[OpenID] user centric delegation vs portability: LRDD : competing threats: the consumer's fear hypothesis

John Bradley ve7jtb at ve7jtb.com
Mon Oct 26 01:11:18 UTC 2009


Peter,

LRDD discovery will not remove the ability for users to delegate their
openID provider service to whomever they like.

That isn't to say that all the providers will support delegation.
That is a separate issue.

However there is no proven business model for users controlling their
own identifier. Users in general opted for free services that don't
allow for portability, rather than for the XRI model that allowed for
portability and independence from the Faustian bargain people have
struck with the social networks.

There were a lot of us who put a lot of effort into making openID user
centric rather than OP centric. At the end of the day people didn't
care.

Perhaps one day they will.

Nothing in personal delegation has been removed if you have your own
domain. Yes, users who don't have their own domain may lose the ability
to delegate if they don't control the domain. That was a risk they
always ran.

What has been added is the ability to delegate discovery of meta-data
for an entire domain.

So SMEs do gain something.

Perhaps XRI based iBrokers will make a comeback, or Chi.mp like
services for hosting personal XRD with email or URL identifiers. I
think they are an important option for people but I am not holding my
breath.

John B.




On 2009-10-25, at 7:57 PM, Peter Williams wrote:

>
> I found the writeup at http://hueniverse.com/2009/09/openid-and-lrdd/
> convincing, technically. It moved the whole set of technical delegation
> issues forward. It told a story. It was well written.
>
> A. It reminded me of what Ping Identity once proposed for
> dynamically-sharing SAML metadata between IDPs and (affiliations of) SP:
> use a url-factory rule to deduce a URI from a domain name, get metadata
> from said URL, and apply https/domain-cert controls to test for a SAML
> entity's authority... to make assertions for that domain name. Optionally,
> sign the metadata (much as one optionally signs XRDs). All pretty obvious
> stuff ...but effective.
>
> B. It reminded me of the leap forward of myopenid, when hosting
> outsourced OPs via OPX (which uses DNS control principles to enable
> domain admins to prove the delegated domain is authorizing the
> outsourcer to speak for it).
>
> C. And, it reminded me of openid2, in that there are various flow
> fallbacks. These allow communities to choose different flows (and
> thereby address different players' issue sets) when delegating and
> locating providers.
>
> What I didn't like was the bias I heard throughout the writeup -
> concerning the criteria I described in C.
>
> Unlike the openid community's traditional mission (empower users, and
> give them control over their data and names), there was a fear message
> at the heart of it: focus on all that which COULD go wrong. And into
> that fear rides the fearless knight on a white horse... the OP.
>
> The fear said, users are easily duped and cannot in any case be trusted
> to get it right - unlike the corporate CISO in whom we must trust.
> (Peter is a CISO, by the way). Furthermore, we will bias the fallbacks
> so corporate CIOs can control, before users control. If this was law,
> folks just coded their bias in favor of the CIO and against the
> user/subscriber - through the formulation of the legal presumptions.
>
> Now, this bias may well be fine (if your audience is corporate buyers
> of outsourced apps, leveraging openid protocols to get login sessions
> and attributes). And, perhaps that is who the vendor is pitching its
> LRPP technology to.
>
> But, surely, the openid movement more generally needs to be focussed
> more widely than only corporate sales - it also has consumer interests
> to consider. If it fails here, it will risk falling into the pit that
> SAML fell into - and fail to stay current with the larger currents of
> the web itself. Historically (in the years before openid challenged
> SAML), every corporate SAML link took a year, cost a million, was the
> bane of the CIO's life, and no one did two if they could avoid it.
>
> Now, as oft associated with the Facebook brand, there are interplays
> between the corporate control and consumer rights - particularly over
> data ownership and identity control issues. And some mega-brands do
> better than others in getting the balance right (and some actively
> hamper the user when dis-associating from the brand, once things go
> sour). Some brands infamously create explicit exit barriers (preventing
> you from exporting your contacts to a file, say, or impose legal
> controls that limit just who you may (NOT) choose to also work with).
>
> When considering whether LRPP MAY be right for the openid movement, we
> must reflect that the openid movement is - or at least WAS - in the
> middle of these issues, and took a position. It traditionally allowed
> for identifier portability and data rights. If you were to lose rights
> of access at an OP (paypal dumps peter for violating service rule X)
> ... delegation ensured that this 1 OP's suspension of Peter made no
> difference to Peter's private life and Peter's relationship with RPs
> (because the protocols automatically fell back on the next OP to which
> peter had delegated YOUR name). Peter either could take such
> precautions, or not - depending on his needs.
>
> What I'm hearing in the LRPP story is not consistent with the original
> openid user-centric story - targeting social networks (vs corporate
> application outsourcing). The fear line seems to be implicitly denying
> the legitimacy of user centric identity. In its marketing line, it
> seems to be saying that: it's far more important for consumers to be
> free of fear, than be free of a provider (when the relationship goes
> sour).
>
> Interesting changes going on in this movement!
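Added example, not code from either post or from the LRDD writeup they discuss: a toy Python discovery routine modelling the two delegation paths being argued over, a user's own OpenID 2.0 delegation tags on a domain they control, and the domain-wide host-meta fallback that LRDD adds, with the same-host/https check Peter's point A calls for. The hostnames, documents and the precedence order are constructed assumptions for illustration, not the spec's wording.

```python
import re
from urllib.parse import urlparse

# Constructed sample documents, keyed by URL (not taken from the list posts).
DOCS = {
    # A user who controls their own domain: per-identifier delegation tags.
    "https://peter.example/":
        '<link rel="openid2.provider" href="https://op-b.example/server">'
        '<link rel="openid2.local_id" href="https://op-b.example/peter">',
    # A hosted domain whose admin delegated discovery for the whole domain.
    "https://hosted.example/.well-known/host-meta":
        '<XRD><Link rel="http://specs.openid.net/auth/2.0/server"'
        ' href="https://op-a.example/server"/></XRD>',
    "https://hosted.example/alice": "<html><head></head></html>",
}

def fetch(url):
    """Stand-in for an HTTPS fetch; None when the document does not exist."""
    return DOCS.get(url)

def user_page_delegation(doc):
    """OpenID 2.0 HTML delegation: the user's own page names the OP."""
    links = dict(re.findall(r'<link rel="(openid2\.\w+)" href="([^"]+)"', doc))
    if "openid2.provider" not in links:
        return None
    return {"source": "user-page", "op": links["openid2.provider"],
            "local_id": links.get("openid2.local_id")}

def host_meta_delegation(host):
    """Domain-wide fallback: host-meta fetched from that host itself over https,
    so a domain can only ever speak for its own names, never for another's."""
    doc = fetch(f"https://{host}/.well-known/host-meta")
    if doc is None:
        return None
    m = re.search(r'<Link rel="http://specs\.openid\.net/auth/2\.0/server"'
                  r' href="([^"]+)"', doc)
    return {"source": "host-meta", "op": m.group(1), "local_id": None} if m else None

def discover(identifier):
    """Assumed precedence (an illustration, not the LRDD spec's wording):
    delegation on the user's own page wins; the domain's host-meta is only
    the fallback when that page says nothing."""
    parts = urlparse(identifier)
    if parts.scheme != "https":
        return None  # metadata fetched over plain http could be tampered with
    doc = fetch(identifier)
    result = user_page_delegation(doc) if doc else None
    return result or host_meta_delegation(parts.netloc)
```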
