[OpenID] OpenID 2.1 Identifier Types --> WAS [Discovery for Email like identifiers]
Peter Williams
pwilliams at rapattoni.com
Fri Jun 5 03:50:28 UTC 2009
Luke,
I've yet to use facebook, and have no preconceptions about the firm. Don't attribute to me the anti facebook corporate attitudes I often see from others (who appear posturing, mostly). The facebook brand seems to evoke binary reactions. If it's just a bug it's just a bug, which is quite a different response to: well nobody wanted it anyway.
Supporting the hxri proxy is going to be faster than arguing about it, I'd venture.
In general, I like openid 2 (as specified). But I'm also an open systems security engineer, by training at least. If the spec says mandatory, it's mandatory. And that affects planning.
The (only) interesting area in openid is uci, which means id portability and thus delegation. It just so happens that delegation means discovery, which means rp sites have to have assurance that the xrd supplier is a valid authority for that namespace delegation. A million dns and novell and active directory deployers can attest to this, in parallel fields.
We know that rps have shown themselves unable to use https/ssl to test for xrd authority based on dns (as there is no means to distribute the ssl root keys of vanity sites to rps, forcing users into the arms of ttp ca firms like verisign which unfortunately impose a ttp's governing terms of reliance and use on the rps, rather than the user's terms - undermining the whole point of uci). And the excellent authority model built into xrds handling of a full xri resolver is evidently going nowhere, in openidland.
So this leaves me at a dilemma. The thrust of uci in the web theatre of operations depends on xrd, and xrd files now appear to no longer have an authority model. One of the bedrocks of the assurance model is apparently disappearing from the infrastructure. This means I -have- to scramble to replace it in the planning: for example using classical kerberos handoffs between namespace authorities, as is done scalably in the enterprise directory (ldap) world.
________________________________
From: Luke Shepard <lshepard at facebook.com>
Sent: Thursday, June 04, 2009 8:00 PM
To: chris.messina at gmail.com <chris.messina at gmail.com>; Peter Williams <pwilliams at rapattoni.com>
Cc: santrajan at gmail.com <santrajan at gmail.com>; general at openid.net <general at openid.net>
Subject: Re: [OpenID] OpenID 2.1 Identifier Types --> WAS [Discovery for Email like identifiers]
Thanks Chris.
Peter, OpenID support at Facebook is just a few engineers. I pushed out what I had and I've been working on the bugs, but wanted to do it in the context of the open source lib so my fixes could be contributed back to the community. The delegation support is a bug. XRI is a bug too, but a pretty low priority one as it adds complexity and I haven't seen more than a few people try it.
Why the constant allegations of bad intent? This is just how engineering works - sometimes stuff breaks and we iterate on it and fix it.
And yes, the spec is really hard to implement, with lots of use cases to support, so I did the parts I understood best first.
________________________________
From: general-bounces at openid.net <general-bounces at openid.net>
To: Peter Williams <pwilliams at rapattoni.com>
Cc: Santosh Rajan <santrajan at gmail.com>; general at openid.net <general at openid.net>
Sent: Thu Jun 04 19:48:02 2009
Subject: Re: [OpenID] OpenID 2.1 Identifier Types --> WAS [Discovery for Email like identifiers]
On Thu, Jun 4, 2009 at 7:40 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
Given the logic, should I guess now that google don't want the users to have op portability, and just "opted out" of that bit of discovery, intentionally breaking the delegation support in their op?
Do you mean Facebook?
But it's interesting to see which bits of uci are unpalatable to large corporations.
This wasn't a big company decision; this was simply Luke's decision in trying to make sense of the OpenID spec.
2.1 will drop delegation and xri, is my prediction. Xri (and hxri) will go completely and supporting portability will be made optional.
I certainly would prefer that delegation not be dropped, and will fight to prevent that from happening. Delegation is apparently one of the more challenging aspects of the spec as well, but I think with XRD-based discovery, it can stay — and should.
I don't know that anyone has proposed taking that out, nor do I think anyone wants to take that out.
XRI specifically hasn't taken off relative to OpenID itself — and it seems silly to keep features that clearly are not being asked for in the marketplace.
Chris
--
Chris Messina
Open Web Advocate
Website: http://factoryjoe.com
Blog: http://factoryjoe.com/blog
Twitter: http://twitter.com/chrismessina
Diso Project: http://diso-project.org
OpenID Foundation: http://openid.net
This email is: [ ] bloggable [X] ask first [ ] private
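The step both Peter and Chris are arguing over, the RP verifying that the OP which returns an assertion is actually the one the claimed identifier delegated to, is the "verify discovered information" check of OpenID Authentication 2.0 (section 11.2). The following is an added example, not code from this thread, from Facebook's implementation or from any OpenID library. It implements HTML-based discovery (section 7.3.3, the simpler sibling of XRD/Yadis discovery, using the `openid2.provider` and `openid2.local_id` link relations) and then checks a positive assertion against what discovery produced. The identifier page, the OP endpoint and both assertions are constructed; `alice.example`, `op.example` and `rogue.example` are placeholder hosts, not real services.

```python
"""RP-side OpenID 2.0 delegation check (added example; hosts are constructed)."""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class DiscoveredInfo:
    """What the RP learned about a Claimed Identifier during discovery."""
    claimed_id: str
    op_endpoint: str
    op_local_id: str  # equals claimed_id when the user is not delegating


class _LinkCollector(HTMLParser):
    """Collects <link rel=... href=...> tags; a rel attribute may hold several tokens."""

    def __init__(self) -> None:
        super().__init__()
        self.rels: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attributes = dict(attrs)
        rel, href = attributes.get("rel"), attributes.get("href")
        if not rel or not href:
            return
        for token in rel.split():
            # First declaration of a relation wins; later duplicates are ignored.
            self.rels.setdefault(token.lower(), href)


def discover_from_html(claimed_id: str, document: str) -> Optional[DiscoveredInfo]:
    """HTML-based discovery: openid2.provider names the OP endpoint, and
    openid2.local_id, when present, is the delegation target (the identifier
    the OP actually knows the user by). Returns None if the page carries no
    OpenID 2.0 provider link."""
    collector = _LinkCollector()
    collector.feed(document)
    provider = collector.rels.get("openid2.provider")
    if provider is None:
        return None
    local_id = collector.rels.get("openid2.local_id", claimed_id)
    return DiscoveredInfo(claimed_id, provider, local_id)


def verify_against_discovery(info: DiscoveredInfo,
                             response: Dict[str, str]) -> Tuple[bool, str]:
    """Section 11.2 consistency checks. The binding between the claimed
    identifier and its OP is whatever the RP fetched from the identifier's own
    page, so every identifier-related field of the assertion must match it;
    otherwise any endpoint could assert any identifier."""
    if response.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if response.get("openid.claimed_id") != info.claimed_id:
        return False, "claimed_id differs from the identifier discovery was run on"
    if response.get("openid.identity") != info.op_local_id:
        return False, "identity is not the OP-local identifier found in discovery"
    if response.get("openid.op_endpoint") != info.op_endpoint:
        return False, "assertion comes from an endpoint the identifier never delegated to"
    return True, "assertion consistent with discovered information"


# Constructed identifier page for https://alice.example/ that delegates to op.example.
ALICE_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example/server">
<link rel="openid2.local_id" href="https://op.example/users/alice">
</head><body>alice</body></html>"""

# Constructed positive assertion from the delegated-to OP (signature fields omitted).
GOOD_RESPONSE = {
    "openid.mode": "id_res",
    "openid.claimed_id": "https://alice.example/",
    "openid.identity": "https://op.example/users/alice",
    "openid.op_endpoint": "https://op.example/server",
}

# Same identifier asserted by an endpoint the page never delegated to: must be rejected.
SPOOFED_RESPONSE = dict(GOOD_RESPONSE, **{"openid.op_endpoint": "https://rogue.example/server"})


def demo() -> Tuple[bool, bool]:
    """Runs discovery on the constructed page and checks both assertions."""
    info = discover_from_html("https://alice.example/", ALICE_PAGE)
    assert info is not None
    return (verify_against_discovery(info, GOOD_RESPONSE)[0],
            verify_against_discovery(info, SPOOFED_RESPONSE)[0])


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two things the example deliberately leaves out, because they sit elsewhere in the protocol: the signature check on the assertion (association or `check_authentication`) and the `return_to`/nonce checks. It also makes Peter's point concrete rather than solving it: the consistency check is only as trustworthy as the fetch of the identifier page, so an RP that cannot establish who is authoritative for `alice.example` has verified a delegation it cannot vouch for.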