<span class="Apple-style-span" style="border-collapse: collapse; ">>> Can you give a (sanitized) summary of Google-internal thinking on how the 3 way legal relationship between subscriber (to IDP and RP), the RPs, and the IDP will work?</span><div>
<span class="Apple-style-span" style="border-collapse: collapse;">We do not require RPs to sign any legal contract with Google to use our OpenID endpoint, so we do not restrict how they use it, or the AX attributes they get from us. What we do not yet know is what would happen if we received a lot of requests to disable a particular RP, for example because they were doing something illegal. On the other hand, a lot of potential RPs who run mainstream websites have indicated they may need strong commitments from us (possibly legally) about uptime, simplicity of UI, etc.</span></div>
<div><span class="Apple-style-span" style="border-collapse: collapse;"><br></span></div><div><span class="Apple-style-span" style="border-collapse: collapse;">With OAuth, things get slightly more complex. We do have terms of service with OAuth consumer sites, but that is mostly to warn them of things like the fact that if they have a bug in their code that starts overwhelming our servers, we might need to block them temporarily. However for some OAuth enabled services, specifically Google Health, we do require RPs to sign a contract with us that places more requirements on them.<br>
</span><div><span class="Apple-style-span" style="border-collapse: collapse;"><br></span><div>>> For example, can an RP (acting now as an OP) turn around and issue its own assertion to downstream RPs having relied on the Google assertion?</div>
<div>Yes</div><div>>> Can it cite its reliance on Google?</div><div>Yes, though what is harder is how it proves it got such an assertion from Google in the first place.</div><div>>> If it can, its "repurposing" limited? Does it need permission?</div>
<div>Since there is no legal agreement the RP signs with Google, we can't impose any "repurposing" restrictions</div><div><br><div class="gmail_quote">On Wed, Oct 29, 2008 at 5:27 PM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p><span style="font-size:11.0pt;color:#1F497D">Can you give a (sanitized) summary of Google-internal thinking on
how the 3 way legal relationship between subscriber (to IDP and RP), the RPs,
and the IDP will work?</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">Folks studying SAML models learn that a "federation" can be idp-centric,
or sp-centric. These obviously contrast with the openid model, with is **supposed**
to be user-centric-but is looking increasingly idp-centric, in reality (the easiest).</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">For example, can an RP (acting now as an OP) turn around and
issue its own assertion to downstream RPs having relied on the Google assertion?
Can it cite its reliance on Google? If it can, its "repurposing" limited? Does
it need permission?</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">These are hard (legal) questions, as already seen in the CA world.
There, since ANYONE can rely on an X.509 cert by design, there was no
opportunity to impose contractual obligations on RPs, and no opportunity to
enforce a signup policy or clickthru agreements. So …copyright controls were necessarily
used instead, along with the threats of federal prosecution (as invoked at
least once by VeriSign, when Sun had some poor stooge test the power of the VeriSign
policy being applied in protection of Microsoft's Authenticode signed-code scheme,
during the Sun/Microsoft web1.0 wars of the late 90s).</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt">
<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a> [mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>] <b>On Behalf Of </b>Eric
Sachs<br>
<b>Sent:</b> Wednesday, October 29, 2008 4:40 PM<div class="Ih2E3d"><br>
<b>To:</b> Dick Hardt<br>
<b>Cc:</b> OpenID List; Joseph Smarr<br>
</div><b>Subject:</b> [LIKELY_SPAM]Re: [OpenID] Google OpenID IDP is now live</span></p>
</div><div><div></div><div class="Wj3C7c">
<p> </p>
<p>>> <span>Do you think
there is going to be a rush of un-sophisticated Google OpenID users at this
point in time? I might be mistaken, but Yahoo!, AOL, myopenid are not
whitelisting. What am I missing?</span></p>
<div>
<p> </p>
</div>
<div>
<p><span>We just need to do the standard
scaling, stability, translation quality, etc. evaluation to make sure there are
no major problems. If we are lucky, that won't take much time.
However it is more then likely that we will need to tweak things in our
user interface to make it easier to understand, and unfortunately translating
any such tweaks into 40+ languages takes awhile.</span></p>
</div>
<div>
<p> </p>
</div>
<div>
<div>
<p>On Wed, Oct 29, 2008 at 2:18 PM, Dick Hardt <<a href="mailto:dick.hardt@gmail.com" target="_blank">dick.hardt@gmail.com</a>> wrote:</p>
<div>
<div>
<p> </p>
<div>
<div>
<p>On 29-Oct-08, at 11:36 AM, Eric Sachs wrote:</p>
</div>
<p><br>
<br>
</p>
<p style="margin-bottom:12.0pt">>> I'd be
interested in how Google thinks users will login with their OpenID if they
can't type in <a href="http://gmail.com" target="_blank"><span style="color:#7799BB">gmail.com</span></a> or <a href="http://google.com" target="_blank"><span style="color:#7799BB">google.com</span></a> --
these should work. Will they?</p>
<div>
<p>Since this is the first phase of our launch, we need to make
sure it works stability (and with good usability feedback, including on
validating the translation of our UI into 40+ languages) before we can claim
that lots of RPs should use it. Therefore there is currently a whitelist
of supported RPs.</p>
</div>
<div>
<p> </p>
</div>
<div>
<p>If we published an XRDS file for <a href="http://gmail.com" target="_blank">gmail.com</a> that worked automatically with existing RPs doing
directed identity, then it would break for users because their RPs would not be
on the whitelist.</p>
</div>
<div>
<p> </p>
</div>
<div>
<p>Once we are able to remove the whitelist, then we can post
the XRDS file for <a href="http://gmail.com" target="_blank">gmail.com</a>
without breaking existing RPs who allow users to type domain names for directed
identity.</p>
</div>
</div>
<p> </p>
</div>
<div>
<p>Ok. Now I understand why the XRDS is not there at this
point.</p>
</div>
<div>
<p> </p>
</div>
<div>
<p>I don't understand why the RPs need to be whitelisted. Do
you think there is going to be a rush of un-sophisticated Google OpenID users
at this point in time? I might be mistaken, but Yahoo!, AOL, myopenid are
not whitelisting. What am I missing?</p>
</div>
<div>
<p> </p>
</div>
<div>
<p><span style="color:#888888">-- Dick</span></p>
</div>
</div>
</div>
<p> </p>
</div>
</div></div></div>
</div>
</blockquote></div><br></div></div></div>