It is interesting how a discussion on a relatively simple extension proposal which was motivated by:<br><br>1. Users saying in usability study after usability study that they are more comfortable with the Facebook-Connect style login flow than the full browser redirect model.<br>
<br>2. Potential RPs demanding popup UI flows in order to adopt the scheme as they do not want their users to lose the context of their site.<br><br>3. IDPs listening to the same demand again and again and deciding to propose an _optional_ feature that RPs can choose to interact with their users<br>
<br>Became a philosophical discussion on issues from user-centric philosophy to anti-phishing to trust models on certificates.<br><br>Reality: The proposed WG suggests that RPs who want to can add a couple of parameters to their URL requests to indicate to OPs (that advertise the feature) that they embraced a fancy-dancy popup UI that makes their users happier. They could already do this by hardcoding window sizes for the OPs that they care about. IDPs could just document their favorite window sizes as non-standard "enhancements" and force RPs (at least those who care for their users) to embrace per-OP customization of window sizes as a fait accompli.<br>
<br>Perception: Run for the hills: OpenID is being corrupted! It will become a phishing haven! It has sold its soul!<br><br>Or, as every San Franciscan knows it: The city was best when I moved in, and has gone downhill ever since. :)<br>
<br><br><div class="gmail_quote">On Fri, Mar 20, 2009 at 6:44 PM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Openid clearly started with the OP being someone's blogsite - expecting there to be millions of OPs (i.e. you and me) and equal number of RPs. Clearly, vanity delegation was nothing more than adding a few meta tags to your blog's html home page, giving one the ability to use various of your blog site URLs facilitating portability. Even I managed to test all that (in its essentially original openid1.1 form), and I'm technically incompetent. And RP was an authenticated comment handler ...on someone's blog site. If the blog provider was hosted (by blogspot), fine. Or, a wordpress installation of a blog server on your enterprise gateway was just as legitimate to hosted blogs in livejournal, say. Host a server yourself or be a tenant of a blogservice - it made no difference to your status as an OP.<br>
<br>
Now, we never hear of that world any longer. The founders seem to change orientation, right about the time I started focusing on openid. And to be fair, it was and still is the mega-OP with openid2 capabilities that drives our commercial interest (seeing as they can now handle the ~6 million accounts of users who occasionally come to our site, now to authenticate using websso - or "identity verification"). At the same time, for realtors themselves (vs the public who search realtor listings), the peer-peer model is also important; and there are a million of these (each with their own web2.0 portal, offering a variety of "professional" services to their homeowner clients).<br>
<br>
Since Openid2, all I ever hear is about yahoo, paypal, google, facebook, myspace and live - who will each govern (n00 million) users. The users (and nominal owners of a blog site) are no longer the OP: s/he is merely a "subscriber" to an OP service - which will "speak for" the "site owner" under their brand rather than the individual's "brand". The rules and interaction with an RP will be the OP's decision (no longer the subscriber). If the subscriber wants to do this or that trust model with the RPs, it is now irrelevant. You want to use Yahoo, it WILL be ssl and their UI design rules (whether the original OP/site wants it, or not).<br>
<br>
Am I wrong that the founders (who obviously knowingly migrated to the world of openid2, and directed id in particular) changed focus? Did you move the notion of OPs from being those x00,000 owners of blog sites (who can set their own policy) to the (small number of) large portal firms that now host n00,000 "tenants" each - all acting under a single brand and security policy?<br>
<div class="im"><br>
<br>
> -----Original Message-----<br>
> From: <a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a> [mailto:<a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a>] On<br>
</div><div class="im">> Behalf Of Martin Atkins<br>
> Sent: Friday, March 20, 2009 4:27 PM<br>
> To: <a href="mailto:general@openid.net">general@openid.net</a><br>
> Subject: Re: [OpenID] Fwd: [OpenID Foundation] New Poll Opened<br>
><br>
</div><div class="im">> Peter Williams wrote:<br>
> ><br>
> > OpenID on the<br>
</div>> > other hand started peer/peer, and is rapidly heading into the TTP
<div><div></div><div class="h5">> space<br>
> > (where I suspect its founders wanted it all along).<br>
> ><br>
><br>
> Your suspicions are incorrect.<br>
><br>
> Its "founders" (which I choose to understand as those who started the<br>
> project, which started with Brad Fitzpatrick and fanned out to a number<br>
> of others including myself) imagined it originally as a solution to the<br>
> problem of allowing users of LiveJournal.com to leave comments on<br>
> DeadJournal.com and vice-versa; that it ended up being a user-centric,<br>
> decentralized system is largely a symptom of the culture of the<br>
> LiveJournal developers.<br>
><br>
> The original OpenID was designed to operate without SSL at all, with<br>
> parties establishing associations on the fly with no verification, and<br>
> it remains that way today on LiveJournal.com. Some folks wanted the<br>
> benefits that SSL brings, and that's fine... no-one's forcing you to<br>
> use<br>
> SSL right now. I fought SSL being a requirement for OpenID 2.0 and I<br>
> will continue to fight it as I believe it should be up to each party to<br>
> decide whether it needs the benefits SSL provides.<br>
><br>
><br>
> _______________________________________________<br>
> general mailing list<br>
> <a href="mailto:general@openid.net">general@openid.net</a><br>
> <a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>--Breno<br><br>+1 (650) 214-1007 desk<br>+1 (408) 212-0135 (Grand Central)<br>MTV-41-3 : 383-A <br>PST (GMT-8) / PDT(GMT-7)<br>