[OpenID] Community Opinion on OID 2.1 Discovery and Identifiers...

Breno de Medeiros breno at google.com
Fri Jun 5 22:25:36 UTC 2009 

We also just need a more readable spec. From my experience listening to many
confessions, it takes the average skilled web developer several months
before they can understand the differences between what identifiers are
displayed (claimed_id sans fragment), used to authenticate at the OP (local
id), at the RP (claimed id + fragment). Then there is the issue with OP
identifiers+identifier select, unsolicited assertions, etc.

Reading from the current spec all the possible flows that result in
obtaining this tripartite identity (displayed, local at OP, local at RP) and
convincing oneself that the whole thing is secure requires an exercise of
intense concentration and many, many passes through it. That is before we
get into details such as the fact that some URLs are machine generated and
ugly in displays, etc.

Adding some identifier abstraction might help to clarify things.

On Fri, Jun 5, 2009 at 3:03 PM, John Bradley <john.bradley at wingaa.com>wrote:

> David,
> I am on the modular spec side.  I believe that other auth methods could
> also be considered.
>
> I don't see why LID or others need to be excluded from the overall
> framework that is openID.
>
> I am referring to identifier abstraction to make certain that we clearly
> understand the need for a primary key vs a display identifier.
>
> We ran into this with XRI and the presumption that the claimed_id is what
> is displayed for the user.
>
> With XMPP identifiers you may have multiple identifiers that resolve to the
> same XRD and hence have the same claimed_id but may want your input
> identifier represented in some way.
>
> Perhaps we need more that one identifier at the API layer.
>
> What I am saying is that if the core spec assumes URI then there will be a
> built in bias as there is now.
>
> We need to consider how provider portability could
> be achieved or at-least not be precluded by core design choices.
>
> John B.
>
>
> On 5-Jun-09, at 4:27 PM, David Fuelling wrote:
>
> Replies inline...
>
> On Fri, Jun 5, 2009 at 7:28 PM, John Bradley <john.bradley at wingaa.com>wrote:
>
>> David,
>> I tried to vote but RPX and Jyte seems to have some issue with me :)
>>
>
> Wierd, aren't those two products made by the same company?
>
>
>>
>> One option that should be discussed is abstracting all identifiers out of
>> the core spec.
>>
>
> +1
>
>
>>
>> When I originally proposed that last year in the early 2.1 discussions it
>> was rejected.
>>
>> Unless we have some reasonable abstraction layer for identifiers adding
>> new ones will never work properly.
>>
>
> Can you detail this a bit more?  Maybe I'm missing something, but if 2.1
> says something like, "an identifier that can be resolved to an XRD document
> is can be used", wouldn't this work?  If we have an XRD, then we should be
> able to do the OpenID dance.
>
>
>
>>
>> My proposal is that all identifiers including URL are removed from the
>> core spec and placed in there respective binding extension documents.
>>
>
> I am open to this.  More and more I'm leaning towards the idea that their
> should be "Identifier" parity...namely, if you can give me an XRD, then you
> can be my identifier (somebody should write a song with that title).
>
> If this is rejected due to the argument that developers are only willing to
>> read one document, then my argument that leaving URL in the core spec makes
>> all the other identifiers second class citizens is proved.
>>
>
> I think the JSF (XMPP) has disproved this, at least from the perspective
> that a successful spec can have a "core", with supplemental pieces of the
> spec.  Whether or not XMPP is more difficult to understand than OpenID is
> debatable.
>
>
>> This again raises the question of what is openID.  Is it an authentication
>> protocol,  a discovery methodology,  a Identity abstraction layer for
>> applications,  or a marketing term?
>>
>
> I think OpenID is a little bit of each.
>
> I might re-frame the question to be "how to we enable OpenID to play in all
> of these different areas".  I think a good solution would be a more modular
> spec.
>
>
>>
>> I think we need to understand the answers to the latter questions before
>> deciding what should be in the core spec.
>>
>> John B.
>>
>> On 5-Jun-09, at 3:00 PM, general-request at openid.net wrote:
>>
>> Date: Fri, 5 Jun 2009 18:51:48 +0000
>> From: David Fuelling <sappenin at gmail.com>
>> Subject: [OpenID] Community Opinion on OID 2.1 Discovery and
>> Identifiers...
>> To: general at openid.net
>> Message-ID:
>> <51dae84d0906051151i24578169l2595c9d4e291bb1d at mail.gmail.com>
>> Content-Type: multipart/alternative;
>> boundary=0016364582b282ac08046b9e62a0
>>
>> --0016364582b282ac08046b9e62a0
>> Content-Type: text/plain; charset=ISO-8859-1
>> Content-Transfer-Encoding: 7bit
>>
>> The point below (about the community needing to decide if it's going to
>> support webfinger) is just one of many questions I'd like community to
>> decide concerning OID Auth 2.1 Discovery and Identifier support.
>>
>> Maybe this is where a WG should be formed....I'm not really sure.  It
>> seems
>> kind of backwards to form a working group about something like email
>> identifiers (e.g.) and then come back to the community with some decision.
>> It seems like the community should reach some consensus first, and then we
>> start a WG.  Perhaps I have the wrong notion of what a Working Group is.
>>
>> At any rate, *in the absence of a WG* on any of these issues, I'm curious
>> to
>> know the community's opinion on these questions so we can all know what
>> the
>> general consensus is.
>>
>> So, at the risk of igniting a firestorm, I created a bunch of Jyte claims
>> and embedded them in the wiki.  Please share your vote (and thus your
>> opinion) if you so wish.
>>
>> https://openid.pbworks.com/Identifier-and-Discovery-2_1-Questions
>>
>> Also, please note that I'm not authoritative about the questions.  Feel
>> free
>> to embed your own claim into the wiki page (though I tried to be fair in
>> the
>> framing of the questions).
>>
>> David
>>
>> On Fri, Jun 5, 2009 at 4:38 AM, Santosh Rajan <santrajan at gmail.com>
>> wrote:
>>
>>
>>
>> On Tue, Jun 2, 2009 at 11:33 PM, Dirk Balfanz <balfanz at google.com> wrote:
>>
>>
>> I Webfinger gives you everything you need. The OpenID community just needs
>>
>> to decide whether the email-like identifiers falling out of webfinger are
>>
>> acceptable OpenIDs.
>>
>>
>>
>>
>> I think you have a raised a very valid issue here. I didn't realize that
>>
>> first time round. You are right. I don't see any point in continuing with
>>
>> the email issue without a clear answer to this question.
>>
>>
>> _______________________________________________
>>
>> general mailing list
>>
>> general at openid.net
>>
>> http://openid.net/mailman/listinfo/general
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>>
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>


-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090605/3e061f7c/attachment.htm>

More information about the general mailing list