<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<title>Re: [OpenID] My answers to the nominee questions</title>
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Could the OAUTH and OpenID camps start by agreeing to harmonize terms
(to help the ignorant, like me)?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>As far as I can tell, the “Service Provider” (SP) in
the OAUTH model is known as the IDP/AA/OP in the SAML/openid model for push/pull
assertion protocols.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Both seem to call the classical relying party the consumer (of
the assertion/ticket), though because of the degree to which SAML use cases 99%
overlap with openid, the consumer is also commonly referred to as a Service
Provider.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>A joint document might be written. Apart from harmonizing language,
there doesn’t seem to be a lot to do. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I’ll hazard a guess at which why this has not already happened.
Perhaps folks can correct anything too outlandish. The only claimed rationale for
OAUTH existing, so far discovered, is the claim to a scope beyond which openid
auth is appropriate (e.g. openid auth and YADIS are http protocols and are thus
poor in a SOAP over message queuing environment -- since the architecture
sorely lacks a binding model). If one accepts that, then the place in a cooperative
stack alongside the openid layer could be defined, with openid merely being another
particular layer –as opposed to the name the of whole. If there is an
ego-war going on over this (whole vs part) and someone’s legacy in the written
history of the web is at stake, then there is obviously little hope of openID+
OAUTH formal harmonization. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In general <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>1 OAUTH seems much less pretentious in its tone, than OpenID. I
see lots of denial in openid-land that it is other than just variant of stuff others
have worked on for years, repackaged and tuned for the current web2.0 wave. I don’t
see that in the OAUTH tone. It seems quite deferential and respectful. There is
no “identity is distinct from security” rubbish, seen the conference
circuit spin scene.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>2 Both showcase minimalism in design ethos, but again, I dont
detect an edge in OAUTH. Openid comes across in its use of minimalism as almost
presenting a requirement for religious devotion: it’s often got an edge,
warring agin the half-implied “evil other stuff”. There is a
notable absence of the “standing on the shoulders of giants”
rhetoric. OAUTH writers on the other hand evidently had higher schooling (or
perhaps it’s a cultural norm of its community).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>As I think now about application (and thus making a contribution
worth having), the realty community’s own peculiar data querying protocol
is now reaching for national scale, wanting to quickly achieve coverage ofmost,
authoritative properly-for sale listing data by aligning all the data owners …via
a new “higher-standard of compliance” initiative. For our little contribution
as technologists, we also websso-enabled our server farm, using techniques than
allow both SAML and openid endpoints. I’m now wondering if I should also add
in the option of an OAUTH endpoint, too, at least for the http binding
layer (and perhaps the payload auth). <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>There is general consensus in US Realty that no-realty specific
standardization is needed: vendors just choose one or all of openid/SAML/OAUTH/certs,
and we will see if any actual profiling for interworking is required, later on.
This stuff is all commodity, and there is no reason to make it a competitive issue.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hopefully, for a newbie on OAUTH (focused on openid), this is
just a re-statement of the obvious – with some early thought of how it
might be applied, with little fuss, to one data querying web protocol.
Thanks Yahoo! I’m happy to just follow the lead.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> general-bounces@openid.net
[mailto:general-bounces@openid.net] <b>On Behalf Of </b>Peter Williams<br>
<b>Sent:</b> Saturday, December 13, 2008 5:34 AM<br>
<b>To:</b> Allen Tom; SitG Admin; general@openid.net<br>
<b>Subject:</b> Re: [OpenID] My answers to the nominee questions<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Say more! given the OP is the deliverer of “the
data”.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Why not use the AX extension for these querying functions, given
the openid association (over which an OP knows it itself has recently sent an assertion)
is essentially a persistent authorization ticket?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Do we need to reopen the backchannel flow of openid messaging to
deliver AX (and the other openid extensions being normalized)?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Was the openid2 backchannel flow closed, to facilitate OAUTH
getting its spot in the stack (under some Identerati deal)? Should we reopen
it? <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Architecturally, it seems silly to do adopt OAUTH, if openid
would do the same job using a mere extension.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>(Im pretty ignorant on the topic of OAUTH, but open minded.)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I keep waiting for the RDF crowd to define an openid extension
that is a(nother) binding for SPARQL queries, leveraging the authorization
functions of the openid association keys and assoc-identifiers to do I&A
and machine authz – much as folks use SSL session-keys and
session-identifiers.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> general-bounces@openid.net
[mailto:general-bounces@openid.net] <b>On Behalf Of </b>Allen Tom<br>
<b>Sent:</b> Friday, December 12, 2008 6:48 PM<br>
<b>To:</b> SitG Admin; general@openid.net<br>
<b>Subject:</b> Re: [OpenID] My answers to the nominee questions<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>SitG Admin wrote: <o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>It would be nice if RP's had a "I'll scratch your back
if you'll scratch mine." system by which they could send short messages to
one another's networks - for instance, Monster.com would say "Hey Yahoo,
please notify all the Friends of this user on your network, blah blah
blah." and Yahoo could do so.<o:p></o:p></p>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
Yahoo has an OAuth protected API that allows a Yahoo user to authorize an RP to
write to the user's Activity Stream using the Yahoo! Updates API. The user's
connections would be able to see the message in their Updates feed. This is
very similar in concept to the News Feed on other sites.<br>
<br>
It would be really nice if a user could sign into an RP using OpenID, and
simultaneously authorize that site to access their data on Yahoo using OAuth. Expect
to hear more about this soon.<br>
<br>
More info about the Yahoo! Updates API is here:<br>
<a href="http://developer.yahoo.com/social/updates/">http://developer.yahoo.com/social/updates/</a><br>
<br>
Allen<br>
<br>
<br>
<o:p></o:p></p>
</div>
</body>
</html>