<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hans<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>You specifically mentioned Google Apps, and complained in public
that you could not administer the domain service the firm hosts for you. The clear
imputation was that the Google Apps service is lousy, and their support folks
cannot fix their own software for you. You essentially recommended that another
Google service be abandoned - in favor of self-hosting. You proposed imposing a
(tea) tax on conferences, to fund the hosting costs.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I too wrote about the topic of Google Apps, as you introduced, and
praised it in contrast – particularly in the area of websso and their domain
management service. (I’m not given to praising Google, normally.) I focused
comment on the quality of their engineering solution in the area of websso and domain
hosting (and how they address the fallback issues of remote administration, in
particular). These engineering properties will, I personally hope, soon relate to
their openid SP services (as a variant of the websso SP service they obviously already
deliver for Google Apps domain users, today).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Yes, I realize your main point was that the Foundation should
not use service providers to deliver critical infrastructure services. But
that notion unfortunately contradicts the wider Foundation mission in promoting
websso/openid: so that one can verily outsource and mash up service providers by
relying on assertions (where system-system dependencies are inevitably found).
So, I showed that there are mature business-grade engineering solutions out
there in the wild that deal with the system dependencies introduced - and one can
avoid simply falling back on “do everything yourself”. By way of
example, I used Google Apps as the demonstration of those deployment principles.
<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hopefully I gave a contrasting view of Google Apps to your own, focusing
on our primary topic: websso/openid. I’d love to see the Foundation not
only reject self-hosting – but do a showcase integration with Google Apps.
It’s a mature, business-class SP for open systems, and would only enhance
the reputation of the Foundation in business circles, in my view. A small grant
to TrustBearer Labs might facilitate the integration between the Foundation's own
native openid2 technology and the websso standards Google Apps uses today. Who
knows, a successful, high-profile demo might even make Google fast-track native
openid2 support for their various SPs.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Peter.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Hans Granqvist
[mailto:hans@granqvist.com] <br>
<b>Sent:</b> Monday, December 08, 2008 10:11 AM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> openid-general General<br>
<b>Subject:</b> Re: Google Apps, dependencies, failover and UCI<o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Peter: I have no idea what you're talking about. Sorry.<o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>I was merely pointing out that the Google group
feature, while technically very usable, may have some issues in ease-of-signup for
people who want to use emails from Google hosted domains. For some that itself may
make them not participate.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>I still want to know why there isn't enough money within
OIDF to independently operate these lists using open and free technology. Last
time I checked, those kinds of things were kinda central to the
OpenID philosophy.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Hans<o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal>On Mon, Dec 8, 2008 at 7:52 AM, Peter Williams <<a
href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p><span style='font-size:11.0pt;color:#1F497D'>Hans:</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>Re: Per your memo (enclosed
below)</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>In defense of Google, I've had
only sterling success with their websso to Google Apps. In engineering terms,
we can perhaps analyze it, and perhaps glimpse at their openid services for
their SPs (as they evolve them).</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>The Google SP optionally
administers with a local id (allowing administrative failover, when the sso
links break), and users can (SAML2) websso into it as an entirely
standards-based SP once the SP->IDP link is manually configured. As an SP,
it aggregates several applications into its local session. However, they can be
targeted individually as resources when performing websso, since the websso
service hooks up nicely with the complementary DNS naming and service mappings
for the hosted domains. </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>All in all, it's well thought
through - though it's very, very expensive at $50 per annum, per user.
I've no doubt there are major price breaks for volume of n0,000 users… in
which case it would be viable for integration with our realty "MLS",
for example, once down to $0.50-$1 a month. A large percentage of our users
choose gmail anyway (where we send about 100G of data to gmail accounts every
night, after running the users' custom data-crawls!) I'm sure individuals
would authorize $0.50 a month for the convenience of websso to their
gmail from their main console. They already do that to websso to a dozen other
sites, after all. If now paid for by search ads on the websso UI, that source of
funding might even overcome the current, total resistance to (Google) ads. </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>Technically, Google Apps
performs sp-initiated websso flow (essentially like openid1), and has been
tuned so that one IDP aggregator/endpoint can host n IDP tenants (all on the
same switching entityID/cert). This allows an approximation of the OpenID-style
delegation, where the level1 IDP acts as a delegation/proxy resolver. That
first line IDP known to Google performs rerouting (though Google are not
exploiting SAML2 grade security signed requests), and vectors the request
upstream to a 2<sup>nd</sup>-level IDP delegated by the user or selected
interactively (in our implementation). These upstream failover dynamics can all be
hidden from the SP (unlike in the control system design used by OpenID2), but
are clearly intended by the Google architecture.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>It's by no means all as cute as
a real openid2 SP->OP, with user-controlled (signed) XRDS being accessed
directly by SPs. But it's the best SAML2 SP I've personally seen on a
consumer-grade website, where all sso/dns configuration can be done without needing
specialized engineers. Hey, even I could do it.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>WebSSO is all about
dependencies. The trick (having managed this kind of integration for 2 years
now with a variety of sso folk with a wide range of security engineering
training) is to ensure all the failovers work – for when the public
web/internet breaks. This is why I personally focus on failopen,
loosely-coupled, user-centered control system designs, as that very orientation
has side-effects that take care of the vast majority of inter-system dependencies.
By getting the intelligent human being involved in failover (only) early on, we
avoid the support phone call that we cannot afford to service. </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>So, I give Google an A- on
websso design and execution (as I've seen it). They can go for optional extra
credit and be awarded an A, if they would sign the auth requests.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:
10.0pt'> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>]
<b>On Behalf Of </b>Hans Granqvist<br>
<b>Sent:</b> Sunday, December 07, 2008 10:25 PM<br>
<b>To:</b> openid-general General<br>
<b>Subject:</b> Re: [OpenID] We Need Less Bureaucracy But Also More
Transparency</span><o:p></o:p></p>
</div>
<p> <o:p></o:p></p>
<p>Google groups are broken. I can't sign up to groups with any email address I
want. My main domain is hosted by Google Apps and I cannot sign up with any email
address on this domain. Though I suppose I should be able to, the Google reps
I've spoken or emailed to (several) can't fix it. I wonder how many else
would be in the same situation.<o:p></o:p></p>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p>Regardless, you cannot have dependencies if you want to stay open, right?<o:p></o:p></p>
</div>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p>If there is more money needed to keep mailman and servers going, and OIDF is
unable to pay (are they?), why not politely request a cut from the conferences
making money around the standard?<o:p></o:p></p>
</div>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p style='margin-bottom:12.0pt'> <o:p></o:p></p>
<div>
<p>On Fri, Dec 5, 2008 at 5:36 PM, Peter Williams <<a
href="mailto:pwilliams@rapattoni.com" target="_blank">pwilliams@rapattoni.com</a>>
wrote:<o:p></o:p></p>
<p>Does the foundation resolve to deem acceptable Google's privacy practices
(since that's the indirect endorsement).<br>
<br>
Can't whine about Janrain without doing the same to all.<br>
<br>
Has anyone even reviewed them yet for political correctness (while Facebook
meantime cleans up).<br>
<br>
Satire.<o:p></o:p></p>
<div>
<div>
<p><br>
-----Original Message-----<br>
From: SitG Admin <<a href="mailto:sysadmin@shadowsinthegarden.com"
target="_blank">sysadmin@shadowsinthegarden.com</a>><br>
Sent: Friday, December 05, 2008 6:31 PM<br>
To: David Recordon <<a href="mailto:drecordon@sixapart.com" target="_blank">drecordon@sixapart.com</a>><br>
Cc: <a href="mailto:general@openid.net" target="_blank">general@openid.net</a>
<<a href="mailto:general@openid.net" target="_blank">general@openid.net</a>><br>
Subject: Re: [OpenID] We Need Less Bureaucracy But Also More Transparency<br>
<br>
<br>
>I keep wanting to see us move to Google Groups<br>
<br>
So long as we can make clear that it isn't an endorsement? ;)<br>
<br>
I understand that Google has an interest in *their* system being<br>
used, and offering a mere publicly searchable archive (open Gmail<br>
account subscribed to the list) wouldn't stop users from using their<br>
*other* systems, but the topology of such a solution resembles the<br>
idea of UCI: instead of going with a single central interface, users<br>
go with the list (their 'open' choice) and can login to Google with<br>
their OpenIDs to see an aggregated dataset (or, if they like what<br>
Google is marketing, opt to upgrade to a Gmail account so they can<br>
begin integrating their private messages with that dataset, too).<br>
<br>
-Shade<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><o:p></o:p></p>
</div>
</div>
</div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
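<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Added example (editor's illustration, not part of the thread and not Google's or TrustBearer's code): a stdlib-only Python model of the SP-initiated SAML 2.0 web SSO flow Peter describes in his 7:52 AM message, with a first-line "switching" IdP that receives the SP's AuthnRequest over the HTTP-Redirect binding, re-issues it in its own name to the tenant's upstream (2nd-level) IdP, and correlates the upstream response back to the SP's request so that the SP only ever sees one entityID. All entity IDs, ACS URLs, e-mail addresses and the tenant table are hypothetical; routing by the user's e-mail domain stands in for the user-delegated or interactive IdP selection described in the thread. XML-DSig is not implemented: request signing is modelled as a flag the IdP policy can require (the A- versus A point), and because an unsigned request can carry any AssertionConsumerServiceURL, the IdP checks the ACS against registered SP metadata before proxying.</span></p>

```python
# Editor's toy model of SP-initiated SAML 2.0 web SSO with a proxying first-line IdP.
# Hypothetical names throughout; stdlib only. HTTP-Redirect binding encoding follows the
# SAML 2.0 Bindings spec (raw DEFLATE -> base64 -> URL-encode). No XML-DSig is implemented.
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
for prefix, ns in (("samlp", SAMLP), ("saml", SAML)): ET.register_namespace(prefix, ns)


def build_authn_request(issuer, acs_url, destination):
    """Build a minimal AuthnRequest. Returns (request ID, XML string)."""
    req_id = "_" + secrets.token_hex(16)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0", "Destination": destination,
        "IssueInstant": "2008-12-08T15:52:00Z",  # fixed so the toy stays deterministic
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    return req_id, ET.tostring(root, encoding="unicode")


def redirect_binding_encode(xml_str, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE -> base64 -> URL-encoded query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    params = {"SAMLRequest": base64.b64encode(comp.compress(xml_str.encode()) + comp.flush()).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def redirect_binding_decode(query):
    """Inverse of redirect_binding_encode. Returns (XML string, RelayState or None)."""
    params = dict(urllib.parse.parse_qsl(query))
    xml_str = zlib.decompress(base64.b64decode(params["SAMLRequest"]), -15).decode()
    return xml_str, params.get("RelayState")


def parse_authn_request(xml_str):
    """Extract the fields the IdP decides on."""
    root = ET.fromstring(xml_str)
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {"id": root.get("ID"), "issuer": issuer.text if issuer is not None else None,
            "acs": root.get("AssertionConsumerServiceURL"), "destination": root.get("Destination")}


class SwitchingIdP:
    """The one IdP entityID the SP is configured against; n tenants, each with its own upstream IdP."""
    def __init__(self, entity_id, registered_sps, tenant_upstream, require_signed_requests=False):
        self.entity_id = entity_id
        self.registered_sps = registered_sps      # SP entityID -> set of ACS URLs from its metadata
        self.tenant_upstream = tenant_upstream    # e-mail domain -> 2nd-level IdP SSO URL
        self.require_signed_requests = require_signed_requests
        self.pending = {}                         # upstream request ID -> SP-side context

    def handle(self, query, user_email, signed=False):
        """Validate the SP's request and re-issue it upstream. 'signed' stands in for XML-DSig."""
        xml_str, relay_state = redirect_binding_decode(query)
        req = parse_authn_request(xml_str)
        if self.require_signed_requests and not signed:
            return {"status": "rejected", "reason": "unsigned AuthnRequest"}
        allowed_acs = self.registered_sps.get(req["issuer"])
        if allowed_acs is None:
            return {"status": "rejected", "reason": "unknown SP issuer"}
        # In an unsigned request the ACS URL is attacker-controllable: deliver the
        # assertion only to an endpoint registered in the SP's metadata.
        if req["acs"] not in allowed_acs:
            return {"status": "rejected", "reason": "ACS not in SP metadata"}
        upstream = self.tenant_upstream.get(user_email.rpartition("@")[2].lower())
        if upstream is None:
            return {"status": "rejected", "reason": "no upstream IdP for tenant"}
        # Re-issue in our own name: the SP never learns which 2nd-level IdP answered.
        up_id, up_xml = build_authn_request(self.entity_id, self.entity_id + "/proxy-acs", upstream)
        self.pending[up_id] = (req["id"], req["issuer"], req["acs"], relay_state)
        return {"status": "proxied", "upstream": upstream, "upstream_request_id": up_id,
                "upstream_query": redirect_binding_encode(up_xml)}

    def complete(self, upstream_in_response_to):
        """Upstream response arrived: map it back to the SP's request (one-shot, so no replay)."""
        ctx = self.pending.pop(upstream_in_response_to, None)
        if ctx is None:
            return {"status": "rejected", "reason": "unsolicited or replayed upstream response"}
        return dict(zip(("in_response_to", "audience", "acs", "relay_state"), ctx), status="ok")


def demo():
    """One happy-path flow: SP request -> switching IdP -> upstream IdP -> correlated back."""
    idp = SwitchingIdP("https://sso.example-mls.test",
                       registered_sps={"https://apps.example.test/saml": {"https://apps.example.test/saml/acs"}},
                       tenant_upstream={"example.org": "https://idp.example.org/sso"})
    sp_id, xml_str = build_authn_request("https://apps.example.test/saml",
                                         "https://apps.example.test/saml/acs", idp.entity_id + "/sso")
    routed = idp.handle(redirect_binding_encode(xml_str, "https://mail.apps.example.test/"), "alice@example.org")
    done = idp.complete(routed["upstream_request_id"]) if routed["status"] == "proxied" else routed
    return {"idp": idp, "sp_request_id": sp_id, "routed": routed, "done": done}
```

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Running <tt>demo()</tt> shows the two properties the thread discusses: the request that goes upstream carries the switching IdP's own Issuer and a Destination of the tenant's 2nd-level IdP, and the response is mapped back to the SP's original request ID and RelayState exactly once, so a replayed upstream response is refused. With <tt>require_signed_requests=True</tt> the same IdP turns away any request whose signature flag is not set; in a real deployment that flag would be the verified XML signature over the request, which is what closes the gap between trusting the Issuer and ACS fields as claimed and knowing they came from the registered SP.</span></p>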
</div>
</body>
</html>