I would be happy with any of these organizations running <a href="http://xauth.org">xauth.org</a>. I believe the problem is not prying the site loose from anyone's grip, but finding a stable home for it with enough budget, longevity, and credibility to make it work.<div>
<br clear="all"><div dir="ltr">--<br>John Panzer / Google<br><a href="mailto:jpanzer@google.com" target="_blank">jpanzer@google.com</a> / <a href="http://www.abstractioneer.org/" target="_blank">abstractioneer.org</a> / @jpanzer</div>
<br><div class="gmail_quote">On Tue, Jun 8, 2010 at 1:59 PM, Dick Hardt <span dir="ltr"><<a href="mailto:dick.hardt@gmail.com">dick.hardt@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
I am opposed to the OIDF running it. Might make sense for OIX, but I am not involved in that organization.<br>
<div><div></div><div class="h5"><br>
On 2010-06-08, at 11:31 AM, David Recordon wrote:<br>
<br>
> I am opposed given that it's unclear how the operational costs would<br>
> be covered and there is increased liability since whomever runs the<br>
> domain could do something malicious with the data. At least the OpenID<br>
> Foundation isn't setup to provide this sort of infrastructure today.<br>
><br>
> --David<br>
><br>
><br>
> On Tue, Jun 8, 2010 at 11:29 AM, Brian Kissel <<a href="mailto:bkissel@janrain.com">bkissel@janrain.com</a>> wrote:<br>
>> Are folks opposed to the OIDF or OIX running the domain? Don has<br>
>> suggested that in the past. If not them, any other suggestions?<br>
>><br>
>> Cheers,<br>
>><br>
>> Brian<br>
>> ___________<br>
>><br>
>> Brian Kissel<br>
>> CEO - JanRain, Inc.<br>
>> <a href="mailto:bkissel@janrain.com">bkissel@janrain.com</a><br>
>> Mobile: 503.342.2668 | Fax: 503.296.5502<br>
>> 519 SW 3rd Ave. Suite 600 Portland, OR 97204<br>
>><br>
>> Increase registrations, engage users, and grow your brand with RPX. Learn<br>
>> more at <a href="http://www.rpxnow.com" target="_blank">www.rpxnow.com</a><br>
>><br>
>><br>
>> -----Original Message-----<br>
>> From: <a href="mailto:openid-specs-bounces@lists.openid.net">openid-specs-bounces@lists.openid.net</a><br>
>> [mailto:<a href="mailto:openid-specs-bounces@lists.openid.net">openid-specs-bounces@lists.openid.net</a>] On Behalf Of Allen Tom<br>
>> Sent: Tuesday, June 08, 2010 11:24 AM<br>
>> To: Eran Hammer-Lahav; John Panzer<br>
>> Cc: <a href="mailto:openid-specs@lists.openid.net">openid-specs@lists.openid.net</a><br>
>> Subject: Re: XAuth critiques<br>
>><br>
>> I think that nearly everyone agrees that many of the UX, privacy, and<br>
>> security issues that we have today with internet identity could<br>
>> potentially<br>
>> be solved using new identity features baked into browsers.<br>
>><br>
>> However, while we wait for users to have browsers that support these<br>
>> features, is there something that we can deploy today? Xauth could be an<br>
>> interim solution until we do have support in the browser. It is<br>
>> conceivable<br>
>> that browsers could reuse the same Xauth JS interface.<br>
>><br>
>> Again - I don't see why we can't work on both server based and browser<br>
>> based<br>
>> solutions in parallel.<br>
>><br>
>> Regarding the privacy issues of having a centralized domain - the<br>
>> overwhelming majority of sites already deploy centralized JS that already<br>
>> correlates users across domains - so in this respect, Xauth is really<br>
>> nothing new. Ad networks, website analytics, and "Like" buttons are just a<br>
>> few examples.<br>
>><br>
>> As far as I know, all of the serious proposals for using Xauth is just to<br>
>> store the user's OP preference - a simple boolean flag that indicates that<br>
>> the user behind the browser happens to be concurrently logged into a<br>
>> particular IdP. This is already "public" information that some IdPs<br>
>> already<br>
>> support - for instance both Facebook and Google already support this<br>
>> today:<br>
>><br>
>> Facebook Connect Status:<br>
>> <a href="http://wiki.developers.facebook.com/index.php/Detecting_Connect_Status" target="_blank">http://wiki.developers.facebook.com/index.php/Detecting_Connect_Status</a><br>
>><br>
>> Google's openid.ui.mode=x-has-session:<br>
>> <a href="http://code.google.com/apis/accounts/docs/OpenID.html#Parameters" target="_blank">http://code.google.com/apis/accounts/docs/OpenID.html#Parameters</a><br>
>><br>
>> The only new thing in Xauth is that RPs can just query a single API<br>
>> (potentially loaded entirely from the browser's cache) to check all IdPs<br>
>> where the user could be logged into. This is information that RPs can<br>
>> already get by directly querying each IdP. The only difference is that<br>
>> Xauth<br>
>> can reduce the network overhead of checking the login status.<br>
>><br>
>> It is true that there are serious challenges with having a centralized<br>
>> domain - who runs this domain? How is it governed? Where does the data go?<br>
>> These are real issues - however they're not really technical issues, and I<br>
>> think they can be solved, if a "trusted third party" can run it. I still<br>
>> have yet to see a serious proposal to actually run this domain though - so<br>
>> perhaps this is not realistic.<br>
>><br>
>><br>
>> Allen<br>
>><br>
>><br>
>><br>
>> On 6/7/10 10:17 PM, "Eran Hammer-Lahav" <<a href="mailto:eran@hueniverse.com">eran@hueniverse.com</a>> wrote:<br>
>><br>
>>><br>
>>> If Google, Yahoo, Microsoft, and the rest of the companies supporting<br>
>> the<br>
>>> OpenID effort deployed the server-side half of this proposal, and spent<br>
>> a<br>
>>> little money on developing plug-ins for all the major browsers (with<br>
>> Google<br>
>>> and Microsoft able to also include it in the next release of their<br>
>> browser),<br>
>>> it will create the tipping point in getting some form of identity<br>
>> selector in<br>
>>> the browser.<br>
>><br>
>> _______________________________________________<br>
>> specs mailing list<br>
>> <a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>
>> <a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
>> _______________________________________________<br>
>> specs mailing list<br>
>> <a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>
>> <a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
>><br>
> _______________________________________________<br>
> specs mailing list<br>
> <a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
<br>
_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
</div></div></blockquote></div><br></div>