[OpenID] Combining Google & Yahoo user experience research
Peter Williams
pwilliams at rapattoni.com
Mon Feb 16 19:30:58 UTC 2009
I always find it useful to see how engineers in related disciplines address similar issues. The discovery of topologies hardly seems a feature novel to the web/openid, given 30 years of routing and key management experience addressing analogous topics.
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/ted.pdf (custom key management, for dynamic hub/spoke trust networks)
http://en.wikipedia.org/wiki/DMVPN (multipoint GRE for dynamic spoke-spoke interaction (e.g. AX))
http://www.cipheroptics.com/pdf/wp-ce_vs_dmvpn.pdf (comparison of scalable key management approaches to trust networking, designed for multicast scale distribution problems [unlike the above, which are OAUTH scale]).
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Nate Klingenstein
Sent: Wednesday, February 11, 2009 11:33 AM
To: Eric Sachs
Cc: OpenID List
Subject: Re: [OpenID] Combining Google & Yahoo user experience research
Eric,
That sort of a centralized discovery mediator is the model we've been working with for some time, originally termed a WAYF and now a DS. Ours have been federation-centric, generally all the schools in a particular country, but there's now active discussion of scaling that up to have a centralized service.
We've been trying to get rid of the centralized WAYF/DS for a long time for two main reasons. The first is that the lists are getting preposterously long, with many hundreds of providers. The second is that the service is likely to have a better idea which IdPs it's willing to accept, and can constrain the selections available in advance.
You abstract away the first problem by assuming a different entry point -- from the IdP rather than the RP -- but we've had difficulties with that in practice, because users like to go to services first. The second can always be caught when the user fails authorization, which is possibly even preferable from a UX perspective. Even if we must face the first problem head-on, I don't think it's serious enough to make the CDS solution less appealing than the alternatives.
This is one of the many reasons federations have proven much more important and resilient than we'd ever imagined as the global Shibboleth deployment has grown. It's not the sort of decentralized model that many would like to see, but I concur that it's the most likely and reasonable solution at present.
Thanks for the input,
Nate.
On 11 Feb 2009, at 19:14, Eric Sachs wrote:
The Google team believes that for IDP discovery, there are options that can be achieved without browser extensions. In general Google always prefers solutions that can be supported by the existing installed base of browsers (especially mobile devices), as opposed to requiring client side software installations.
Here is a link to one such proposal that is not specific to IDP discovery, but is designed to make a user's web browsing preferences more portable.
http://sites.google.com/site/oauthgoog/Home/pds