[OpenID] user centric delegation vs portability: LRDD : competing threats: the consumer's fear hypothesis

Peter Williams home_pw at msn.com
Sun Oct 25 22:57:28 UTC 2009 

I found the writeup at http://hueniverse.com/2009/09/openid-and-lrdd/
convincing, technically. It moved the whole set of technical delegation
issues forward. It told a story. It was well written.

A. It reminded me of what Ping Identity once proposed for
dynamically-sharing SAML metadata between IDPs and (affiliations of) SP: 
use a url-factory rule to deduce a URI from a domain name, get metadata from
said URL, and apply https/domain-cert controls to test for a saml entities
authority... to make assertions for that domain name. Optionally, sign the
metadata (much as one optionally signs XRDs). All Pretty obvious stuff
...but effective.

B. It reminded me of the leap forward of myopenid, when hosting outouurced
OPs via OPX (which uses DNS control principles to enable domain admins to
prove the delegated domain is authorizing the outsourcer to speak for it). 

C. And, it reminded me of openid2, in that there are various flow fallbacks.
These allows communities to choose different flows (and thereby address
different players issue sets) when delegating and locating providers.

What I didnt like what the bias I heard throughout the writeup - concerning
the criteria I described in C. 

Unlike the openid communities traditional mission (empower users, and give
them control over their data and names), there was a fear message at the
heart of it: focus on all that which COULD go wrong. And into that fear
rides the fearless knight on a white horse... the OP.

The fear said, users are easily duped and cannot in any case be trusted to
get it right - unlike the corporate CISO in whom we must trust. (Peter is a
CISO, by the way). Furthermore, we will bias the fallbacks so corporate CIOs
can control, before users control. If this was law, folks just coded their
bias in favor of the CIO and against the user/subscriber - through the
formulation of the legal presumptions.

Now, this bias may well be fine (if your audience is corporate buyers of
outsourced apps, leveraging openid protocols to get login sessions and
attributes). And, perhaps that is who the vendor is pitching its LRPP
technology to . 

But, surely, the openid movement more generally needs to be focussed more
widely than only corporate sales -it also has consumer interests to
consider. If it fails here, it will risk falling into the pit that SAML fell
into - and fail to stay current with the larger currents of the web itself.
Historically (in the years before openid challenged SAML), every corporate
SAML link took a year, cost a million, was the bane of the CIO life, and
noone did two if they could avoid it. 

Now, as oft associated with the Facebook brand, there are interplays between
the corporate control and consumer rights - particularly over data ownership
and identity control isues. And some mega-brands do better than others in
getting the balance right (and some actively hamper the user when
dis-associating from the brand, once things go sour). Some brands infamously
create explicit exit barriers (preventing you from exporting your contacts
to a file, say, or impose legal controls that limit just who you may (NOT)
choose to also work with).

When considering whether LRPP MAY be right for openid movement, we must
reflect that the openid movement is -or at least WAS - in the middle of
these issues, and took a position. It traditionally allowed for identifier
portablity and data rights. If you were to lose rights of access at an OP
(paypal dumps peter for violating service rule X) ... delegation ensured
that this 1 OP's suspension of Peter made no difference to Peter's private
life and Peter's relationship with RPs (becuase the protocols automatically
fell back on the next OP to which peter had delegated YOUR name). Peter
either could take such pre-cautions, or not - depending on his needs.

What Im hearing in the LRPP story is not consistent with the original openid
user-centric story - targeting social networks (vs corporate application
outsourcing). The fear line seems to be implicitely denying the legitimacy
of user centric identity. In its marketing line, it seems to be saying that:
its far more important for consumers  to be free of fear, than be free of a
provider (when the relationship goes sour).

Interesting changes going on in this movement!







-- 
View this message in context: http://www.nabble.com/user-centric-delegation-vs-portability%3A-LRDD-%3A-competing-threats%3A-the-consumer%27s-fear-hypothesis-tp26052720p26052720.html
Sent from the OpenID - General mailing list archive at Nabble.com.

More information about the general mailing list