[OpenID] Fwd: [OpenID Foundation] New Poll Opened

Peter Williams pwilliams at rapattoni.com
Sat Mar 21 02:39:15 UTC 2009


A debate on a WG formation (note the subject) should be philosophical (and a touch political). One is really analyzing the intended output, and the stated motives and background of the proponents. Since the work has not been done, there is nothing else to comment on - other than the charter.

Try not to assume malice; it's almost always incompetence for my part. I have two callings: get google to do websso for "consumers" and send us assertions I can consume (without becoming bound to legal/policy rules that my customers will reject), and let 1,000,000 realtors be their own OP and their own RP. I need both peer-peer and openid.

As it stands today, we are doing SAML for the realtors (more peer peer, with very personal brands/trust), and hoping to do openid for the consumers (more about mega-portal with massive commercial brands and reach)


From: Breno de Medeiros [mailto:breno at google.com]
Sent: Friday, March 20, 2009 7:14 PM
To: Peter Williams
Cc: general at openid.net
Subject: Re: [OpenID] Fwd: [OpenID Foundation] New Poll Opened

It is interesting how a discussion on a relatively simple extension proposal which was motivated by:

1. Users saying in usability study after usability study that they are more comfortable with the Facebook-Connect style login flow than the full browser redirect model.

2. Potential RPs demanding popup UI flows in order to adopt the scheme as they do not want their users to lose the context of their site.

3. IDPs listening to the same demand again and again and deciding to propose an _optional_ feature that RPs can choose to interact with their users

Became a philosophical discussion on issues from user-centric philosophy to anti-phishing to trust models on certificates.

Reality: The proposed WG suggests that RPs who want to can add a couple of parameters to their URL requests to indicate to OPs (that advertise the feature) that they embraced a fancy-dancy popup UI that makes their users happier. They could already do this by hardcoding window sizes for the OPs that they care about. IDPs could just document their favorite window sizes as non-standard "enhancements" and force RPs (at least those who care for their users) to embrace per-OP customization of window sizes as a fait accompli.

Perception: Run for the hills: OpenID is being corrupted! It will become a phishing haven! It has sold its soul!

Or, as every San Franciscan knows it: The city was best when I moved in, and has gone downhill ever since. :)

On Fri, Mar 20, 2009 at 6:44 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
Openid clearly started with the OP being someone's blogsite - expecting there to be millions of OPs (i.e. you and me) and an equal number of RPs. Clearly, vanity delegation was nothing more than adding a few meta tags to your blog's html home page, giving one the ability to use various of your blog site URLs facilitating portability. Even I managed to test all that (in its essentially original openid1.1 form), and I'm technically incompetent. And RP was an authenticated comment handler ...on someone's blog site. If the blog provider was hosted (by blogspot), fine. Or, a wordpress installation of a blog server on your enterprise gateway was just as legitimate to hosted blogs in livejournal, say. Host a server yourself or be a tenant of a blogservice - it made no difference to your status as an OP.

Now, we never hear of that world any longer. The founders seem to change orientation, right about the time I started focusing on openid. And to be fair, it was and still is the mega-OP with openid2 capabilities that drives our commercial interest (seeing as they can now handle the ~6 million accounts of users who occasionally come to our site, now to authenticate using websso - or "identity verification"). At the same time, for realtors themselves (vs the public who search realtor listings), the peer-peer model is also important; and there are a million of these (each with their own web2.0 portal, offering a variety of "professional" services to their homeowner clients).

Since Openid2, all I ever hear is about yahoo, paypal, google, facebook, myspace and live - who will each govern (n00 million) users. The users (and nominal owners of a blog site) are no longer the OP: s/he is merely a "subscriber" to an OP service - which will "speak for" the "site owner" under their brand rather than the individual's "brand". The rules and interaction with an RP will be the OP's decision (no longer the subscriber). If the subscriber wants to do this or that trust model with the RPs, it is now irrelevant. You want to use Yahoo, it WILL be ssl and their UI design rules (whether the original OP/site wants it, or not).

Am I wrong that the founders (who obviously knowingly migrated to the world of openid2, and directed id in particular) changed focus? Did you move the notion of OPs from being those x00,000 owners of blog sites (who can set their own policy) to the (small number of) large portal firms that now host n00,000 "tenants" each - all acting under a single brand and security policy?


> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Martin Atkins
> Sent: Friday, March 20, 2009 4:27 PM
> To: general at openid.net
> Subject: Re: [OpenID] Fwd: [OpenID Foundation] New Poll Opened
>
> Peter Williams wrote:
> >
> > OpenID on the
> > other hand started peer/peer, and is rapidly heading into the TTP space
> > (where I suspect its founders wanted it all along).
> >
>
> Your suspicions are incorrect.
>
> Its "founders" (which I choose to understand as those who started the
> project, which started with Brad Fitzpatrick and fanned out to a number
> of others including myself) imagined it originally as a solution to the
> problem of allowing users of LiveJournal.com to leave comments on
> DeadJournal.com and vice-versa; that it ended up being a user-centric,
> decentralized system is largely a symptom of the culture of the
> LiveJournal developers.
>
> The original OpenID was designed to operate without SSL at all, with
> parties establishing associations on the fly with no verification, and
> it remains that way today on LiveJournal.com. Some folks wanted the
> benefits that SSL brings, and that's fine... no-one's forcing you to use
> SSL right now. I fought SSL being a requirement for OpenID 2.0 and I
> will continue to fight it as I believe it should be up to each party to
> decide whether it needs the benefits SSL provides.
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general



--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)