely that we will need to tweak things in our user interface to make it easier to understand, and unfortunately translating any such tweaks into 40+ languages takes a while.

On Wed, Oct 29, 2008 at 2:18 PM, Dick Hardt <dick.hardt at gmail.com> wrote:

On 29-Oct-08, at 11:36 AM, Eric Sachs wrote:


>> I'd be interested in how Google thinks users will login with their OpenID if they can't type in gmail.com or google.com -- these should work. Will they?
Since this is the first phase of our launch, we need to make sure it works stably (and with good usability feedback, including on validating the translation of our UI into 40+ languages) before we can claim that lots of RPs should use it.  Therefore there is currently a whitelist of supported RPs.

If we published an XRDS file for gmail.com that worked automatically with existing RPs doing directed identity, then it would break for users because their RPs would not be on the whitelist.

Once we are able to remove the whitelist, then we can post the XRDS file for gmail.com without breaking existing RPs who allow users to type domain names for directed identity.

Ok. Now I understand why the XRDS is not there at this point.

I don't understand why the RPs need to be whitelisted. Do you think there is going to be a rush of un-sophisticated Google OpenID users at this point in time?  I might be mistaken, but Yahoo!, AOL, myopenid are not whitelisting. What am I missing?

-- Dick
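Added example, not part of the thread and not code from Google or any of the participants: what "posting an XRDS file for a domain" buys an RP doing directed identity, and what the RP has to check afterwards. The XRDS body, the OP endpoint (op.example-op.test), the RP return_to/realm URLs and the response parameters are all constructed for illustration; only the OpenID 2.0 namespace and type URIs are the real spec values.

```python
"""OpenID 2.0 directed identity from the RP side: Yadis/XRDS discovery,
building the checkid_setup redirect, and verifying the assertion against
discovery. Constructed example; endpoints and URLs are assumptions."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Real OpenID 2.0 / Yadis namespace and type URIs (from the specs).
XRD_NS = "xri://$xrd*($v*2.0)"
OP_IDENTIFIER_TYPE = "http://specs.openid.net/auth/2.0/server"   # directed identity
CLAIMED_ID_TYPE = "http://specs.openid.net/auth/2.0/signon"      # user-specific identifier
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OPENID_NS = "http://specs.openid.net/auth/2.0"

SERVICE_TAG = "{%s}Service" % XRD_NS
TYPE_TAG = "{%s}Type" % XRD_NS
URI_TAG = "{%s}URI" % XRD_NS

# Constructed XRDS of the kind an OP serves for a domain users type at an RP.
# The endpoint host is an assumption, not a real published file.
SAMPLE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://example.invalid/some-other-protocol</Type>
      <URI>https://other.example-op.test/</URI>
    </Service>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example-op.test/openid/endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

# Constructed XRDS with no OpenID service at all: discovery must fail cleanly.
NO_OPENID_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD/></xrds:XRDS>
"""


def discover(xrds_bytes):
    """Pick the best OpenID 2.0 service from an XRDS document.

    Returns {"endpoint": ..., "directed_identity": bool} or None when the
    document advertises no OpenID 2.0 service. Lower <Service priority>
    wins; document order breaks ties; services without a URI are skipped.
    """
    root = ET.fromstring(xrds_bytes)
    candidates = []
    for order, svc in enumerate(root.iter(SERVICE_TAG)):
        types = {t.text.strip() for t in svc.iter(TYPE_TAG) if t.text}
        uri_el = svc.find(URI_TAG)
        if uri_el is None or not uri_el.text:
            continue
        if OP_IDENTIFIER_TYPE in types:
            directed = True
        elif CLAIMED_ID_TYPE in types:
            directed = False
        else:
            continue  # not an OpenID 2.0 service
        prio = svc.get("priority")
        prio = int(prio) if prio is not None and prio.isdigit() else float("inf")
        candidates.append((prio, order, directed, uri_el.text.strip()))
    if not candidates:
        return None
    _, _, directed, endpoint = min(candidates)
    return {"endpoint": endpoint, "directed_identity": directed}


def build_checkid_setup(endpoint, return_to, realm, claimed_id=None):
    """Build the checkid_setup redirect. With an OP identifier (directed
    identity) there is no user-specific claimed_id, so both identifier
    fields carry the identifier_select sentinel and the OP fills them in."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id or IDENTIFIER_SELECT,
        "openid.identity": claimed_id or IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    sep = "&" if "?" in endpoint else "?"
    return endpoint + sep + urlencode(params)


def assertion_consistent_with_discovery(response, discovered):
    """Checks an RP must do on a positive assertion before trusting it
    (signature verification is a separate step not shown here):
    the OP must have replaced the sentinel with a real claimed_id, and
    openid.op_endpoint must equal the endpoint obtained by discovery.
    Without the latter check any endpoint could assert any identifier."""
    if response.get("openid.ns") != OPENID_NS or response.get("openid.mode") != "id_res":
        return False
    claimed = response.get("openid.claimed_id", "")
    if not claimed or claimed == IDENTIFIER_SELECT:
        return False
    return response.get("openid.op_endpoint") == discovered["endpoint"]


if __name__ == "__main__":
    d = discover(SAMPLE_XRDS)
    print(build_checkid_setup(d["endpoint"], "https://rp.example.test/return",
                              "https://rp.example.test/"))
```

A "user types gmail.com" flow is exactly `discover()` over whatever that domain serves; when nothing is published, `discover()` returns None and the RP has no endpoint to redirect to, which is the breakage the thread describes. The last function is the part RPs most often skip: after identifier select, the asserted claimed_id and op_endpoint must be re-checked against discovery rather than taken on faith from the response.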
