Building identity on top of OAuth 2.0?

John Bradley john.bradley at wingaa.com
Wed May 19 14:49:28 UTC 2010 

From conversations at IIW, I would say that David/Facebooks design goal is something as simple as possible for RP to get the minimum information.

That may well translate into weak, in this version of the proposal.

Talking to Brenno and others, variations on this approach may be significantly less weak. 

Once there is a openID WG considering the issue under our IPR policy I will feel significantly more comfortable contributing.

As a community director doing openID standards development outside of the foundation is not something that I can personally participate in.

I am looking forward to the vNext working group getting to work.

I hope as a member you will be participating as well.

Regards 

John B.
On 2010-05-19, at 2:25 AM, Ben Laurie wrote:

> 
> 
> On 16 May 2010 00:57, David Recordon <recordond at gmail.com> wrote:
> The past few months I've had a bunch of one on one conversations with a lot of different people – including many of folks on this list – about ways to build a future version of OpenID on top of OAuth 2.0. Back in March when I wrote a draft of OAuth 2.0 I mentioned it as one of my future goals as well (http://daveman692.livejournal.com/349384.html).
> 
> Basically moving us to where there's a true technology stack of TCP/IP -> HTTP -> SSL -> OAuth 2.0 -> OpenID -> (all sorts of awesome APIs). Not just modernizing the technology, but also focusing on solving a few of the key "product" issues we hear time and time again.
> 
> I took the past few days to write down a lot of these ideas and glue them together. Talked with Chris Messina who thought it was an interesting idea and decided to dub it "OpenID Connect" (see http://factoryjoe.com/blog/2010/01/04/openid-connect/). And thanks to Eran Hammer-Lahav and Joseph Smarr for some help writing bits of it!
> 
> So, a modest proposal that I hope gets the conversation going again. http://openidconnect.com/
> 
> If the goal is to get something as weak as possible without it instantly collapsing around your ears, then this sounds like a great plan.
> 
> If, OTOH, you are interested in actually protecting peoples' identities, then OAuth 2.0 doesn't seem like a great starting point.
>  
> 
> --David
> 
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
> 
> 
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20100519/1e754d95/attachment.htm>

More information about the specs mailing list