[security] security

Chris Drake christopher at pobox.com
Sat Oct 28 19:07:32 UTC 2006


Hi Martin,

Ahh - I see now.  We all read "OpenID is an open, decentralized, free
framework for user-centric digital identity.", but you are merely
trying to build an "I own this URL" framework - excluding the bits
relating to authentication and handling of identity matters.

I do not want to discourage your development - a standard for this
kind of thing can actually be useful.  I would like to propose that
you find a more appropriate name for your framework - since it is not
related to Authentication, nor suitable for the handling of identity
matters.

OpenID (which will use your newly named component as one small part)
can then progress in the direction of Authentication, security, and
utility for built-in identity-handling - with the ultimate goal of
trying to achieve its purpose, as stated on the OpenID.net home page.

Kind Regards,
Chris Drake


Sunday, October 29, 2006, 2:00:42 AM, you wrote:

MA> Chris Drake wrote:
>> Hi Martin,
>> 
>> MA> I prefer
>> MA> the design principle of having lots of simple, focused components that
>> MA> solve only one problem.
>> 
>> Please show us your list of problems that you believe OpenID solves,
>> and the components that make up the solutions.
>> 

MA> The spec that we are calling "OpenID Authentication" provides a protocol
MA> for an RP to ask an IdP whether some user controls a given URI.

MA> It specifies the use of another protocol — Yadis — as a mechanism to
MA> discover a list of IdPs that will answer for a given URI.

MA> Anything else is outside of the scope of OpenID Authentication.

MA> You will probably note that OpenID 2.0 has grown this scope a small
MA> amount with the concept of directed identity, which provides a mechanism
MA> for an RP to ask an IdP to respond with a URL that somehow represents a
MA> user. [1]

MA> Notice that I'm distinguishing between "OpenID Authentication", which is
MA> the spec we're currently working on, and "OpenID" itself, which I hope
MA> will slowly grow into a suite of inter-operable technologies
MA> related to decentralized identity.

MA> There are a few other specs currently being considered which are related
MA> to, but are not part of, OpenID Authentication:
MA>    * "Simple Registration", for automating the provision of simple
MA>     user profile information to RPs.
MA>    * "Attribute Exchange", which I'm not really following and don't know
MA>     much about.

MA> ...and obviously, there's a lot of debate about how RPs should determine
MA> whether to trust particular IdPs and identifiers, but as far as I'm
MA> aware no-one is working on any concrete proposals related to this right
MA> now. I imagine this will become an area of focus for lots of people once
MA> OpenID Authentication 2.0 is finished.

MA> -------

MA> [1] I personally would have preferred directed identity as a separate
MA> spec, but there we go. You can't win 'em all. :)

MA> _______________________________________________
MA> security mailing list
MA> security at openid.net
MA> http://openid.net/mailman/listinfo/security 





