[OpenID] Definition of OpenID

Nat Sakimura n-sakimura at nri.co.jp
Wed Jun 9 06:22:59 UTC 2010


(2010/06/08 21:32), Andy Powell wrote:
>
> I suspect we need at least two variants, one for a general audience 
> and one more technically correct ;-).
>
> I find your proposed wording for OAuth ("/OAuth is a protocol that 
> allows one to delegate the access authorization to a resource to a 
> third party/") somewhat problematic since it's not overly clear what 
> is being delegated to whom.  Tbh, I prefer the current wording at 
> http://oauth.net/ ("/An open protocol to allow secure API 
> authorization in a simple and standard method from desktop and web 
> applications/") -- I think there is a subtle distinction between 
> 'allowing authorization' and 'doing authorization' which makes this 
> wording OK.
>
> On that basis, how about something like the following:
>
> *General audience*
>
> OpenID allows you to use an existing website account to sign in to 
> multiple other websites, without needing to create any new passwords.
>
To me, this emphasizes the "login" too much. OpenID is not about login.

From my experience, "General Audience" is too broad. When I am forced 
to speak about it, I change my explanation.

For example, to explain it to a mom with a kid who plays Nintendo's Wii,
I go like:

Me: "Do you know Wii?"
Mom: "Yes!"
Me: "Then you must know Mii."
Mom: "Of course!"
Me: "You created Mii because you just cannot get into the machine. So, 
Mii looks like you, has your nickname, and so on. If you are playing Wii 
Fit, it records your weight and other activity logs, and you go to games 
using your Mii. At the game, the Mii tells the game keeper the required 
information on behalf of you. In fact, Mii is yourself in Wii. That's 
called Digital Identity. Do you get it?"
Mom: "Sure."
Me: "To use your Mii, you have to establish your right to control that 
Mii. Usually, you do this with PIN on the remote.
That is called Authentication."
Mom: "OK. That's easy."
Me: "Unfortunately, Mii can only live in Nintendo Wii. It just cannot 
live in any other place.
To make it possible for Mii to go to various places on the internet, 
those places must understand Mii.
To make this work, we have to 'open up' Mii so that everybody can understand 
what that Mii is saying or doing.
That's OpenMii. OpenID is one such thing, a standardized Digital 
Identity for the Internet."

It seems to work remarkably well on those moms and kids.
At the same time, it does not work for somebody who never saw a Mii.


> OAuth allows you to access a website using a desktop or web-based 
> application, without needing to type the username and password for 
> that website into the application.
>
What about "without telling the username and password to that application"?
>
> *Technical audience*
>
> OpenID is an open standard digital identity framework that allows 
> attributes about an authenticated user to be passed from one website 
> (the OpenID provider) to another (the relying party), usually for the 
> purposes of authorizing access.
>
We need to include the "user control/authorization of the attribute 
release". It is one of the most important concepts around OpenID. 
"usually for the purposes of authorizing access" is a bit confusing. We 
need to specify who is authorizing what access, if we were to write it.

What about something like:

OpenID is an open standard Digital Identity Framework that passes the 
authorization decision and attributes/data of an authenticated user from 
one website (the OpenID provider) to another (the relying party).
>
> OAuth is an open standard protocol that allows simple and secure API 
> authorization from desktop and web-based applications.
>
The main concept of OAuth, access authorization __delegation__, is 
gone from this definition.

What about this:

"OAuth is an open standard protocol that allows the access authorization 
to an API to be given to an application without disclosing the user's 
credential."
>
> ??
>
> Andy
>
> --
>
> Andy Powell
>
> Research Programme Director
>
> Eduserv
>
> t: 01225 474319
>
> m: 07989 476710
>
> twitter: @andypowe11
>
> blog: efoundations.typepad.com
>
> www.eduserv.org.uk <http://www.eduserv.org.uk>
>
> *From:* openid-general-bounces at lists.openid.net 
> [mailto:openid-general-bounces at lists.openid.net] *On Behalf Of *Nat 
> Sakimura
> *Sent:* 08 June 2010 11:35
> *To:* David Recordon
> *Cc:* openid-general at lists.openid.net
> *Subject:* Re: [OpenID] Definition of OpenID
>
> Would love to have a more readable rewrite.
>
> We should make an authoritative punch line that we can use at many 
> places, including Wikipedia.
>
> =nat
>
> On Tue, Jun 8, 2010 at 4:40 PM, David Recordon <recordond at gmail.com 
> <mailto:recordond at gmail.com>> wrote:
>
> We wrote http://openid.net/get-an-openid/what-is-openid/ a year or two
> ago. It's far more of a product definition than a technical one, but
> supports what you wrote. Ever since we made OpenID 2.0 extensible and
> a combination of other technologies a few years ago it's been a
> framework.
>
> As you point out, OpenID has never done user authentication itself.
> Rather that's handled by cookies, passwords, tokens, certs, etc.
> OpenID does however perform authentication from the provider to the
> relying party once the user has authenticated and granted
> authorization.
>
> So yes, I agree with your definitions but would rewrite them and
> clarify the intended audience. (Unfortunately 1am isn't a good time
> for me to propose better wording.)
>
> --David
>
>
>
> On Tue, Jun 8, 2010 at 12:31 AM, Nat Sakimura <sakimura at gmail.com 
> <mailto:sakimura at gmail.com>> wrote:
> > Many people say that OpenID is for Authentication and OAuth is for
> > Authorization.
> > This does not seem to be an accurate statement.
> > In fact, OpenID does not do the "authentication" in the narrow
> > meaning and OAuth does not do the "authorization" in the narrow meaning.
> > A more accurate characterization would be something like:
> > OpenID is a Digital Identity Framework that conveys the authorization
> > decision and identity attributes/data of an authenticated identity from the
> > identity provider (OpenID provider, OP) to a requesting party called relying
> > party (RP).
> > OAuth is a protocol that allows one to delegate the access authorization to
> > a resource to a third party. (<= need better wording.)
> > Any discussion?
> >
> > --
> > Nat Sakimura (=nat)
> > http://www.sakimura.org/en/
> > http://twitter.com/_nat_en
> >
>
> > _______________________________________________
> > general mailing list
> > general at lists.openid.net <mailto:general at lists.openid.net>
> > http://lists.openid.net/mailman/listinfo/openid-general
> >
> >
>
>
>
>
> -- 
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> http://twitter.com/_nat_en
>
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>    


-- 
Nat Sakimura (n-sakimura at nri.co.jp)
Nomura Research Institute, Ltd.
Tel:+81-3-6274-1412 Fax:+81-3-6274-1547

PLEASE READ:
The information contained in this e-mail is confidential and intended for the named recipient(s) only.
If you are not an intended recipient of this e-mail, you are hereby notified that any review, dissemination, distribution or duplication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately and delete your copy from your system.
