<div>>> <span class="Apple-style-span" style="border-collapse: collapse; ">I hope I'm misunderstanding what you are saying and that you support the standard.</span></div><div>>> <span class="Apple-style-span" style="border-collapse: collapse; ">That's the hub and spoke model, pretending to be an open system.</span><div>
<span class="Apple-style-span" style="border-collapse: collapse;">Hopefully my follow-on post clarified Dick & Peter's questions.</span></div><div><span class="Apple-style-span" style="border-collapse: collapse;"><br>
</span></div><div><span class="Apple-style-span" style="border-collapse: collapse;">In fact, one of the questions I raised at the <a href="http://sites.google.com/site/oauthgoog/UXFedLogin/09nov-uxsummit">UX summit</a> last week was how an E-mail outsourcing service like our GoogleAppsForYourDomain could offer this type of OpenID IDP as a service to those domains. Since we host thousands of such domains, the auto-discovery aspects of OpenID are key. However, the challenge we face is how to avoid lock-in. In particular, we need a way for an enterprise/ISP/school/etc. to start using our IDP, but later move it somewhere else without breaking federated login for their users. Similarly, they should be able to run their own and then migrate it to us. OpenID provides a great set of abstraction layers to make this possible; however, there is still a lot more research we need to do into the actual mechanics of getting that to work.<br>
</span><br><div class="gmail_quote">On Wed, Oct 29, 2008 at 11:39 AM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
That's not openid.<br>
<br>
That's the hub and spoke model, pretending to be an open system.<br>
<br>
Openid will go the way of saml if one stays with this way of thinking (core rp code must know how to interact with particular idps, just for basic websso.)<br>
<div><div></div><div class="Wj3C7c"><br>
-----Original Message-----<br>
From: Breno de Medeiros <<a href="mailto:breno@google.com">breno@google.com</a>><br>
Sent: Wednesday, October 29, 2008 2:08 PM<br>
To: Dick Hardt <<a href="mailto:dick.hardt@gmail.com">dick.hardt@gmail.com</a>><br>
Cc: Joseph Smarr <<a href="mailto:joseph@plaxo.com">joseph@plaxo.com</a>>; OpenID List <<a href="mailto:general@openid.net">general@openid.net</a>><br>
Subject: [LIKELY_SPAM]Re: [OpenID] Google OpenID IDP is now live<br>
<br>
<br>
Our API documentation explains what we recommend RPs to implement to<br>
facilitate users' attempts to log in using Google. (Effectively you can<br>
hook up your button or use a parser for email addresses and perform<br>
discovery at the endpoint above for gmail). Due to the patchy library<br>
support of EAUT at present, we think this is an adequate interim<br>
solution, and the modifications that we suggest RPs to perform are<br>
independent of the actual discovery mechanism supported.<br>
<br>
<br>
On Wed, Oct 29, 2008 at 10:53 AM, Dick Hardt <<a href="mailto:dick.hardt@gmail.com">dick.hardt@gmail.com</a>> wrote:<br>
> "<a href="http://www.google.com/accounts/o8/id" target="_blank">www.google.com/accounts/o8/id</a>"?<br>
><br>
> gosh, I'll remember that one! :-)<br>
><br>
> Given the non memorable openid generated by Google, I'd be interested in how<br>
> Google thinks users will login with their OpenID if they can't type in<br>
> <a href="http://gmail.com" target="_blank">gmail.com</a> or <a href="http://google.com" target="_blank">google.com</a> -- these should work. Will they?<br>
><br>
> -- Dick<br>
><br>
> On 29-Oct-08, at 10:38 AM, Breno de Medeiros wrote:<br>
><br>
>> At this point, you can discover using <a href="http://www.google.com/accounts/o8/id" target="_blank">www.google.com/accounts/o8/id</a> as<br>
>> your OP identifier if you so wish. However, initially we will require<br>
>> registration. Thanks.<br>
>><br>
>> On Wed, Oct 29, 2008 at 10:30 AM, Andrew Arnott <<a href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>><br>
>> wrote:<br>
>>><br>
>>> Forgive my apparent ignorance, but this doesn't look like a standard<br>
>>> OpenID<br>
>>> Provider. I just tried to log into my own RP typing in "<a href="http://google.com" target="_blank">google.com</a>" to<br>
>>> use<br>
>>> directed identity, since I have no idea what my own identifier URL would<br>
>>> be,<br>
>>> and no endpoints were found. Also tried "<a href="http://gmail.com" target="_blank">gmail.com</a>".<br>
>>> When I read the blog, it mentioned OpenID but the link was to register<br>
>>> for<br>
>>> federated login. I thought Shibboleth was about federated login and<br>
>>> OpenID<br>
>>> was about letting any RP log into an IDP. Why does an RP have to<br>
>>> register<br>
>>> with Google before using its IDP? And even if it registered, that can't<br>
>>> automatically make "<a href="http://google.com" target="_blank">google.com</a>" discoverable, so this doesn't feel like<br>
>>> OpenID at all to me.<br>
>>><br>
>>> Unhappy, but hoping someone can explain it to me.<br>
>>> On Wed, Oct 29, 2008 at 9:02 AM, Eric Sachs <<a href="mailto:esachs@google.com">esachs@google.com</a>> wrote:<br>
>>>><br>
>>>> Google's IDP is now live. You can try it on Plaxo, ZoHo, & Buxfer and<br>
>>>> hopefully more RPs to come soon. Here is the blog post with more<br>
>>>> details,<br>
>>>> including information on how RPs can sign up to use the service:<br>
>>>><br>
>>>><br>
>>>><br>
>>>> <a href="http://google-code-updates.blogspot.com/2008/10/google-moves-towards-single-sign-on.html" target="_blank">http://google-code-updates.blogspot.com/2008/10/google-moves-towards-single-sign-on.html</a><br>
>>>><br>
>>>> And yes, it does allow RPs to request a user's E-mail address via AX as<br>
>>>> an<br>
>>>> option. I'll let Joseph Smarr from Plaxo respond with details on how<br>
>>>> they<br>
>>>> are using that feature to further simplify the signup flow for Plaxo.<br>
>>>> Eric Sachs<br>
>>>> Product Manager, Google Security<br>
>>>> _______________________________________________<br>
>>>> general mailing list<br>
>>>> <a href="mailto:general@openid.net">general@openid.net</a><br>
>>>> <a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
>>>><br>
>>><br>
>>><br>
>>><br>
>>><br>
>><br>
>><br>
>><br>
>> --<br>
>> --Breno<br>
>><br>
>> +1 (650) 214-1007 desk<br>
>> +1 (408) 212-0135 (Grand Central)<br>
>> MTV-41-3 : 383-A<br>
>> PST (GMT-8) / PDT(GMT-7)<br>
><br>
><br>
<br>
<br>
<br>
--<br>
--Breno<br>
<br>
+1 (650) 214-1007 desk<br>
+1 (408) 212-0135 (Grand Central)<br>
MTV-41-3 : 383-A<br>
PST (GMT-8) / PDT(GMT-7)<br>
</div></div></blockquote></div><br></div></div>