<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" 
xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="&#1;" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.apple-style-span
        {mso-style-name:apple-style-span;}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Can you give a (sanitized) summary of Google-internal thinking on
how the 3-way legal relationship between subscriber (to IDP and RP), the RPs,
and the IDP will work?<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Folks studying SAML models learn that a &#8220;federation&#8221; can be idp-centric,
or sp-centric. These obviously contrast with the openid model, which is **supposed**
to be user-centric, but is looking increasingly idp-centric, in reality (the easiest).<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>For example, can an RP (acting now as an OP) turn around and
issue its own assertion to downstream RPs having relied on the Google assertion?
Can it cite its reliance on Google? If it can, is its &#8220;repurposing&#8221; limited? Does
it need permission?<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>These are hard (legal) questions, as already seen in the CA world.
There, since ANYONE can rely on an X.509 cert by design, there was no
opportunity to impose contractual obligations on RPs, and no opportunity to
enforce a signup policy or clickthru agreements. So&#8230; copyright controls were necessarily
used instead, along with the threats of federal prosecution (as invoked at
least once by VeriSign, when Sun had some poor stooge test the power of the VeriSign
policy being applied in protection of Microsoft&#8217;s Authenticode signed-code scheme,
during the Sun/Microsoft web1.0 wars of the late 90s).<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
general-bounces@openid.net [mailto:general-bounces@openid.net] <b>On Behalf Of </b>Eric
Sachs<br>
<b>Sent:</b> Wednesday, October 29, 2008 4:40 PM<br>
<b>To:</b> Dick Hardt<br>
<b>Cc:</b> OpenID List; Joseph Smarr<br>
<b>Subject:</b> [LIKELY_SPAM]Re: [OpenID] Google OpenID IDP is now live<o:p></o:p></span></p>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal>&gt;&gt;&nbsp;<span class=apple-style-span>Do you think
there is going to be a rush of un-sophisticated Google OpenID users at this
point in time? &nbsp;I might be mistaken, but Yahoo!, AOL, myopenid are not
whitelisting. What am I missing?</span><o:p></o:p></p>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal><span class=apple-style-span>We just need to do the standard
scaling, stability, translation quality, etc. evaluation to make sure there are
no major problems. &nbsp;If we are lucky, that won't take much time.
&nbsp;However it is more than likely that we will need to tweak things in our
user interface to make it easier to understand, and unfortunately translating
any such tweaks into 40+ languages takes a while.</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<div>

<p class=MsoNormal>On Wed, Oct 29, 2008 at 2:18 PM, Dick Hardt &lt;<a
href="mailto:dick.hardt@gmail.com">dick.hardt@gmail.com</a>&gt; wrote:<o:p></o:p></p>

<div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<div>

<div>

<p class=MsoNormal>On 29-Oct-08, at 11:36 AM, Eric Sachs wrote:<o:p></o:p></p>

</div>

<p class=MsoNormal><br>
<br>
<o:p></o:p></p>

<p class=MsoNormal style='margin-bottom:12.0pt'>&gt;&gt;&nbsp;I'd be
interested&nbsp;in how Google thinks users will login with their OpenID if they
can't&nbsp;type in&nbsp;<a href="http://gmail.com" target="_blank"><span
style='color:#7799BB'>gmail.com</span></a>&nbsp;or&nbsp;<a
href="http://google.com" target="_blank"><span style='color:#7799BB'>google.com</span></a>&nbsp;--
these should work. Will they?<o:p></o:p></p>

<div>

<p class=MsoNormal>Since this is the first phase of our launch, we need to make
sure it works stably (and with good usability feedback, including on
validating the translation of our UI into 40+ languages) before we can claim
that lots of RPs should use it. &nbsp;Therefore there is currently a whitelist
of supported RPs.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>If we published an XRDS file for <a href="http://gmail.com"
target="_blank">gmail.com</a> that worked automatically with existing RPs doing
directed identity, then it would break for users because their RPs would not be
on the whitelist.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>Once we are able to remove the whitelist, then we can post
the XRDS file for <a href="http://gmail.com" target="_blank">gmail.com</a>
without breaking existing RPs who allow users to type domain names for directed
identity.<o:p></o:p></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>Ok. Now I understand why the XRDS is not there at this
point.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>I don't understand why the RPs need to be whitelisted. Do
you think there is going to be a rush of un-sophisticated Google OpenID users
at this point in time? &nbsp;I might be mistaken, but Yahoo!, AOL, myopenid are
not whitelisting. What am I missing?<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal><span style='color:#888888'>-- Dick<o:p></o:p></span></p>

</div>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

</div>

</body>

</html>