[OpenID] HTML-Based Discovery incompatibilities

Peter Williams pwilliams at rapattoni.com
Fri Jan 9 15:04:02 UTC 2009


If you had a magic wand to wave in the OAUTH + OpenID integration (which I hope happens),


1. Would you eliminate the concept of end-user controlled delegation?

Today, the ONLY way a user can express the requirement to have myopenid invoke https between the user's browser and myopenid for user authentication is through the user-controlled metadata used also for delegation.


2. Would you eliminate the concept of a user being able to require an OP to authenticate the user over https?

I ask these particular questions as many folk in more traditional TTP IDP community cultures feel end-users really ought to have NO say and NO control over those issues. They would typically argue that only "authorities" have a "proper" role in those areas, whether the authority is the RP, the OP or the vanity openid provider (i-broker/ISP).

They would argue that the end-user is NEVER an authority. Rather, the user has only one role: to be a subscriber to one of the other authorities' policies. Only if the authority can continually trust and verify the end-user against the policy would such an authority authorize the user to participate in the community. Without an explicit authorization, access to the interworking community will be denied by default.

From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Eran Hammer-Lahav
Sent: Thursday, January 08, 2009 1:32 PM
To: Martin Atkins
Cc: general at openid.net
Subject: Re: [OpenID] HTML-Based Discovery incompatibilities

The problem with OpenID, unlike most other protocols in this space, is that it is too close to the end-user surface.

So if this feature is not widely adopted, it leads directly to breaking the faith the end-user has in the entire protocol.
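To make the "user-controlled metadata" of the first question concrete, the following example is added here and is not code from the thread or from any OpenID library. It parses the HTML-based discovery link tags from a constructed identity page (OpenID 1.1 openid.server/openid.delegate and OpenID 2.0 openid2.provider/openid2.local_id, which sites often combine in one rel attribute) and reports whether the OP endpoint the user published is https; the page, hostnames and URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class OpenIDLinkParser(HTMLParser):
    """Collect <link rel=...> tags inside <head>; rel may hold several tokens."""

    def __init__(self):
        super().__init__()
        self.links = {}  # rel token -> first href seen for it
        self.in_head = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head and a.get("href"):
            # rel="openid.server openid2.provider" must yield both tokens
            for token in (a.get("rel") or "").lower().split():
                self.links.setdefault(token, a["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(html, claimed_id):
    """Return (protocol, op_endpoint, local_id, op_uses_tls) or None.

    OpenID 2.0 tags win over 1.1 tags when both are present; without a
    delegate/local_id the claimed identifier is used as the local id."""
    p = OpenIDLinkParser()
    p.feed(html)
    if "openid2.provider" in p.links:
        proto, endpoint = "2.0", p.links["openid2.provider"]
        local_id = p.links.get("openid2.local_id", claimed_id)
    elif "openid.server" in p.links:
        proto, endpoint = "1.1", p.links["openid.server"]
        local_id = p.links.get("openid.delegate", claimed_id)
    else:
        return None
    # The scheme of this user-published href is the only place the user
    # can require that the OP be contacted over TLS.
    return proto, endpoint, local_id, urlsplit(endpoint).scheme == "https"


# Constructed sample identity page (hostnames are placeholders).
SAMPLE_HTML = """<html><head>
<link rel="openid.server openid2.provider" href="https://op.example.net/server">
<link rel="openid.delegate openid2.local_id" href="https://op.example.net/u/alice">
</head><body>alice</body></html>"""

if __name__ == "__main__":
    print(discover(SAMPLE_HTML, "http://alice.example.org/"))
```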
