I'd agree with that phrasing.<div><br></div><div>Another way to think about this is that OpenID affords the opportunity for people on the web to have durable, cross-site [external] identifiers. Whether they let other people use them (as some teens let their friends use their MySpace accounts or share their passwords to each other's accounts) is up to the individual. If you want to add Fort Knox type security to proving ownership of your identifier(s), you can. It won't establish trust, which, as Brandon suggested, requires a relationship, but it does create the possibility where you can start with a basic identifier (which today, for most sites, is an email address (no trust is afforded to those kinds of identifiers either) in most cases) and then "level up" your level of individual security as needs demand.</div>
<div><br></div><div>The problem that we've seen in the past is that one identity-trust-security model tends to fare poorly on the web because assumptions don't scale vertically or horizontally. Technologies like OAuth and OpenID are interesting because they solve a particular component of various domain-independent problems and then allow you to remix them to create solutions bigger than the sum of their parts.</div>
<div><br></div><div>I'm not familiar with the bowels of SAML2, but from my experience, it's hard enough for people to prioritize development for a "simple" protocol like OpenID when they're building their consumer apps... that I can't imagine the evangelism muscle that it'd require to get people to back in support for these higher order protocols, unless, of course, they're dealing with banks.</div>
<div><br></div><div>Technology robustness is only one part of the equation; you must also consider the cost to implement for someone completely uninitiated in these concepts and technologies. It's why HTML, CSS and JavaScript have won on the web... and we must keep that in mind in how we design these building blocks.</div>
<div><br></div><div>Chris<br><br><div class="gmail_quote">On Sun, Oct 19, 2008 at 10:53 AM, Martin Atkins <span dir="ltr"><<a href="mailto:mart@degeneration.co.uk">mart@degeneration.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
That depends on what it is you're trusting. OpenID allows you to trust (man-in-the-middle attacks and phishing notwithstanding) that a user "owns" a given URI.<br>
<br>
When OpenID talks about "identity" it is that URI it's talking about. This is why I tend to make a point of using the word "identifier" instead of "identity", since it makes it clearer what we're talking about. An OpenID identifier is similar to a social security number or credit card number in that it gives you a name to call something or someone by. The OpenID Authentication protocol allows you to verify that someone is the rightful owner of that name, for some definition of "rightful".[1]<br>
<br>
Since users can self-issue identifiers, OpenID itself can't tell you anything else about a user other than that they "own" an identifier. When OpenID folks talk about building trust upon this, they generally mean using OpenID identifiers to identify parties in trust relationships.<br>
<br>
I hope this clears things up. I'd agree that some of the terminology that has been historically used around OpenID is a bit confusing. In particular, the text that originally said "OpenID is not a trust system. Trust requires identity first" would be better stated, I feel, as "OpenID is not a trust system. Trust systems are easier to build when you have globally-significant verifiable identifiers." Doesn't make for quite as catchy a soundbite, though.<br>
<br>
Cheers,<br>
Martin<br>
<br>
[1] There is, of course, no reason why someone who owns a URL can't allow everyone to be the "owner" of it per OpenID's definition. Likewise, though, there's no reason why I can't put some local user credentials on BugMeNot and create a "public" account that way.<br>
<br>
Brandon Ramirez wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="Ih2E3d">
Can we have identity without trust? Can we have trust without identity? In my mind, the two are interwoven. When a person identifies themselves, we need some element of trust (if we're in person and we've met them before, our memory provides that trust; if not, a photo ID, etc.). To rephrase, I'd say that identity can technically exist without trust, but it's meaningless to us humans.<br>
<br>
Trust can also not exist without identity. If you login to my web site, a 3rd party vouches for your claim of identity. In order to trust this 3rd party, I must know who they are. If it's a random entity, then why should I trust them? It's like a driver's license. It's only a valid form of ID because it's certified by the government, and we know who the different government entities are (DMV, Department of State, etc.). If I were a bouncer checking IDs, I'd be a bit suspicious if someone gave me a driver's license issued by "State of MyFakeState". The same goes for virtual identity. Why should I trust a random OP?<br>
<br>
- Brandon<br>
<br></div><div><div></div><div class="Wj3C7c">
On Sat, Oct 18, 2008 at 12:23 AM, Chris Messina <<a href="mailto:chris.messina@gmail.com" target="_blank">chris.messina@gmail.com</a>> wrote:<br>
<br>
I don't think that it's necessarily OpenID's job to solve these<br>
specific problems. It's really an identity protocol; trust, veracity<br>
and authenticity (in the human sense) are, by design (and by<br>
extension, politics) purposely kept out of scope.<br>
<br>
Several of our companies, mine included, operate in the space<br>
afforded by the adoption of a technology like OpenID, where you can<br>
choose to have increasing levels of complexity, encryption, circuity<br>
and sophistication to thwart those who would gain by attempting to<br>
act as though they were you.<br>
<br>
Whether you verify that you're human by receiving a $1 transaction<br>
or a 5 character text message is actually an opportunity for<br>
innovation and research, and by promoting the adoption of OpenID as<br>
a common conduit, we enable the pre-conditions for such an industry<br>
to grow up with consumer-facing services (as opposed to enterprise).<br>
<br>
My girlfriend today commented that OpenID is too hard because it<br>
requires too many steps. She wasn't talking about the authentication<br>
dance -- and she didn't even mind typing in her blog address to sign<br>
in (she's delegated to ClaimID.com). Instead her gripe was with the<br>
form-filling process *immediately* following the sign in process<br>
where, even though her OpenID provider has her name, email, bio and<br>
a bunch of other choice tidbits, the relying party either didn't, or<br>
didn't know how to, ask for it from her IdP. And since she had to<br>
re-enter this data *yet* again, OpenID as a whole ended up looking bad.<br>
<br>
The point that I'm ultimately making here is that we could sit here<br>
all day arguing over the need to secure one's identity and how to do<br>
it, but for most people, that's self-referential bike shed painting.<br>
<br>
We need this stuff to just work and get out of the way (unless a<br>
user chooses otherwise), and no user interface research is going to<br>
be complete unless we also weigh the second order benefits of<br>
time-saving and smoother flows that can come by enhancing the<br>
standards-based identity technologies.<br>
<br>
To that end, I think we need to think beyond just authentication<br>
here, and look at what happens immediately AFTER you've signed in<br>
with OpenID. How can we make that experience intuitive, compelling,<br>
desirable and motivating? How can we get it in people's heads that<br>
the OpenID experience is the one that they WANT -- and the one that<br>
they should DEMAND from their favorite web services?<br>
<br>
If we can't improve even the basic sign up and sign in flows from<br>
where they are today, indeed, we will continue to struggle with basic<br>
issues like awareness and adoption.<br>
<br>
Chris<br></div></div></blockquote></blockquote></div><br clear="all"><br>-- <br>Chris Messina<br>Citizen-Participant &<br> Open Technology Advocate-at-Large<br><a href="http://factoryjoe.com">factoryjoe.com</a> # <a href="http://diso-project.org">diso-project.org</a><br>
<a href="http://citizenagency.com">citizenagency.com</a> # <a href="http://vidoop.com">vidoop.com</a><br>This email is: [ ] bloggable [X] ask first [ ] private<br>
</div>
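<div><br></div><div>Added example, not code from this thread or from any of its participants: the checks an OpenID 2.0 relying party performs before it accepts "this user owns that URL", which is what Martin's "allows you to verify that someone is the rightful owner of that name" and Brandon's "why should I trust a random OP?" come down to in code. Everything in it is constructed: a claimed identifier on example.com whose page delegates to an OP at op.example.net (the delegation pattern Chris describes with ClaimID), a hypothetical shared association MAC key, and a hand-built positive assertion. The hostnames, key, nonce and handle are placeholders, not real services.</div>

```python
"""Relying-party side of OpenID 2.0: normalize the typed identifier, discover
the OP from the identifier's page, then verify that a positive assertion is
(a) signed under the association and (b) consistent with what discovery said.
Added example with constructed data; no network access."""
import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(user_input: str) -> str:
    """OpenID 2.0 section 7.2 normalization for http(s) identifiers: add a
    scheme if missing, lowercase scheme and host, default the path to '/',
    and drop the fragment (an OP may append one, so RPs compare without it)."""
    s = user_input.strip()
    if not re.match(r"^https?://", s, re.I):
        s = "http://" + s
    parts = urlsplit(s)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


LINK_RE = re.compile(r"<link\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w[\w.-]*)\s*=\s*"([^"]*)"')


def discover_html(claimed_id: str, html: str) -> dict:
    """HTML-based discovery: the OP endpoint and an optional delegated local
    identifier come from <link> tags on the claimed identifier's own page.
    OpenID 2.0 rel values are preferred; openid.server/delegate are 1.x."""
    rels = {}
    for tag in LINK_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        for rel in attrs.get("rel", "").lower().split():
            rels.setdefault(rel, attrs.get("href"))
    endpoint = rels.get("openid2.provider") or rels.get("openid.server")
    if not endpoint:
        raise ValueError("no OpenID provider link found on the claimed page")
    delegate = (rels.get("openid2.local_id") if "openid2.provider" in rels
                else rels.get("openid.delegate"))
    return {"op_endpoint": endpoint, "claimed_id": claimed_id,
            "local_id": delegate or claimed_id}


def sign(params: dict, signed_fields: list, mac_key: bytes) -> str:
    """Section 6 signature: key-value form of the signed fields in order, with
    the 'openid.' prefix removed, HMAC-SHA256 under the association key."""
    kv = "".join(f"{f}:{params.get('openid.' + f, '')}\n" for f in signed_fields)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")


def verify_assertion(discovered: dict, params: dict, mac_key: bytes) -> bool:
    """Section 11 checks. The identifier/endpoint comparison is the one that
    stops an arbitrary OP (even one the RP has an association with) from
    asserting ownership of a URL that never delegated to it."""
    if params.get("openid.mode") != "id_res":
        return False
    if params.get("openid.op_endpoint") != discovered["op_endpoint"]:
        return False
    if normalize_identifier(params.get("openid.claimed_id", "")) != discovered["claimed_id"]:
        return False
    if params.get("openid.identity") != discovered["local_id"]:
        return False
    signed = params.get("openid.signed", "").split(",")
    if any(f not in signed for f in REQUIRED_SIGNED):
        return False
    return hmac.compare_digest(sign(params, signed, mac_key), params.get("openid.sig", ""))


# Constructed sample data (placeholder hosts, key and nonce)
CLAIMED = normalize_identifier("Example.COM/blog")  # what the user typed
PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid2.local_id" href="https://op.example.net/user/chris">
</head><body>my blog</body></html>"""
MAC_KEY = b"constructed-association-mac-key"


def build_assertion(discovered: dict, mac_key: bytes) -> dict:
    """What an OP returns on success (assumed fixed return_to/nonce/handle)."""
    p = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": discovered["op_endpoint"],
         "openid.claimed_id": discovered["claimed_id"],
         "openid.identity": discovered["local_id"],
         "openid.return_to": "https://rp.example.org/openid/return",
         "openid.response_nonce": "2008-10-19T18:53:00ZabcDEF",
         "openid.assoc_handle": "assoc-1"}
    p["openid.signed"] = ",".join(REQUIRED_SIGNED)
    p["openid.sig"] = sign(p, list(REQUIRED_SIGNED), mac_key)
    return p


def demo() -> tuple:
    discovered = discover_html(CLAIMED, PAGE)
    good = build_assertion(discovered, MAC_KEY)
    # A rogue OP the RP also associated with asserts the same claimed_id
    rogue = build_assertion(dict(discovered, op_endpoint="https://evil.example.com/server"), MAC_KEY)
    # A genuine assertion whose return_to was altered after signing
    forged = dict(good, **{"openid.return_to": "https://evil.example.com/steal"})
    return (verify_assertion(discovered, good, MAC_KEY),
            verify_assertion(discovered, rogue, MAC_KEY),
            verify_assertion(discovered, forged, MAC_KEY))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The rogue case fails on the endpoint comparison before the signature is even looked at, which is the point: an OP only speaks for identifiers whose pages delegate to it, so "trusting a random OP" never enters into ownership verification. Whether that OP's users are people you want to do business with is the separate trust question the thread is about.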