[OpenID] Definition of OpenID

Paul Madsen paulmadsen at rogers.com
Tue Jun 8 13:32:32 UTC 2010


In the technical definition for OAuth, is it not '_to_ desktop and 
web-based applications'?

paul

On 08/06/2010 8:32 AM, Andy Powell wrote:
>
> I suspect we need at least two variants, one for a general audience 
> and one more technically correct ;-).
>
> I find your proposed wording for OAuth ("/OAuth is a protocol that 
> allows one to delegate the access authorization to a resource to a 
> third party/") somewhat problematic since it's not overly clear what 
> is being delegated to who?  Tbh, I prefer the current wording at 
> http://oauth.net/ ("/An open protocol to allow secure API 
> authorization in a simple and standard method from desktop and web 
> applications/") -- I think there is a subtle distinction between 
> 'allowing authorization' and 'doing authorization' which makes this 
> wording OK.
>
> On that basis, how about something like the following:
>
> *General audience*
>
> OpenID allows you to use an existing website account to sign in to 
> multiple other websites, without needing to create any new passwords.
>
> OAuth allows you to access a website using a desktop or web-based 
> application, without needing to type the username and password for 
> that website into the application.
>
> *Technical audience*
>
> OpenID is an open standard digital identity framework that allows 
> attributes about an authenticated user to be passed from one website 
> (the OpenID provider) to another (the relying party), usually for the 
> purposes of authorizing access.
>
> OAuth is an open standard protocol that allows simple and secure API 
> authorization from desktop and web-based applications.
>
> ??
>
> Andy
>
> --
>
> Andy Powell
>
> Research Programme Director
>
> Eduserv
>
> t: 01225 474319
>
> m: 07989 476710
>
> twitter: @andypowe11
>
> blog: efoundations.typepad.com
>
> www.eduserv.org.uk
>
> *From:* openid-general-bounces at lists.openid.net 
> [mailto:openid-general-bounces at lists.openid.net] *On Behalf Of *Nat 
> Sakimura
> *Sent:* 08 June 2010 11:35
> *To:* David Recordon
> *Cc:* openid-general at lists.openid.net
> *Subject:* Re: [OpenID] Definition of OpenID
>
> Would love to have a more readable rewrite.
>
> We should make an authoritative punch line that we can use at many 
> places, including Wikipedia.
>
> =nat
>
> On Tue, Jun 8, 2010 at 4:40 PM, David Recordon <recordond at gmail.com> wrote:
>
> We wrote http://openid.net/get-an-openid/what-is-openid/ a year or two
> ago. It's far more of a product definition than a technical one, but
> supports what you wrote. Ever since we made OpenID 2.0 extensible and
> a combination of other technologies a few years ago it's been a
> framework.
>
> As you point out, OpenID has never done user authentication itself.
> Rather that's handled by cookies, passwords, tokens, certs, etc.
> OpenID does however perform authentication from the provider to the
> relying party once the user has authenticated and granted
> authorization.
>
> So yes, I agree with your definitions but would rewrite them and
> clarify the intended audience. (Unfortunately 1am isn't a good time
> for me to propose better wording.)
>
> --David
>
>
>
> On Tue, Jun 8, 2010 at 12:31 AM, Nat Sakimura <sakimura at gmail.com> wrote:
> > Many people say that OpenID is for Authentication and OAuth is for
> > Authorization.
> > This does not seem to be an accurate statement.
> > In fact, OpenID does not do the "authentication" in the narrow meaning and
> > OAuth does not do the "authorization" in the narrow meaning.
> > A more accurate characterization would be something like:
> > OpenID is a Digital Identity Framework that conveys the authorization
> > decision and identity attributes/data of an authenticated identity from the
> > identity provider (OpenID provider, OP) to a requesting party called relying
> > party (RP).
> > OAuth is a protocol that allows one to delegate the access authorization to
> > a resource to a third party. (<= need better wording.)
> > Any discussion?
> >
> > --
> > Nat Sakimura (=nat)
> > http://www.sakimura.org/en/
> > http://twitter.com/_nat_en
> >
>
> > _______________________________________________
> > general mailing list
> > general at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-general
> >
> >
>
>
>
>
> -- 
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> http://twitter.com/_nat_en
>
>

