2010/5/16 David Recordon <[email protected]>

> The past few months I've had a bunch of one on one conversations with a lot
> of different people – including many of the folks on this list – about ways to
> build a future version of OpenID on top of OAuth 2.0. Back in March when I
> wrote a draft of OAuth 2.0 I mentioned it as one of my future goals as well
> (http://daveman692.livejournal.com/349384.html).
>
> Basically moving us to where there's a true technology stack of TCP/IP ->
> HTTP -> SSL -> OAuth 2.0 -> OpenID -> (all sorts of awesome APIs). Not just
> modernizing the technology, but also focusing on solving a few of the key
> "product" issues we hear time and time again.
>

+1

Coincidentally this post comes exactly 5 years after the original OpenID /
Yadis proposal:

http://community.livejournal.com/lj_dev/683939.html

Consider this my public announcement of Yadis (a temporary name). Yadis is a
distributed identity system.

In a nutshell:
-- Your FOAF file points to your chosen identity server. (your LJ FOAF file
already contains this, as of last night)

-- Your identity server is responsible for telling the rest of the world if
you're you or not, and digitally signing a receipt saying that you said so,
but only if you've told your identity server if you want to.

-- Clients on the web that want to verify your identity: ask for your blog
or FOAF URL ("bradfitz.livejournal.com"), fetch your blog HTML, find your
FOAF URL, fetch your FOAF, find your identity server, then ask the identity
server if you're who you said you are. If you're not, or you're not logged
in, or you haven't set up trust... in all 3 cases the identity server just
tells the client "Sorry, I can't tell you. Throw the user to this URL." So
client provides link, or redirects user. User sets up trust on identity
server, goes back to site, logs in again.

-- Your global identifier throughout the web isn't "happygirl234324" or an
email address, or "[email protected]", but your FOAF URL. So you
also choose how much info you do or do not want to share in there.

-- If you don't trust LiveJournal to be your identity server, run your own
identity server, and point your FOAF at that. Or use somebody you trust
more.

I think it's interesting to note that Yadis started out supporting FOAF, but
that seems now to have been dropped somewhere along the road.  There have
been some criticisms of FOAFs, something around how it's possible to do
access control.  Most notably I remember this one from 2004.

http://blog.plaxo.com/archives/000007.html

Summary of Open Issues:

- Importing and exporting rich contact information with FOAF
- Incorporating permissions and restricted viewing into a FOAF framework
- Offering FOAF features without confusing people that don't use FOAF
- Sharing your contact list without compromising the privacy of you or your
contacts
- Using plain text e-mail addresses vs. SHA1 sums (which is better where)

I think there's perhaps an argument to say that these issues were well
enough addressed in the period that followed, and understandably, there was
some interest lost.  The slightly better news is that there has been growing
activity in the FOAF community, particularly in the last year or so since
Henry Story designed FOAF+SSL, and some of these issues are now starting
to have solutions.  The bulk of the effort is coming out of MIT, and Tim
Berners-Lee's research group.  Here are some of the proposals set forth:

http://dig.csail.mit.edu/2009/Papers/ISWC/rdf-access-control/paper.pdf

In summary, I'm glad the original motivating OpenID concepts (federated login
etc.) are being mentioned again.  I think both the FOAF community and OpenID
community are actively involved in solving some of these issues.  I think
there is an argument to say that the FOAF community did not respond quickly
enough to some of the concerns presented, but are now, after 5 years, starting
to solve some of these difficult issues.  These technologies are not
mutually exclusive; in fact, more federated technologies are designed to
complement each other.  I would hope that this kind of conversation could be
seen as an opportunity for different communities to learn from each other.


>
> I took the past few days to write down a lot of these ideas and glue them
> together. Talked with Chris Messina who thought it was an interesting idea
> and decided to dub it "OpenID Connect" (see
> http://factoryjoe.com/blog/2010/01/04/openid-connect/). And thanks to Eran
> Hammer-Lahav and Joseph Smarr for some help writing bits of it!
>
> So, a modest proposal that I hope gets the conversation going again.
> http://openidconnect.com/
>
> --David
>
> _______________________________________________
> specs mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-specs
>
>
