I would certainly not argue for DNSSEC in its current form, in fact I was pointing out the serious issues with DNSSEC at RSA this year. At the moment there is no protocol for getting your zone key into DNSSEC, so the idea that it is imminent is rather optimistic. One way to look at the situation is that the same people who proposed the failed PEM PKI scheme have proposed the same architecture and got to the same point they did with PEM.

XRI is the only OASIS TC to have failed to gain approval for its specifications from the membership. It was rejected specifically because Sir Tim Berners-Lee and the W3C TAG argued against it as an unnecessary fragmentation of the naming space. Describing it as 'moving forward' as if it was a train that could pull OpenID in its wake is optimistic in the extreme. A more realistic assessment is that XRI is essentially dead for all purposes and OpenID is the only remaining chance for resurrection.

A technical proposal that ignores an existing infrastructure that is open, deployed and used by every Internet user in favor of one that is unproven is tilting at windmills. I see no reason to think that XRI is going to be any different to UDDI, RealNames, X.500, AOL corporate names or any of the other directory schemes that have come and gone. Remember the days when companies would mention their AOL keyword in ads? Not seen that for a decade now. There was no shortage of people running round telling me why UDDI was going to be the biggest thing ever and how it was amazingly great in vague and unspecified terms. UDDI had Microsoft and IBM behind it pushing it, and it still went nowhere.

I see no reason to doubt that XRI will go the same way as X.500. The directory system will never actually have a funeral, but cease to be an operative concept. Meanwhile some of the infrastructure originally intended to support the directory (XRD) will continue on its own.

Saying that "OpenID is about identity, not trust" might be more meaningful if we had solid consensus on what was meant by identity or what is meant by trust. In my view the one key to establishing an identity scheme is to develop a uniform identifier space where there is a widespread consensus as to what the authoritative interpretation of a name should be.
There are two basic designs that can be employed for that purpose. The first is to use an identifier that is indexical, such that it serves as a locator for at least some attributes associated with the identifier. The second is to use a non-indexical identifier that does not support location.

Since one of the features we want in the OpenID scheme is that the authorized subject of an identifier have the ability to authenticate a claim to being the subject of the assertion, it seems that we are going to be talking about an identifier that is indexical with respect to authenticating the subject's claim of use. So we need a discovery scheme that maps an identifier to a resource that can verify the subject claim.

I do not see the possibility of any other form of discovery being complete. For example, I have a private address book on my machine here that makes assertions about the subject of the identifier '[email protected]'. There is no imaginable architecture (outside the NSA) that could be developed that is going to make those identifiers discoverable unless I choose to make them so. That does not matter though; if I want my assertions to be public, I am going to take some steps towards publishing them. For example, I may have a blog with a comment section and I may have a section that contains a comment that I purport was posted by Michael. In that case I am going to gloss over some RDFa markup to that effect.

On Wed, Apr 14, 2010 at 1:48 AM, SitG Admin <[email protected]> wrote:
>> Five years ago, the OpenID world was making a lot of arguments
>> premised on the need to move very quickly.
>
> I'm mindful of "OpenID is about identity, not trust", here.
>
> Perhaps the advantage is to be flexible with which trust system OpenID is
> attached to; rather than relying on DNS, developers who don't trust it (or
> the PKI in DNSSEC) can try something else instead. Kind of pessimistic to
> anticipate failure, that way, but I see it as them trying Webfinger now
> because they have the most support for it (internally), and others are free
> to work on their own favored trust systems. (I know XRI is moving forward;
> I've been looking a bit at how Tor might integrate with OpenID on the rest
> of the web even *without* going through XRI.)
>
> -Shade

--
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
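The indexical-identifier design argued for in the message above (an identifier that locates the resource able to verify claims about its subject, with discovery mapping the identifier to that resource) as an added Python model; this is editorial example code, not code from the thread or from any OpenID, Webfinger or XRI implementation. The discovery table, the endpoint URL, the subject name and secret are all constructed stand-ins, and the signed assertion uses an HMAC-SHA256 shared-key association only as a simplified sketch of the OpenID 2.0 association idea. It shows the three cases the text implies: a non-indexical identifier cannot complete discovery at all, a resource other than the one discovery names is rejected, and only a subject who can authenticate at the discovered resource gets a verifiable assertion.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit


class DiscoveryError(Exception):
    """Raised when an identifier cannot be mapped to a verifying resource."""


# Constructed stand-in for the directory role that DNS or Webfinger plays:
# host part of an indexical identifier -> endpoint authoritative for claims
# about identifiers under that host. The endpoint URL is hypothetical.
DISCOVERY_TABLE = {
    "example.com": "https://op.example.com/auth",
}


def discover(identifier: str) -> str:
    """Map an indexical identifier to the resource that can verify claims
    about its subject. A non-indexical identifier carries no locator, so
    discovery cannot complete and DiscoveryError is raised."""
    if "@" in identifier:
        host = identifier.rsplit("@", 1)[1].lower()           # acct:/e-mail style
    elif identifier.startswith(("http://", "https://")):
        host = (urlsplit(identifier).hostname or "").lower()  # URL style
    else:
        raise DiscoveryError(f"{identifier!r} has no locator component")
    try:
        return DISCOVERY_TABLE[host]
    except KeyError:
        raise DiscoveryError(f"no verifier published for host {host!r}") from None


def _sign(key: bytes, fields) -> str:
    """HMAC-SHA256 over the assertion fields, joined in a fixed order."""
    return hmac.new(key, "\n".join(fields).encode(), hashlib.sha256).hexdigest()


class Verifier:
    """Models the resource reached by discovery (an OpenID-style provider):
    it authenticates the subject and signs an assertion for a relying party."""

    def __init__(self, endpoint: str):
        self.endpoint = endpoint
        self._subjects = {}      # identifier -> (salt, hashed secret); constructed store
        self._associations = {}  # association handle -> shared key

    def register_subject(self, identifier: str, secret: str) -> None:
        salt = os.urandom(16)
        self._subjects[identifier] = (salt, hashlib.sha256(salt + secret.encode()).digest())

    def associate(self):
        """Establish a shared key with a relying party; returns (handle, key)."""
        handle, key = os.urandom(8).hex(), os.urandom(32)
        self._associations[handle] = key
        return handle, key

    def assert_identity(self, identifier, secret, handle, nonce):
        """Return a signed assertion if `secret` proves the subject claim, else None."""
        stored = self._subjects.get(identifier)
        if stored is None:
            return None
        salt, digest = stored
        if not hmac.compare_digest(digest, hashlib.sha256(salt + secret.encode()).digest()):
            return None
        fields = (identifier, self.endpoint, handle, nonce)
        return {"claimed_id": identifier, "endpoint": self.endpoint,
                "handle": handle, "nonce": nonce,
                "sig": _sign(self._associations[handle], fields)}


def check_claim(identifier: str, verifier: Verifier, secret: str) -> bool:
    """Relying-party side: discover the verifier, obtain an assertion, check it."""
    endpoint = discover(identifier)
    if endpoint != verifier.endpoint:
        # The only resource allowed to vouch for this identifier is the one discovery names.
        raise DiscoveryError(f"discovery names {endpoint}, not {verifier.endpoint}")
    handle, key = verifier.associate()
    nonce = os.urandom(8).hex()  # fresh per check; binds the assertion to this request
    assertion = verifier.assert_identity(identifier, secret, handle, nonce)
    if assertion is None:
        return False
    expected = _sign(key, (identifier, endpoint, handle, nonce))
    return (assertion["claimed_id"] == identifier
            and assertion["endpoint"] == endpoint
            and assertion["nonce"] == nonce
            and hmac.compare_digest(expected, assertion["sig"]))


if __name__ == "__main__":
    op = Verifier("https://op.example.com/auth")
    op.register_subject("alice@example.com", "correct horse")     # constructed subject
    print(check_claim("alice@example.com", op, "correct horse"))  # True
    print(check_claim("alice@example.com", op, "wrong"))          # False
```

The point of the model is the order of operations: the relying party never accepts an assertion from a resource it was handed; it first resolves the identifier through discovery and only then trusts the resource that discovery named. An opaque token with no host component fails at the first step, which is exactly why the message argues a non-indexical identifier cannot support complete discovery.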
