The main topic of this thread is how to come up with a better description of OpenID. <div>To do that, making a contrast with OAuth is rather useful, as both OpenID and OAuth are members of the OpenStack family. </div><div><br></div>
<div>=nat</div><div><div><br><div class="gmail_quote">On Wed, Jun 9, 2010 at 10:38 PM, Thomas Hardjono <span dir="ltr"><<a href="mailto:identity@hardjono.net">identity@hardjono.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Courier New";color:#1F497D">Apologies for my newbie question: are we defining OAuth here?
(i.e. are we talking about the same OAuth 2.0 that is being developed in the
IETF or is it a different OAuth).</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Courier New";color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Courier New";color:#1F497D">Thanks.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Courier New";color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Courier New";color:#1F497D">/thomas/</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Courier New";color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Courier New";color:#1F497D"> </span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;color:windowtext">From:</span></b><span style="font-size:10.0pt;color:windowtext"> <a href="mailto:openid-general-bounces@lists.openid.net" target="_blank">openid-general-bounces@lists.openid.net</a>
[mailto:<a href="mailto:openid-general-bounces@lists.openid.net" target="_blank">openid-general-bounces@lists.openid.net</a>] <b>On Behalf Of </b>Nat
Sakimura<br>
<b>Sent:</b> Wednesday, June 09, 2010 2:23 AM<br>
<b>To:</b> <a href="mailto:openid-general@lists.openid.net" target="_blank">openid-general@lists.openid.net</a></span></p><div><div></div><div class="h5"><br>
<b>Subject:</b> Re: [OpenID] Definition of OpenID</div></div><p></p>
</div>
</div><div><div></div><div class="h5">
<p class="MsoNormal"> </p>
<p class="MsoNormal">(2010/06/08 21:32), Andy Powell wrote: </p>
<p class="MsoNormal"><span style="font-size:10.5pt">I
suspect we need at least two variants, one for a general audience and one more
technically correct ;-).</span></p>
<p class="MsoNormal"><span style="font-size:10.5pt"> </span></p>
<p class="MsoNormal"><span style="font-size:10.5pt">I
find your proposed wording for OAuth (“<i>OAuth is a protocol that allows
one to delegate the access authorization to a resource to a third party</i>”)
somewhat problematic since it’s not overly clear what is being delegated
to who? Tbh, I prefer the current wording at <a href="http://oauth.net/" target="_blank">http://oauth.net/</a>
(“<i>An open protocol to allow secure API authorization in a simple and
standard method from desktop and web applications</i>”) – I think
there is a subtle distinction between ‘allowing authorization’ and
‘doing authorization’ which makes this wording OK.</span></p>
<p class="MsoNormal"><span style="font-size:10.5pt"> </span></p>
<p class="MsoNormal"><span style="font-size:10.5pt">On
that basis, how about something like the following:</span></p>
<p class="MsoNormal"><span style="font-size:10.5pt"> </span></p>
<p class="MsoNormal"><b><span style="font-size:10.5pt">General
audience</span></b></p>
<p class="MsoNormal"><span style="font-size:10.5pt"> </span></p>
<p class="MsoNormal"><span style="font-size:10.5pt">OpenID
allows you to use an existing website account to sign in to multiple other
websites, without needing to create any new passwords.</span></p>
<p class="MsoNormal">To me, this emphasizes the "login" too much.
OpenID is not about login. <br>
<br>
From my experience, "General Audience" is too broad. When I am
forced to speak about it, <br>
I change my explanation. <br>
<br>
For example, to explain it to a mom with a kid who plays Nintendo's Wii, <br>
I go like: <br>
<br>
Me: "Do you know Wii?" <br>
Mom: "Yes!"<br>
Me: "Then you must know Mii."<br>
Mom: "Of course!"<br>
Me: "You created Mii because you just cannot get into the machine. So, Mii
looks like you, has your nickname, and so on. If you are playing Wii fit, it
records your weight and other activity logs, and you go to games using your Mii.
At the game, the Mii tells the game keeper required information on behalf of you.
In fact, Mii is yourself in Wii. That's called Digital Identity. Do you get
it?"<br>
Mom: "Sure."<br>
Me: "To use your Mii, you have to establish your right to control that
Mii. Usually, you do this with PIN on the remote. <br>
That is called Authentication."<br>
Mom: "OK. That's easy."<br>
Me: "Unfortunately, Mii can only live in Nintendo Wii. It just cannot live
in any other places. <br>
To make it possible for Mii to go to various places in the internet, those
places must understand Mii. <br>
To make it up, we have to 'open up' Mii so that everybody can understand what
that Mii is saying or doing. <br>
That's OpenMii. OpenID is one such thing, a standardized Digital Identity for
the Internet."<br>
<br>
It seems to work remarkably well on those moms and kids. <br>
At the same time, it does not work for somebody who never saw a Mii. <br>
<br>
<br>
<br>
</p>
<p class="MsoNormal"><span style="font-size:10.5pt"> </span></p>
<p class="MsoNormal"><span style="font-size:10.5pt">OAuth
allows you to access a website using a desktop or web-based application,
without needing to type the username and password for that website into the
application.</span></p>
<p class="MsoNormal">What about "without telling the username and password
to that application"<br>
<br>
</p>
<p class="MsoNormal"><span style="font-size:10.5pt"> </span></p>
<p class="MsoNormal"><b><span style="font-size:10.5pt">Technical
audience</span></b></p>
<p class="MsoNormal"><span style="font-size:10.5pt"> </span></p>
<p class="MsoNormal"><span style="font-size:10.5pt">OpenID
is an open standard digital identity framework that allows attributes about an
authenticated user to be passed from one website (the OpenID provider) to another
(the relying party), usually for the purposes of authorizing access.</span></p>
<p class="MsoNormal">We need to include the "user control/authorization of
the attribute release". It is one of the most important concepts around
OpenID. "usually for the purposes of authorizing access" is a bit
confusing. We need to specify who is authorizing what access, if we were to
write it. <br>
<br>
What about something like: <br>
<br>
OpenID is an open standard Digital Identity Framework that passes the
authorization decision and attributes/data of an authenticated user from one
website (the OpenID provider) to another (the relying party). </p>
<p class="MsoNormal"><span style="font-size:10.5pt"> </span></p>
<p class="MsoNormal"><span style="font-size:10.5pt">OAuth
is an open standard protocol that allows simple and secure API authorization
from desktop and web-based applications.</span></p>
<p class="MsoNormal">The main concept of OAuth, the access authorization
__delegation__, is gone from this definition. <br>
<br>
What about this: <br>
<br>
"OAuth is an open standard protocol that allows the access authorization
to an API to be given to an application without disclosing the user's
credential."<br>
<br>
</p>
<p class="MsoNormal"><span style="font-size:10.5pt"> </span></p>
<p class="MsoNormal"><span style="font-size:10.5pt">??</span></p>
<p class="MsoNormal"><span style="font-size:10.5pt"> </span></p>
<p class="MsoNormal"><span style="font-size:10.5pt">Andy</span></p>
<p class="MsoNormal"><span style="font-size:10.5pt"> </span></p>
<p class="MsoNormal"><span style="font-size:10.5pt">--</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#7030A0">Andy Powell</span></p>
<p class="MsoNormal"><span style="font-size:10.5pt">Research
Programme Director</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#7030A0">Eduserv</span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;color:#7030A0">t:</span><span style="font-size:10.5pt">
01225 474319</span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;color:#7030A0">m:</span><span style="font-size:10.5pt">
07989 476710</span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;color:#7030A0">twitter:</span><span style="font-size:10.5pt">
@andypowe11</span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;color:#7030A0">blog:</span><span style="font-size:10.5pt">
<a href="http://efoundations.typepad.com" target="_blank">efoundations.typepad.com</a></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt"> </span></p>
<p class="MsoNormal"><span style="font-size:10.5pt"><a href="http://www.eduserv.org.uk" target="_blank">www.eduserv.org.uk</a> </span></p>
<p class="MsoNormal"><span style="font-size:10.5pt"> </span></p>
<div style="border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;border-color:-moz-use-text-color -moz-use-text-color">
<p class="MsoNormal"><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> <a href="mailto:openid-general-bounces@lists.openid.net" target="_blank">openid-general-bounces@lists.openid.net</a>
[<a href="mailto:openid-general-bounces@lists.openid.net" target="_blank">mailto:openid-general-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Nat Sakimura<br>
<b>Sent:</b> 08 June 2010 11:35<br>
<b>To:</b> David Recordon<br>
<b>Cc:</b> <a href="mailto:openid-general@lists.openid.net" target="_blank">openid-general@lists.openid.net</a><br>
<b>Subject:</b> Re: [OpenID] Definition of OpenID</span></p>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Would love to have a more readable rewrite. </p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">We should make an authoritative punch line that we can use
at many places, </p>
</div>
<div>
<p class="MsoNormal">including wikipedia. </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">=nat</p>
</div>
<div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">On Tue, Jun 8, 2010 at 4:40 PM, David Recordon <<a href="mailto:recordond@gmail.com" target="_blank">recordond@gmail.com</a>> wrote:</p>
<p class="MsoNormal">We wrote <a href="http://openid.net/get-an-openid/what-is-openid/" target="_blank">http://openid.net/get-an-openid/what-is-openid/</a>
a year or two<br>
ago. It's far more of a product definition than a technical one, but<br>
supports what you wrote. Ever since we made OpenID 2.0 extensible and<br>
a combination of other technologies a few years ago it's been a<br>
framework.<br>
<br>
As you point out, OpenID has never done user authentication itself.<br>
Rather that's handled by cookies, passwords, tokens, certs, etc.<br>
OpenID does however perform authentication from the provider to the<br>
relying party once the user has authenticated and granted<br>
authorization.<br>
<br>
So yes, I agree with your definitions but would rewrite them and<br>
clarify the intended audience. (Unfortunately 1am isn't a good time<br>
for me to propose better wording.)<br>
<br>
--David</p>
<div>
<div>
<p class="MsoNormal"><br>
<br>
On Tue, Jun 8, 2010 at 12:31 AM, Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>> wrote:<br>
> Many people say that OpenID is for Authentication and OAuth is for<br>
> Authorization.<br>
> This does not seem to be an accurate statement.<br>
> In fact, OpenID does not do the "authentication" in the narrow meaning and<br>
> OAuth does not do the "authorization" in the narrow meaning.<br>
> More accurate characterization would be something like:<br>
> OpenID is a Digital Identity Framework that conveys the authorization<br>
> decision and identity attributes/data of an authenticated identity from the<br>
> identity provider (OpenID provider, OP) to a requesting party called relying<br>
> party (RP).<br>
> OAuth is a protocol that allows one to delegate the access authorization to<br>
> a resource to a third party. (<= need better wording.)<br>
> Any discussion?<br>
><br>
> --<br>
> Nat Sakimura (=nat)<br>
> <a href="http://www.sakimura.org/en/" target="_blank">http://www.sakimura.org/en/</a><br>
> <a href="http://twitter.com/_nat_en" target="_blank">http://twitter.com/_nat_en</a><br>
></p>
</div>
</div>
<p class="MsoNormal">> _______________________________________________<br>
> general mailing list<br>
> <a href="mailto:general@lists.openid.net" target="_blank">general@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
><br>
></p>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<br>
-- <br>
Nat Sakimura (=nat)<br>
<a href="http://www.sakimura.org/en/" target="_blank">http://www.sakimura.org/en/</a><br>
<a href="http://twitter.com/_nat_en" target="_blank">http://twitter.com/_nat_en</a></p>
</div>
<p class="MsoNormal"><br>
<br>
<br>
</p>
<pre>-- </pre><pre>Nat Sakimura (<a href="mailto:n-sakimura@nri.co.jp" target="_blank">n-sakimura@nri.co.jp</a>)</pre><pre>Nomura Research Institute, Ltd. </pre><pre>Tel:+81-3-6274-1412 Fax:+81-3-6274-1547</pre><pre> </pre>
</div></div></div>
</div>
</div>
<br></blockquote></div><br><br clear="all"><br>-- <br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en">http://twitter.com/_nat_en</a><br>
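As an added illustration of the distinction drawn in the thread (this is a constructed model, not code from the thread or from any OpenID or OAuth implementation): the OP authenticates the user and conveys the authorization decision plus only the attributes the user chose to release to the RP, which never sees a password; on the OAuth side the user's credential goes to the authorization server, and the application receives only a scoped grant it can present to the API. All names, keys and the user record are assumptions.

```python
import hmac, hashlib, json

# Constructed toy model; the secrets and the user record are assumptions.
OP_RP_SECRET = b"constructed-op-rp-association-secret"   # OP <-> RP shared secret
AS_API_SECRET = b"constructed-authz-server-api-secret"   # authz server <-> API secret
USER_DB = {"alice": {"password": "hunter2",
                     "attrs": {"email": "alice@example.invalid", "age": 34}}}

def _sign(key, payload):
    # Serialize deterministically and append an HMAC-SHA256 tag.
    body = json.dumps(payload, sort_keys=True)
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def _verify(key, msg):
    # The tag is hex, so the last "." always separates body from tag.
    body, _, tag = msg.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(tag, expected) else None

# OpenID side: the OP authenticates the user and conveys the decision plus
# the attributes the user released; the RP only checks the assertion.
def op_assertion(user, password, requested, user_releases):
    if USER_DB.get(user, {}).get("password") != password:
        return None                      # authentication failed at the OP
    released = {k: v for k, v in USER_DB[user]["attrs"].items()
                if k in requested and k in user_releases}
    return _sign(OP_RP_SECRET, {"authorized": True, "identity": user, "attrs": released})

def rp_consume(assertion):
    claims = _verify(OP_RP_SECRET, assertion)
    return (claims["identity"], claims["attrs"]) if claims and claims["authorized"] else None

# OAuth side: the credential goes to the authorization server, not to the
# application; the application only receives a scoped grant for the API.
def as_delegate(user, password, scope):
    if USER_DB.get(user, {}).get("password") != password:
        return None
    return _sign(AS_API_SECRET, {"sub": user, "scope": sorted(scope)})

def api_call(token, needed):
    claims = _verify(AS_API_SECRET, token)
    return claims["sub"] if claims and needed in claims["scope"] else None
```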
</div></div>