[OpenID] About Google, Yahoo, Facebook and OpenID

Peter Williams pwilliams at rapattoni.com
Thu May 21 15:15:52 UTC 2009 

You really need to reason from text in the standard, that the RP is or is not conforming. yes openid is "social" - but its also a protocol - just like any other.

I find your analysis interesting, but they do tend to come across as a rant. Rants rarely convince, though _can_ get the emotion of a point across, if used occasionally.

I think you  are saying that an RP (Facebook) maintains, on behalf of an RP-provisioned account, a XRDS file. And, I think you are saying that the RP provides users with a URL to that XRDS File (which is populated with service elements facilitating openid delegation to an OP [from a limited set of allowed OPs] that the user has bound to their RP-provisioned account.).

If that's all true, the practice is fine, architecturally. I want to do the same (as an RP with 16M visitors), and have stated so before. As we have not done it yet, I cannot say whether users would own the resource (so they can change the service elements, possbly using a wizard we provide). But, that would be my initial outlook. Then, in my view, we would be adding something "social" to the UCI space.

If anyone does that, there are merely doing what the XRI resolution infrastructure was supposed to be adding to openid auth (meta addressing resolution) - where that the the XRD sequence is being managed by simpler (but YADIS-conforming) means. Dont forget that the XRI meta-addressing servers dont have to be operated by the OPs. That service can be operated by anyone (including RPs), whose resolution service at the end of the day can even redirect resolution of an XRI to a  YADIS URL (as we tried for real with Plaxo, 18m ago).

IN my view, the really fun part of openid "social" media space is the relationship with XRI (even if URLs are used in the role that XRIs were destined for). Its in that space were novel, ad non-proprietary trust models will be invented, that go beyond simple hub/spoke and federated cross-forest trusts, break out of B2B, and will address the "web".

________________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Santosh Rajan [santrajan at gmail.com]
Sent: Thursday, May 21, 2009 6:07 AM
To: general at openid.net
Subject: [OpenID]  About Google, Yahoo, Facebook and OpenID

Facebook's support for OpenID may have some worrying prospects for Google,
Yahoo, Microsoft  and other major email providers, who would like to be
OpenID providers.

Even though everyone says Facebook is now an OpenID RP, I dont agree with
that. What Facebook does is only grock the users browser login status, and
logs the user in if he has delegated that provider to Facebook. It does not
work in many cases and I am not impressed with their implementation, and
have said as much in my
http://santrajan.blogspot.com/2009/05/facebook-support-for-openid-where.html
earlier posts .

So what is it that is going to be of a concern for Google, Yahoo etc?

Whether by design or by accident, what really Facebook has done, is to
become an OpenID discovery and delegation provider for all its users. ie.
Facebook users can now point to their Openid provider and also indicate
their prefered provider in case they have more than one. This is
significant. Because the primary problem to be solved for OpenID is
discovery and delegation, and Facebook does it for its users.

Now all Facebook has to do is "Switch On" OpenID for Facebook Connect and
Voila! You have 250 million users ready with single sign on with Facebook
Connect! Throw in 250 million verified email addresses for good measure. (I
am not sure all these are verified, but I can say they did verify mine).

If major RP's are not already salivating at the prospects, then they will
soon. And this is not really all that bad. If you don't mind Facebook being
your centralized mechanism for OpenID discovery and if they are the closest
you can get to one, then why not?

Now you know why Google, Yahoo etc need to be concerned. But there are other
options. One is the
http://santrajan.blogspot.com/2009/05/case-for-openemailid.html OpenEmailID
i have suggested in an earlier post, where the onus on discovery rests with
the RP. An even better Option is the  http://code.google.com/p/webfinger/
WebFinger protocol , where the onus on discovery lies with the email
provider for email addresses as identities.

Whatever happens I think it is high time Google, Yahoo etc move ahead with
providing discovery for their users.

The OpenID community must come to a concrete decision on which way they must
go and go after their objective as fast as possible.



-----

Santosh Rajan
http://santrajan.blogspot.com http://santrajan.blogspot.com
--
View this message in context: http://www.nabble.com/About-Google%2C-Yahoo%2C-Facebook-and-OpenID-tp23652873p23652873.html
Sent from the OpenID - General mailing list archive at Nabble.com.

_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general

More information about the general mailing list