On Mon, Apr 19, 2010 at 8:38 PM, Nate Klingenstein <span dir="ltr">&lt;<a href="mailto:ndk@internet2.edu">ndk@internet2.edu</a>&gt;</span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
This service, again, does many things we're uncomfortable with: stores active user sessions at third parties, stores trust lists on behalf of third parties, tightly couples a specific discovery service to the rest of the federated identity infrastructure, and contingent on other checks, it could present its users' bearer tokens/sessions, if those are represented by extenders' XAuth tokens.<br>
<br>
As I mentioned earlier, I can think of ways I could leverage XAuth to avoid some of those drawbacks, but not others. I'm not against trusted services: they're important and necessary for infrastructure. I'm not suggesting any of those attacks is probable. But it means <a href="http://xauth.org" target="_blank">xauth.org</a> would have to be an immensely trusted and well-governed service, and federated identity infrastructure would be much more centralized than it is today.<br>
<br>
So, having it randomly pop up from Meebo based on a bunch of ideas floated by Google with absolutely no information about governance, ownership, security measures, etc. gives me the willies. Address some of those things, confirm that the appropriation I described earlier is okay, and I'll feel a little better, maybe even like this could be useful.<br>
<br></blockquote><div>The place to address these issues is on the XAuth list:</div><div><br></div><div><a href="http://groups.google.com/group/xauth">http://groups.google.com/group/xauth</a></div><div><br></div><div>The issues you raise are all the right ones, and the answers are not well formulated yet.</div>
<div><br></div><div>That said, Meebo demonstrated a very strong desire to be able to move "at a startup's pace" and really just get something out to demonstrate a concept in practice (to a new audience, I suppose!) and then iterate from here.</div>
<div><br></div><div>Less than perfect, yes, but ideal for making progress and forcing these conversations into concrete outcomes.</div><div><br></div><div>Chris</div></div><br>-- <br>Chris Messina<br>Open Web Advocate, Google<br>
<br>Personal: <a href="http://factoryjoe.com">http://factoryjoe.com</a><br>Follow me on Buzz: <a href="http://buzz.google.com/chrismessina">http://buzz.google.com/chrismessina</a> <br>...or Twitter: <a href="http://twitter.com/chrismessina">http://twitter.com/chrismessina</a> <br>
<br>This email is: [ ] shareable [X] ask first [ ] private<br>