On Wed, May 19, 2010 at 7:49 AM, John Bradley <span dir="ltr">&lt;<a href="mailto:john.bradley@wingaa.com">john.bradley@wingaa.com</a>&gt;</span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="word-wrap:break-word">From conversations at IIW, I would say that David/Facebook's design goal is something as simple as possible for RP to get the minimum information.</div></blockquote><div><br></div><div>I wouldn't say that these are just my design goals; what I proposed is very similar to even what Twitter shipped a few years ago on OAuth 1.0.</div>
<div><br></div><div><a href="http://apiwiki.twitter.com/Sign-in-with-Twitter">http://apiwiki.twitter.com/Sign-in-with-Twitter</a></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="word-wrap:break-word"><div>That may well translate into weak, in this version of the proposal.</div><div><br></div><div>Talking to Brenno and others, variations on this approach may be significantly less weak. </div>
<div><br></div><div>Once there is an OpenID WG considering the issue under our IPR policy I will feel significantly more comfortable contributing.</div><div><br></div><div>As a community director, doing OpenID standards development outside of the foundation is not something that I can personally participate in.</div>
<div><br></div><div>I am looking forward to the vNext working group getting to work.</div><div><br></div><div>I hope as a member you will be participating as well.</div><div><br></div><div>Regards </div><div><br></div><div>
John B.<div><div></div><div class="h5"><br><div><div>On 2010-05-19, at 2:25 AM, Ben Laurie wrote:</div><br><blockquote type="cite"><br><br><div class="gmail_quote">On 16 May 2010 00:57, David Recordon <span dir="ltr">&lt;<a href="mailto:recordond@gmail.com" target="_blank">recordond@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The past few months I've had a bunch of one on one conversations with a lot of different people – including many of the folks on this list – about ways to build a future version of OpenID on top of OAuth 2.0. Back in March when I wrote a draft of OAuth 2.0 I mentioned it as one of my future goals as well (<a href="http://daveman692.livejournal.com/349384.html" target="_blank">http://daveman692.livejournal.com/349384.html</a>).<div>
<br></div><div>Basically moving us to where there's a true technology stack of TCP/IP -> HTTP -> SSL -> OAuth 2.0 -> OpenID -> (all sorts of awesome APIs). Not just modernizing the technology, but also focusing on solving a few of the key "product" issues we hear time and time again.<div>
<br></div><div>I took the past few days to write down a lot of these ideas and glue them together. Talked with Chris Messina who thought it was an interesting idea and decided to dub it "OpenID Connect" (see <a href="http://factoryjoe.com/blog/2010/01/04/openid-connect/" target="_blank">http://factoryjoe.com/blog/2010/01/04/openid-connect/</a>). And thanks to Eran Hammer-Lahav and Joseph Smarr for some help writing bits of it!</div>
<div><br></div><div>So, a modest proposal that I hope gets the conversation going again. <a href="http://openidconnect.com/" target="_blank">http://openidconnect.com/</a></div></div></blockquote><div><br></div><div>If the goal is to get something as weak as possible without it instantly collapsing around your ears, then this sounds like a great plan.</div>
<div><br></div><div>If, OTOH, you are interested in actually protecting people's identities, then OAuth 2.0 doesn't seem like a great starting point.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div><div><br></div><font color="#888888"><div>--David</div></font></div></div>
<br>_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@lists.openid.net" target="_blank">specs@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
<br></blockquote></div><br>
</blockquote></div><br></div></div></div></div></blockquote></div><br>