[OpenID] [LIKELY_SPAM]Re: Google OpenID IDP is now live

Eric Sachs esachs at google.com
Thu Oct 30 02:01:24 UTC 2008


>> Can you give a (sanitized) summary of Google-internal thinking on how the
>> 3-way legal relationship between subscriber (to IDP and RP), the RPs,
>> and the IDP will work?

We
do not require RPs to sign any legal contract with Google to use our OpenID
endpoint, so we do not restrict how they use it, or the AX attributes they
get from us.  What we do not yet know is what would happen if we received a
lot of requests to disable a particular RP, for example because they were
doing something illegal.  On the other hand, a lot of potential RPs who run
mainstream websites have indicated they may need strong commitments from us
(possibly legally) about uptime, simplicity of UI, etc.

With OAuth, things get slightly more complex.  We do have terms of service
with OAuth consumer sites, but that is mostly to warn them of things like
the fact that if they have a bug in their code that starts overwhelming our
servers, we might need to block them temporarily.  However for some OAuth
enabled services, specifically Google Health, we do require RPs to sign a
contract with us that places more requirements on them.

>> For example, can an RP (acting now as an OP) turn around and issue its own
>> assertion to downstream RPs having relied on the Google assertion?

Yes.

>> Can it cite its reliance on Google?

Yes, though what is harder is how it proves it got such an assertion from
Google in the first place.

>> If it can, is its "repurposing" limited? Does it need permission?

Since there is no legal agreement the RP signs with Google, we can't impose
any "repurposing" restrictions.

On Wed, Oct 29, 2008 at 5:27 PM, Peter Williams <pwilliams at rapattoni.com> wrote:

> Can you give a (sanitized) summary of Google-internal thinking on how the
> 3-way legal relationship between subscriber (to IDP and RP), the RPs, and
> the IDP will work?
>
> Folks studying SAML models learn that a "federation" can be idp-centric,
> or sp-centric. These obviously contrast with the openid model, which is
> **supposed** to be user-centric, but is looking increasingly idp-centric, in
> reality (the easiest).
>
> For example, can an RP (acting now as an OP) turn around and issue its own
> assertion to downstream RPs having relied on the Google assertion? Can it
> cite its reliance on Google? If it can, is its "repurposing" limited? Does it
> need permission?
>
> These are hard (legal) questions, as already seen in the CA world. There,
> since ANYONE can rely on an X.509 cert by design, there was no opportunity
> to impose contractual obligations on RPs, and no opportunity to enforce a
> signup policy or clickthru agreements. So ... copyright controls were
> necessarily used instead, along with the threats of federal prosecution (as
> invoked at least once by VeriSign, when Sun had some poor stooge test the
> power of the VeriSign policy being applied in protection of Microsoft's
> Authenticode signed-code scheme, during the Sun/Microsoft web1.0 wars of the
> late 90s).
>
> *From:* general-bounces at openid.net [mailto:general-bounces at openid.net] *On
> Behalf Of *Eric Sachs
> *Sent:* Wednesday, October 29, 2008 4:40 PM
> *To:* Dick Hardt
> *Cc:* OpenID List; Joseph Smarr
> *Subject:* [LIKELY_SPAM]Re: [OpenID] Google OpenID IDP is now live
>
> >> Do you think there is going to be a rush of un-sophisticated Google
> >> OpenID users at this point in time?  I might be mistaken, but Yahoo!, AOL,
> >> myopenid are not whitelisting. What am I missing?
>
> We just need to do the standard scaling, stability, translation quality,
> etc. evaluation to make sure there are no major problems.  If we are lucky,
> that won't take much time.  However it is more than likely that we will need
> to tweak things in our user interface to make it easier to understand, and
> unfortunately translating any such tweaks into 40+ languages takes a while.
>
> On Wed, Oct 29, 2008 at 2:18 PM, Dick Hardt <dick.hardt at gmail.com> wrote:
>
> On 29-Oct-08, at 11:36 AM, Eric Sachs wrote:
>
> >> I'd be interested in how Google thinks users will login with their
> >> OpenID if they can't type in gmail.com or google.com -- these should work.
> >> Will they?
>
> Since this is the first phase of our launch, we need to make sure it works
> stably (and with good usability feedback, including on validating the
> translation of our UI into 40+ languages) before we can claim that lots of
> RPs should use it.  Therefore there is currently a whitelist of supported
> RPs.
>
> If we published an XRDS file for gmail.com that worked automatically with
> existing RPs doing directed identity, then it would break for users because
> their RPs would not be on the whitelist.
>
> Once we are able to remove the whitelist, then we can post the XRDS file
> for gmail.com without breaking existing RPs who allow users to type domain
> names for directed identity.
>
> Ok. Now I understand why the XRDS is not there at this point.
>
> I don't understand why the RPs need to be whitelisted. Do you think there
> is going to be a rush of un-sophisticated Google OpenID users at this point
> in time?  I might be mistaken, but Yahoo!, AOL, myopenid are not
> whitelisting. What am I missing?
>
> -- Dick
>
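The quoted exchange above turns on what an RP does when a user types a bare domain such as gmail.com for directed identity: the RP runs Yadis discovery on that domain, reads the XRDS document it finds, locates the OP endpoint, and sends an authentication request with `identifier_select` in place of a concrete identifier. The following is an added, self-contained Python example of that RP-side flow, written for this thread rather than taken from Google's IDP or from any OpenID library. The XRDS document, the OP endpoint `https://op.example.com/openid/endpoint` and the RP URLs are constructed placeholders, not Google's real discovery file or endpoint. It also includes the check an RP must run on the way back: the OP that signed the directed-identity assertion has to be the OP that discovery on the asserted `openid.claimed_id` resolves to, otherwise any OP could assert identifiers it does not control. In this example the XRDS for the asserted claimed_id is passed in as a string (`claimed_id_xrds`), where a real RP would fetch it by discovery.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample XRDS (not Google's real discovery document): the kind of
# file an OP would publish for a bare domain such as gmail.com so that RPs doing
# directed identity can locate the OP endpoint.  The endpoint URL is a
# placeholder for illustration.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <URI>https://op.example.com/openid/endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

XRD_NS = "xri://$xrd*($v*2.0)"
OP_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OPENID2_NS = "http://specs.openid.net/auth/2.0"


def find_op_endpoint(xrds_text):
    """Return the OP endpoint advertised by an XRDS document, or None if it
    carries no OpenID 2.0 OP Identifier service.  Services are ranked by the
    XRD priority attribute (lowest number wins; a missing priority ranks last)."""
    root = ET.fromstring(xrds_text)
    candidates = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        uri = svc.find(f"{{{XRD_NS}}}URI")
        if OP_SERVER_TYPE in types and uri is not None and uri.text:
            priority = int(svc.get("priority", 2**31 - 1))
            candidates.append((priority, uri.text.strip()))
    if not candidates:
        return None
    candidates.sort()
    return candidates[0][1]


def build_directed_identity_request(op_endpoint, return_to, realm):
    """Build the checkid_setup redirect URL an RP sends for directed identity.
    Both claimed_id and identity are identifier_select: the RP does not know
    who the user is yet and lets the OP choose the identifier."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    separator = "&" if "?" in op_endpoint else "?"
    return op_endpoint + separator + urlencode(params)


def assertion_matches_discovery(asserted_op_endpoint, claimed_id_xrds):
    """RP-side check after a directed-identity response: the OP that signed
    the assertion must be the OP that discovery on the asserted claimed_id
    resolves to.  Without this, any OP could assert someone else's identifier.
    claimed_id_xrds is the XRDS a real RP would fetch by discovery on the
    asserted openid.claimed_id; here it is supplied directly."""
    discovered = find_op_endpoint(claimed_id_xrds)
    return discovered is not None and discovered == asserted_op_endpoint


if __name__ == "__main__":
    endpoint = find_op_endpoint(SAMPLE_XRDS)
    print(build_directed_identity_request(
        endpoint, "https://rp.example.org/return", "https://rp.example.org/"))
```

With a whitelist of the kind the quoted reply describes, the OP would answer this request with an error for any `openid.realm` not on its list, which is why publishing the XRDS for gmail.com before the whitelist is lifted would make the bare-domain login fail at unlisted RPs. The discovery check in `assertion_matches_discovery` is the RP's defence regardless of whitelisting: it is what stops a malicious OP from returning a positive assertion for a claimed_id that belongs to another OP.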