<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I’m supportive of the OAuth stack and the OpenID stack cooperating
closely. What I don’t want is to change the core model of OpenID –
the UCI part. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In User-centric OpenID, there are already rather too many
signals that certain OPs are intending to run a policy-based “management regime”
for the web similar to how Facebook runs its “plugin providers.” That
is: the plugins cannot even “exist” without Facebook, and are
subject to Facebook’s rules on how identities are managed and how
personal attributes flow. Now, while that control model works quite naturally in
the Facebook world (since it’s a voluntary portal-plugin model), does it
work for the web – where OPs and RPs are peers?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>We also have to look at Microsoft’s own (WS-Fed and now SAML2)
profile work (and *<b>probably</b>* OpenID/OAuth work) – remembering that
they have an established profile of websso aimed at DRM enforcement – at the
attribute level. The attributes are not owned by users SPECIFICALLY in this profile
world; they are the property of the OP. The only role the user has is one
of using the OP as an agent; and the only role the RP has is to remotely enforce
the OP’s control regime. In this world, should the user ask the RP to do X with
his/her attributes, the answer will be no – as the RP will not even have
the technical means to circumvent the OP’s policy, due to the DRM controls wrapped
around their handling of the SAML/OpenID attributes. How that world would handle
the notion that n OPs could link in parallel to a single RP account - and thus neither
would have exclusive control over the projection of the user store at the
RP - I don’t know!<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Now, I would not really object to any of the above even in the embodiment
of OpenID+OAuth vs SAML+IGF if I saw a balance: between TTP OPs (much
like the SSL world’s TTP-class CAs, such as VeriSign), and non-TTP OPs (much like
the SSL world’s half billion self-signed, unmanaged CAs operated by users in
their homes).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>But I don’t see much evidence of the non-TTP OP emerging, beyond
the JanRain efforts – where they were making good architectural progress
in outsourcing OP functions to anyone. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
general-bounces@openid.net [mailto:general-bounces@openid.net] <b>On Behalf Of </b>Andrew
Arnott<br>
<b>Sent:</b> Friday, April 03, 2009 9:25 PM<br>
<b>To:</b> santrajan<br>
<b>Cc:</b> general@openid.net<br>
<b>Subject:</b> Re: [OpenID] OAuth SPs don't have to be your OpenID OP<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-right:0in'>
<p class=MsoNormal>Why should OpenID support OAuth at all? OpenID can stand on
its own. All<br>
OpenID needs to do is address the concerns of RPs and users.<o:p></o:p></p>
</blockquote>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Why? Because in your own words "OpenID needs to
... address the concerns of RPs and users". OAuth protects users,
and aids RPs. Yes, OpenID and OAuth can and do stand on their own.
But if they are to be used together, it can be confusing and cumbersome
to users unless we work to streamline the process.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Pure and simple.<o:p></o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>