[OpenID] Definition of OpenID
Nat Sakimura
sakimura at gmail.com
Wed Jun 9 13:53:45 UTC 2010
The main topic of this thread is how to come up with a better description of
OpenID.
To do that, making a contrast with OAuth is rather useful, as both OpenID and
OAuth are members of the OpenStack family.
=nat
On Wed, Jun 9, 2010 at 10:38 PM, Thomas Hardjono <identity at hardjono.net>wrote:
> Apologies for my newbie question: are we defining OAuth here? (ie. are we
> talking about the same OAuth 2.0 that is being developed in the IETF or is
> it a different OAuth).
>
> Thanks.
>
> /thomas/
>
> From: openid-general-bounces at lists.openid.net [mailto:openid-general-bounces at lists.openid.net] On Behalf Of Nat Sakimura
> Sent: Wednesday, June 09, 2010 2:23 AM
> To: openid-general at lists.openid.net
> Subject: Re: [OpenID] Definition of OpenID
>
> (2010/06/08 21:32), Andy Powell wrote:
>
> I suspect we need at least two variants, one for a general audience and one
> more technically correct ;-).
>
> I find your proposed wording for OAuth ("OAuth is a protocol that allows
> one to delegate the access authorization to a resource to a third party")
> somewhat problematic since it's not overly clear what is being delegated to
> whom. Tbh, I prefer the current wording at http://oauth.net/ ("An open
> protocol to allow secure API authorization in a simple and standard method
> from desktop and web applications") – I think there is a subtle
> distinction between 'allowing authorization' and 'doing authorization' which
> makes this wording OK.
>
> On that basis, how about something like the following:
>
> General audience
>
> OpenID allows you to use an existing website account to sign in to multiple
> other websites, without needing to create any new passwords.
>
> To me, this emphasizes the "login" too much. OpenID is not about login.
>
> From my experience, "General Audience" is too broad. When I am forced to
> speak about it, I change my explanation.
>
> For example, to explain it to a mom with a kid who plays Nintendo's Wii,
> I go like:
>
> Me: "Do you know Wii?"
> Mom: "Yes!"
> Me: "Then you must know Mii."
> Mom: "Of course!"
> Me: "You created Mii because you just cannot get into the machine. So, Mii
> looks like you, has your nickname, and so on. If you are playing Wii Fit, it
> records your weight and other activity logs, and you go to games using your
> Mii. At the game, the Mii tells the gamekeeper the required information on
> your behalf. In fact, Mii is yourself in Wii. That's called Digital
> Identity. Do you get it?"
> Mom: "Sure."
> Me: "To use your Mii, you have to establish your right to control that Mii.
> Usually, you do this with a PIN on the remote.
> That is called Authentication."
> Mom: "OK. That's easy."
> Me: "Unfortunately, Mii can only live in Nintendo Wii. It just cannot live
> in any other place.
> To make it possible for Mii to go to various places on the internet, those
> places must understand Mii.
> To make that possible, we have to 'open up' Mii so that everybody can understand
> what that Mii is saying or doing.
> That's OpenMii. OpenID is one such thing, a standardized Digital Identity
> for the Internet."
>
> It seems to work remarkably well on those moms and kids.
> At the same time, it does not work for somebody who never saw a Mii.
>
> OAuth allows you to access a website using a desktop or web-based
> application, without needing to type the username and password for that
> website into the application.
>
> What about "without telling the username and password to that application"
>
> Technical audience
>
> OpenID is an open standard digital identity framework that allows
> attributes about an authenticated user to be passed from one website (the
> OpenID provider) to another (the relying party), usually for the purposes of
> authorizing access.
>
> We need to include the "user control/authorization of the attribute
> release". It is one of the most important concepts around OpenID. "usually
> for the purposes of authorizing access" is a bit confusing. We need to
> specify who is authorizing what access, if we were to write it.
>
> What about something like:
>
> OpenID is an open standard Digital Identity Framework that passes the
> authorization decision and attributes/data of an authenticated user from one
> website (the OpenID provider) to another (the relying party).
>
> OAuth is an open standard protocol that allows simple and secure API
> authorization from desktop and web-based applications.
>
> The main concept of OAuth, the access authorization __delegation__, is gone
> from this definition.
>
> What about this:
>
> "OAuth is an open standard protocol that allows the access authorization to
> an API to be given to an application without disclosing the user's
> credentials."
>
> ??
>
> Andy
>
> --
> Andy Powell
> Research Programme Director
> Eduserv
> t: 01225 474319
> m: 07989 476710
> twitter: @andypowe11
> blog: efoundations.typepad.com
> www.eduserv.org.uk
>
> From: openid-general-bounces at lists.openid.net [mailto:openid-general-bounces at lists.openid.net] On Behalf Of Nat Sakimura
> Sent: 08 June 2010 11:35
> To: David Recordon
> Cc: openid-general at lists.openid.net
> Subject: Re: [OpenID] Definition of OpenID
>
> Would love to have a more readable rewrite.
>
> We should make an authoritative punch line that we can use in many places,
> including Wikipedia.
>
> =nat
>
> On Tue, Jun 8, 2010 at 4:40 PM, David Recordon <recordond at gmail.com>
> wrote:
>
> We wrote http://openid.net/get-an-openid/what-is-openid/ a year or two
> ago. It's far more of a product definition than a technical one, but
> supports what you wrote. Ever since we made OpenID 2.0 extensible and
> a combination of other technologies a few years ago it's been a
> framework.
>
> As you point out, OpenID has never done user authentication itself.
> Rather, that's handled by cookies, passwords, tokens, certs, etc.
> OpenID does however perform authentication from the provider to the
> relying party once the user has authenticated and granted
> authorization.
>
> So yes, I agree with your definitions but would rewrite them and
> clarify the intended audience. (Unfortunately 1am isn't a good time
> for me to propose better wording.)
>
> --David
>
> On Tue, Jun 8, 2010 at 12:31 AM, Nat Sakimura <sakimura at gmail.com> wrote:
> > Many people say that OpenID is for Authentication and OAuth is for
> > Authorization.
> > This does not seem to be an accurate statement.
> > In fact, OpenID does not do the "authentication" in the narrow meaning and
> > OAuth does not do the "authorization" in the narrow meaning.
> > A more accurate characterization would be something like:
> > OpenID is a Digital Identity Framework that conveys the authorization
> > decision and identity attributes/data of an authenticated identity from the
> > identity provider (OpenID provider, OP) to a requesting party called relying
> > party (RP).
> > OAuth is a protocol that allows one to delegate the access authorization to
> > a resource to a third party. (<= need better wording.)
> > Any discussion?
> >
> > --
> > Nat Sakimura (=nat)
> > http://www.sakimura.org/en/
> > http://twitter.com/_nat_en
> >
>
> > _______________________________________________
> > general mailing list
> > general at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-general
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> http://twitter.com/_nat_en
>
> --
> Nat Sakimura (n-sakimura at nri.co.jp)
> Nomura Research Institute, Ltd.
> Tel:+81-3-6274-1412 Fax:+81-3-6274-1547
>
> PLEASE READ:
> The information contained in this e-mail is confidential and intended for the named recipient(s) only.
> If you are not an intended recipient of this e-mail, you are hereby notified that any review, dissemination, distribution or duplication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately and delete your copy from your system.
>
--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
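The two definitions the thread is circling, as an added worked example that is not part of the thread and not code from the OpenID Foundation or any OAuth project: the OpenID half models an OP's OpenID 2.0 positive assertion (the authentication decision plus the attributes the user agreed to release, signed with an HMAC-SHA256 association secret and checked by the RP, which also rejects an assertion minted for a different return_to and a replayed nonce); the OAuth half models a user authorizing a scope at an authorization server so that a client can call an API with an opaque token while never holding the password. Discovery, association setup, check_authentication and the OAuth redirect exchange are left out; the hosts (op.example, rp.example), the association handle, the user, the password and the attribute values are all constructed for the example.

```python
"""Added example, not from the thread, the OpenID Foundation or any OAuth project:
an OpenID OP's signed assertion (authentication decision plus user-approved attributes)
checked by an RP, beside an OAuth grant that lets a client call an API without ever
holding the password. Hosts, secrets, users and attribute values are constructed."""
import base64
import hashlib
import hmac
import secrets
import time


# ---- OpenID: OP -> RP, signed decision plus released attributes ----
def kv_form(fields: dict, signed: list) -> bytes:
    """Key-Value Form Encoding: 'key:value\\n' per signed key, 'openid.' prefix stripped."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def op_sign_assertion(assoc_secret: bytes, assoc_handle: str, claimed_id: str,
                      return_to: str, released: dict) -> dict:
    """OP's positive assertion (OpenID 2.0 id_res, HMAC-SHA256 association): 'this user
    authenticated here and consented to release these attributes', signed for the RP."""
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4)
    f = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": "https://op.example/endpoint",  # assumed OP host
         "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
         "openid.return_to": return_to, "openid.response_nonce": nonce,
         "openid.assoc_handle": assoc_handle}
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    if released:  # Attribute Exchange fetch_response; only what the user approved
        f["openid.ns.ax"], f["openid.ax.mode"] = "http://openid.net/srv/ax/1.0", "fetch_response"
        signed += ["ns.ax", "ax.mode"]
        for alias, (type_uri, value) in released.items():
            f[f"openid.ax.type.{alias}"], f[f"openid.ax.value.{alias}"] = type_uri, value
            signed += [f"ax.type.{alias}", f"ax.value.{alias}"]
    f["openid.signed"] = ",".join(signed)
    mac = hmac.new(assoc_secret, kv_form(f, signed), hashlib.sha256).digest()
    f["openid.sig"] = base64.b64encode(mac).decode()
    return f


def rp_verify_assertion(associations: dict, expected_return_to: str, seen_nonces: set, resp: dict):
    """RP side: released attributes, or None if unsigned, tampered, for another return_to, or replayed."""
    secret = associations.get(resp.get("openid.assoc_handle", ""))
    if secret is None:
        return None  # unknown association; a real RP falls back to check_authentication
    signed = resp.get("openid.signed", "").split(",")
    # claimed_id/identity must be signed when present; this OP always sends them
    must_sign = {"op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"}
    if not must_sign.issubset(signed) or any("openid." + k not in resp for k in signed):
        return None  # required field left out of the signature, or signed field missing
    mac = hmac.new(secret, kv_form(resp, signed), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, base64.b64decode(resp.get("openid.sig", ""))):
        return None  # tampered, or not signed by this OP
    if resp["openid.return_to"] != expected_return_to:
        return None  # minted for a different RP return URL
    if resp["openid.response_nonce"] in seen_nonces:
        return None  # replay
    seen_nonces.add(resp["openid.response_nonce"])
    return {k[len("ax.value."):]: resp["openid." + k] for k in signed if k.startswith("ax.value.")}


# ---- OAuth: delegated API access without giving the client the password ----
class AuthorizationServer:
    def __init__(self) -> None:
        self.users = {"alice": hashlib.sha256(b"correct horse").hexdigest()}  # toy password store
        self.grants = {}  # opaque token -> what the user approved

    def authorize(self, user: str, password: str, client_id: str, scope: str):
        """The user proves the password to the AS, never to the client, and approves a scope."""
        if self.users.get(user) != hashlib.sha256(password.encode()).hexdigest():
            return None
        token = secrets.token_urlsafe(24)
        self.grants[token] = {"sub": user, "client_id": client_id, "scope": scope}
        return token


class ResourceServer:
    def __init__(self, auth_server: AuthorizationServer) -> None:
        self.auth_server, self.photos = auth_server, {"alice": ["beach.jpg", "dog.jpg"]}

    def get_photos(self, bearer_token: str):
        grant = self.auth_server.grants.get(bearer_token)  # introspection, modelled as shared state
        if grant is None or "photos.read" not in grant["scope"].split():
            return None  # no token, or not delegated for this API
        return list(self.photos.get(grant["sub"], []))


def demo() -> dict:
    """Runs both flows, including the cases that must be rejected."""
    assoc = {"h1": secrets.token_bytes(32)}  # shared secret from an earlier RP/OP association
    rp_url, nonces = "https://rp.example/return", set()
    a = op_sign_assertion(assoc["h1"], "h1", "https://op.example/alice", rp_url,
                          {"email": ("http://axschema.org/contact/email", "alice@example.net")})
    attrs = rp_verify_assertion(assoc, rp_url, nonces, a)
    replay = rp_verify_assertion(assoc, rp_url, nonces, a)
    tampered = dict(a, **{"openid.ax.value.email": "mallory@example.net"})
    auth = AuthorizationServer()
    rs = ResourceServer(auth)
    tok = auth.authorize("alice", "correct horse", "printshop", "photos.read")
    tok_other = auth.authorize("alice", "correct horse", "printshop", "profile")
    return {"openid_attrs": attrs, "openid_replay": replay,
            "openid_tampered": rp_verify_assertion(assoc, rp_url, set(), tampered),
            "oauth_photos": rs.get_photos(tok), "oauth_wrong_scope": rs.get_photos(tok_other),
            "oauth_bad_password": auth.authorize("alice", "wrong", "printshop", "photos.read")}
```

Calling demo() returns the released e-mail address for the genuine assertion and None for the replayed and tampered copies; on the OAuth side the printshop client reads alice's photos only with a token whose scope covers that API, and the client code never touches the password. The point the thread keeps returning to is visible in the two verify paths: the RP consumes a signed statement about who authenticated and what they agreed to release, while the resource server consumes a delegated grant and never learns how the user authenticated.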