[OpenID] Definition of OpenID
Thomas Hardjono
identity at hardjono.net
Wed Jun 9 13:38:36 UTC 2010
Apologies for my newbie question: are we defining OAuth here? (i.e. are we
talking about the same OAuth 2.0 that is being developed in the IETF, or is
it a different OAuth?)
Thanks.
/thomas/
From: openid-general-bounces at lists.openid.net
[mailto:openid-general-bounces at lists.openid.net] On Behalf Of Nat Sakimura
Sent: Wednesday, June 09, 2010 2:23 AM
To: openid-general at lists.openid.net
Subject: Re: [OpenID] Definition of OpenID
(2010/06/08 21:32), Andy Powell wrote:
I suspect we need at least two variants, one for a general audience and one
more technically correct ;-).
I find your proposed wording for OAuth ("OAuth is a protocol that allows one
to delegate the access authorization to a resource to a third party")
somewhat problematic since it's not overly clear what is being delegated to
who? Tbh, I prefer the current wording at http://oauth.net/ ("An open
protocol to allow secure API authorization in a simple and standard method
from desktop and web applications") - I think there is a subtle distinction
between 'allowing authorization' and 'doing authorization' which makes this
wording OK.
On that basis, how about something like the following:
General audience
OpenID allows you to use an existing website account to sign in to multiple
other websites, without needing to create any new passwords.
To me, this emphasizes the "login" too much. OpenID is not about login.
From my experience, "General Audience" is too broad. When I am forced to
speak about it, I change my explanation.
For example, to explain it to a mom with a kid who plays Nintendo's Wii,
I go like:
Me: "Do you know Wii?"
Mom: "Yes!"
Me: "Then you must know Mii."
Mom: "Of course!"
Me: "You created Mii because you just cannot get into the machine. So, Mii
looks like you, has your nickname, and so on. If you are playing Wii Fit, it
records your weight and other activity logs, and you go to games using your
Mii. At the game, the Mii tells the game keeper required information on
behalf of you. In fact, Mii is yourself in Wii. That's called Digital
Identity. Do you get it?"
Mom: "Sure."
Me: "To use your Mii, you have to establish your right to control that Mii.
Usually, you do this with PIN on the remote.
That is called Authentication."
Mom: "OK. That's easy."
Me: "Unfortunately, Mii can only live in Nintendo Wii. It just cannot live
in any other places.
To make it possible for Mii to go to various places in the internet, those
places must understand Mii.
To make it up, we have to 'open up' Mii so that everybody can understand
what that Mii is saying or doing.
That's OpenMii. OpenID is one such thing, a standardized Digital Identity
for the Internet."
It seems to work remarkably well on those moms and kids.
At the same time, it does not work for somebody who never saw a Mii.
OAuth allows you to access a website using a desktop or web-based
application, without needing to type the username and password for that
website into the application.
What about "without telling the username and password to that application"
Technical audience
OpenID is an open standard digital identity framework that allows attributes
about an authenticated user to be passed from one website (the OpenID
provider) to another (the relying party), usually for the purposes of
authorizing access.
We need to include the "user control/authorization of the attribute
release". It is one of the most important concepts around OpenID. "usually
for the purposes of authorizing access" is a bit confusing. We need to
specify who is authorizing what access, if we were to write it.
What about something like:
OpenID is an open standard Digital Identity Framework that passes the
authorization decision and attributes/data of an authenticated user from one
website (the OpenID provider) to another (the relying party).
OAuth is an open standard protocol that allows simple and secure API
authorization from desktop and web-based applications.
The main concept of OAuth, the access authorization __delegation__, is gone
from this definition.
What about this:
"OAuth is an open standard protocol that allows the access authorization to
an API to be given to an application without disclosing the user's
credential."
??
Andy
--
Andy Powell
Research Programme Director
Eduserv
t: 01225 474319
m: 07989 476710
twitter: @andypowe11
blog: efoundations.typepad.com
www.eduserv.org.uk
From: openid-general-bounces at lists.openid.net
[mailto:openid-general-bounces at lists.openid.net] On Behalf Of Nat Sakimura
Sent: 08 June 2010 11:35
To: David Recordon
Cc: openid-general at lists.openid.net
Subject: Re: [OpenID] Definition of OpenID
Would love to have a more readable rewrite.
We should make an authoritative punch line that we can use at many places,
including Wikipedia.
=nat
On Tue, Jun 8, 2010 at 4:40 PM, David Recordon <recordond at gmail.com> wrote:
We wrote http://openid.net/get-an-openid/what-is-openid/ a year or two
ago. It's far more of a product definition than a technical one, but
supports what you wrote. Ever since we made OpenID 2.0 extensible and
a combination of other technologies a few years ago it's been a
framework.
As you point out, OpenID has never done user authentication itself.
Rather that's handled by cookies, passwords, tokens, certs, etc.
OpenID does however perform authentication from the provider to the
relying party once the user has authenticated and granted
authorization.
So yes, I agree with your definitions but would rewrite them and
clarify the intended audience. (Unfortunately 1am isn't a good time
for me to propose better wording.)
--David
On Tue, Jun 8, 2010 at 12:31 AM, Nat Sakimura <sakimura at gmail.com> wrote:
> Many people say that OpenID is for Authentication and OAuth is for
> Authorization.
> This does not seem to be an accurate statement.
> In fact, OpenID does not do the "authentication" in the narrow meaning and
> OAuth does not do the "authorization" in the narrow meaning.
> More accurate characterization would be something like:
> OpenID is a Digital Identity Framework that conveys the authorization
> decision and identity attributes/data of an authenticated identity from the
> identity provider (OpenID provider, OP) to a requesting party called relying
> party (RP).
> OAuth is a protocol that allows one to delegate the access authorization to
> a resource to a third party. (<= need better wording.)
> Any discussion?
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> http://twitter.com/_nat_en
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
--
Nat Sakimura (n-sakimura at nri.co.jp)
Nomura Research Institute, Ltd.
Tel:+81-3-6274-1412 Fax:+81-3-6274-1547