Agreed. <a href="http://openidconnect.com/#associations">http://openidconnect.com/#associations</a><div><br><br><div class="gmail_quote">On Tue, May 25, 2010 at 11:11 AM, Monroe, Grant <span dir="ltr"><<a href="mailto:grant@janrain.com">grant@janrain.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">As long as the technology supports dynamic associations, and<br>
preregistration isn't the status quo for authentication, I'll be<br>
happy. I think that these basic facts have allowed OpenID to be even<br>
remotely successful.<br>
<font color="#888888">-- Grant<br>
</font><div><div></div><div class="h5"><br>
On Tue, May 25, 2010 at 10:00 AM, David Recordon <<a href="mailto:recordond@gmail.com">recordond@gmail.com</a>> wrote:<br>
> Grant, I don't disagree with you. I have however seen this sort of<br>
> whitelisting requirement from both the provider (i.e. AOL initially) and<br>
> consumer (i.e. Federal Government) sides. OpenID 1.0 and 2.0 allowed them to<br>
> do this. As Eran said, it's really not about the technology but rather<br>
> trust, liability, and policy. I also believe that most large providers will<br>
> support dynamic associations for accessing at least basic information and<br>
> others will not have any form of preregistration at all.<br>
> --David<br>
><br>
> On Tue, May 25, 2010 at 10:35 AM, Eran Hammer-Lahav <<a href="mailto:eran@hueniverse.com">eran@hueniverse.com</a>> wrote:<br>
>><br>
>> It isn't much different from white listing providers, or using buttons<br>
>> instead of an input box as is common today. Reality is that until we solve<br>
>> the legal issues around trust and liability, the technical solution doesn't<br>
>> matter. Standard machine readable TOS is just the first step. Figuring out<br>
>> the issue of liability is a much bigger issue which is key to any meaningful<br>
>> OpenID adoption.<br>
>><br>
>> I view the OpenID Connect proposal as a to-do list for the OAuth community<br>
>> to fill in the missing pieces. For example, OAuth needs to support endpoint<br>
>> discovery, unregistered clients, basic immediate mode and username support,<br>
>> and request and response signatures with either symmetric or asymmetric<br>
>> secrets. These are all *OAuth* elements that should be standardized by the<br>
>> OAuth community in the IETF.<br>
>><br>
>> However, putting these components together for a coherent identity<br>
>> framework is what I expect from the OpenID community. It will probably mean<br>
>> that the OpenID WG will need to work closely with the OAuth WG and provide<br>
>> feedback and requirements. But at the end, someone will need to write a spec<br>
>> that puts this all together and that should be the OpenID foundation, even<br>
>> if this spec is not much more than glue.<br>
>><br>
>> EHL<br>
>><br>
>> > -----Original Message-----<br>
>> > From: <a href="mailto:openid-specs-bounces@lists.openid.net">openid-specs-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-specs-bounces@lists.openid.net">openid-specs-bounces@lists.openid.net</a>] On Behalf Of Monroe, Grant<br>
>> > Sent: Tuesday, May 25, 2010 5:36 AM<br>
>> > To: David Recordon<br>
>> > Cc: Joseph Smarr; OpenID Board (public); <a href="mailto:openid-specs@lists.openid.net">openid-specs@lists.openid.net</a><br>
>> > Subject: Re: Why Connect?<br>
>> ><br>
>> > > Eran Hammer-Lahav (with a +1 from Chuck Mortimore):<br>
>> > >><br>
>> > >> My guess is that an OAuth identity layer will not be a good thing for<br>
>> > >> OpenID adoption. OAuth providers will get it for free.<br>
>> ><br>
>> > You know what's not good for adoption? Having to go to 20 different<br>
>> > developer portals. Trying to figure out how to create an OAuth<br>
>> > application in 20 different ways. Verifying your domain in 20 different<br>
>> > ways. Agreeing to 20 different terms of service.<br>
>> ><br>
>> > I know that the OpenID Connect proposal mentions an association step,<br>
>> > but if all the major providers wind up requiring preregistration, it is a<br>
>> > moot point. My gut is that using OAuth as the base will be very good for a<br>
>> > few players, and bad for identity on the whole.<br>
>> ><br>
>> > --<br>
>> > Grant Monroe<br>
>> > JanRain, Inc.<br>
>> > _______________________________________________<br>
>> > specs mailing list<br>
>> > <a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>
>> > <a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
><br>
><br>
</div></div></blockquote></div><br></div>