Hi Peter,<div><br></div><div>I think you missed the scenario I was saying should use OAuth. The login process with Plaxo was fantastic. I didn't mind that it sniffed my email address from my OP. That's convenience for me.</div>
<div><br></div><div>But after login was completed, the first page I was taken to was a page where they wanted to take some email address and password so they could go download my address book. This has nothing to do with OpenID. They wanted my email password (bad, bad, bad!). And yes, as you say, this is actually fairly common practice. LinkedIn, Facebook, Lala, you name it. Almost every social networking site wants your email password. ("cold dead fingers" comes to mind.) The link I sent you in my previous email explains why this is such a Very Bad Thing.</div>
<div><br></div><div>What OAuth does is give Plaxo, et al., a way to download my address book without me ever giving them my email password. They still need my permission, but not my password. With OAuth, they can only do exactly what I authorize them to do (for instance, download my address book once) and nothing more. Much, much safer for the user. They don't have to trust (usually blindly) the site they're at nearly as much.</div>
<div><br></div><div>Of course, then you get into the social question of how your "friends" in your address book will feel about you after you "sell" their contact info to some random site they have no interest in being a part of just to get a little convenience. :)</div>
<div><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
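<div><br></div><div>The delegated-authorization flow described in the message above, as an added example that is not part of the original thread and is not Plaxo's or any mail provider's code: a toy OAuth 1.0a-style exchange in Python between a hypothetical mail provider and a hypothetical contacts-importing consumer site. The consumer key and secret, the user "alice", her password and address book, and the scope string "contacts:read-once" are all constructed for the demo (OAuth 1.0 defines no scope parameter; any scoping is something the provider attaches to the token it issues). The consumer never handles the password: the user authenticates at the provider, and the provider then enforces the HMAC-SHA1 request signature, the single-download scope and nonce replay protection on the protected resource.</div>

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

CONSUMER_KEY = "contacts-importer"      # assumed demo identifiers, not real credentials
CONSUMER_SECRET = "consumer-secret-demo"

def pct(s):
    return quote(str(s), safe="-._~")  # OAuth 1.0 percent-encoding: RFC 3986 unreserved set only

def signature_base_string(method, url, params):
    """OAuth 1.0 signature base string; oauth_signature itself is never part of it."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    # Key is "consumer secret & token secret", both percent-encoded, as the spec requires.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

class MailProvider:
    """The email service. It alone sees the password; consumers get scoped tokens instead."""

    def __init__(self):
        # Constructed sample user and address book; the password never leaves this object.
        self.users = {"alice": {"password": "correct horse battery staple",
                                "contacts": ["bob@example.com", "carol@example.com"]}}
        self.consumers = {CONSUMER_KEY: CONSUMER_SECRET}
        self.request_tokens, self.access_tokens, self.seen_nonces = {}, {}, set()

    def issue_request_token(self, consumer_key, scope):
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "consumer": consumer_key, "scope": scope,
                                    "user": None, "verifier": None}
        return tok, sec

    def user_authorizes(self, request_token, username, password):
        # The user authenticates here, at the provider, and approves the requested scope.
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise PermissionError("bad credentials")
        rt = self.request_tokens[request_token]
        rt["user"], rt["verifier"] = username, secrets.token_hex(4)
        return rt["verifier"]  # OAuth 1.0a verifier, carried back to the consumer by the user

    def exchange_for_access_token(self, consumer_key, request_token, verifier):
        rt = self.request_tokens.pop(request_token, None)
        if (rt is None or rt["consumer"] != consumer_key or rt["user"] is None
                or not hmac.compare_digest(rt["verifier"], verifier)):
            raise PermissionError("request token not authorized for this consumer")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "consumer": consumer_key, "user": rt["user"],
            "scope": rt["scope"], "uses_left": 1 if rt["scope"] == "contacts:read-once" else None}
        return tok, sec

    def get_contacts(self, url, params):
        """Protected resource: check consumer, replay, signature and scope, then enforce single use."""
        tok = self.access_tokens.get(params.get("oauth_token"))
        if tok is None or tok["consumer"] != params.get("oauth_consumer_key"):
            return 401, "unknown token or consumer"
        nonce = (params.get("oauth_nonce"), params.get("oauth_timestamp"))
        if nonce in self.seen_nonces:
            return 401, "replayed request"
        expected = hmac_sha1_signature(signature_base_string("GET", url, params),
                                       self.consumers[tok["consumer"]], tok["secret"])
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return 401, "bad signature"
        if not tok["scope"].startswith("contacts:read"):
            return 403, "token not authorized for contacts"
        if tok["uses_left"] == 0:
            return 403, "one-time token already used"
        if tok["uses_left"] is not None:
            tok["uses_left"] -= 1
        self.seen_nonces.add(nonce)
        return 200, list(self.users[tok["user"]]["contacts"])

def signed_get(url, access_token, token_secret):
    """Consumer side: sign a request with the consumer secret and token secret only."""
    params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": access_token,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
              "oauth_nonce": secrets.token_hex(8), "oauth_version": "1.0"}
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string("GET", url, params), CONSUMER_SECRET, token_secret)
    return params

def run_flow():
    # Whole exchange; nothing on the consumer side ever touches the password.
    provider = MailProvider()
    url = "https://mail.example.net/contacts"
    rt, _ = provider.issue_request_token(CONSUMER_KEY, "contacts:read-once")
    verifier = provider.user_authorizes(rt, "alice", "correct horse battery staple")
    at, at_secret = provider.exchange_for_access_token(CONSUMER_KEY, rt, verifier)
    first_request = signed_get(url, at, at_secret)
    return {"first": provider.get_contacts(url, first_request),
            "second": provider.get_contacts(url, signed_get(url, at, at_secret)),
            "replay": provider.get_contacts(url, first_request),
            "forged": provider.get_contacts(url, signed_get(url, at, "guessed-secret"))}
```

<div><br></div><div>Run it with any Python 3 interpreter and call run_flow(): the first signed request returns the address book, the second is refused with 403 because the token was scoped to a single download, a replay of the first request is refused on its nonce, and a request signed without the token secret fails signature verification. The two signing helpers follow the OAuth Core 1.0 base-string and HMAC-SHA1 rules and can be checked against the test vector in that specification's appendix; the token bookkeeping and the scope semantics are the demo's own.</div>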
<br><br><div class="gmail_quote">On Wed, Jan 14, 2009 at 6:28 AM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p><span style="font-size:11.0pt;color:#1F497D">I have yet to understand why people assert that type of OAuth
comment. I just don't understand OAuth well enough, yet.</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">Given all I know (from the OAuth spec), data providers can share
data with data consumers, once authorized by the user. Though any act of
authorization (or "delegated" authorization) requires first an act
of authentication (ideally with openid), the two security services are usually
designed to be independent.</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">In the websso world I come from, what Plaxo do is perfectly
normal. They "confirm" using a local procedure the authentication
statement in the assertion. That is, they declare that the assertion is not a
bearer-class assertion, which would have implicit confirmation. As a consequence
of that confirmation model, they confirm locally that the user controls the
email identifier delivered via the nice "form fill" function that
openid/sreg just performed.</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">In reality, Plaxo is performing name-federation with the user's email
identifier to the plaxo account. The verification model is really between the
mail/phone provider and Plaxo, not OP and RP. Even if the OP has already
performed that very same email confirmation (e.g. myopenid), the UCI model
means that Plaxo have no assurance that it was performed, or performed properly.
Thus, they do it themselves.</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">As Plaxo is oft-cited as a model OpenID RP by the protocol-designer
class of folk here, I had assumed that this RP-confirmation process was an INTENDED
deployment behavior of "model" RPs. I had ASSUMED that it was one
of those tradeoffs derived from the UCI mission – which gives the function
of survivability on the one hand, but takes away assurance on the other. One
rebuilds assurance by local confirmation, I guessed.</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">During one-time name-federation to Plaxo during (n) OpenID
registration(s) - and providing different OpenIDs can introduce different
email/phone accounts - I don't see this as a big deal. If Plaxo as
an RP were repeatedly confirming with the email/phone provider, then I'd agree –
something user-centric is needed (perhaps OAuth); as then the email
provider becomes a central control/authorization authority - governing the user's
ability to talk to Plaxo.</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> Andrew Arnott
[mailto:<a href="mailto:andrewarnott@gmail.com" target="_blank">andrewarnott@gmail.com</a>] <br>
<b>Sent:</b> Wednesday, January 14, 2009 6:06 AM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> Martin Atkins; OpenID List<br>
<b>Subject:</b> Re: [OpenID] Is OpenID truly user-centric and OP-independent?
(WAS: Bug in OpenID RP implementations)</span></p>
</div>
</div><div><div></div><div class="Wj3C7c">
<p> </p>
<p>Yes, I wish everyone could follow that model at Plaxo.</p>
<div>
<p> </p>
</div>
<div>
<p style="margin-bottom:12.0pt">But Plaxo would do well to
adopt OAuth. I noticed as soon as I created an account just now that they
wanted to <a href="http://blog.nerdbank.net/2008/10/why-oauth-can-be-ignored.html" target="_blank">take my
email password</a>. <br clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
</p>
<div>
<p>On Wed, Jan 14, 2009 at 5:51 AM, Peter Williams <<a href="mailto:pwilliams@rapattoni.com" target="_blank">pwilliams@rapattoni.com</a>> wrote:</p>
<div>
<div>
<p><span style="font-size:11.0pt;color:#1F497D">Add a plural s to the word
identity.</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">In policy language, the goal is
surely not attaining "independence" from the communications
infrastructure; but achieving "autonomy".</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">This is nicely seen in the
Plaxo model for building RPs, where you can bind n OpenIDs to the Plaxo
account. As a user, you can invoke any one of these identification paths. If
Flickr suspends your account (which they are wont to do), there is no downside
to you at Plaxo. Survivability is built in, with automatic, dynamic re-routing
around the congestion point.</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p style="margin-bottom:12.0pt"><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a> [mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>]
<b>On Behalf Of </b>Andrew Arnott<br>
<b>Sent:</b> Wednesday, January 14, 2009 5:35 AM<br>
<b>To:</b> Martin Atkins</span></p>
<div>
<p>In fact, I've become convinced that there is no way to allow a user to
maintain his own OpenID identity independent of any OP or ISP given the profile
of a common Internet user today.</p>
</div>
</div>
</div>
<div>
<p> </p>
</div>
<div>
<p> </p>
</div>
</div>
</div>
</div>
</div>
<p> </p>
</div>
</div></div></div>
</div>
</div>
</blockquote></div><br></div>