On Mon, May 24, 2010 at 7:11 PM, Eran Hammer-Lahav <[email protected]> wrote:

>
> > -----Original Message-----
> > From: [email protected] [mailto:openid-specs-
> > [email protected]] On Behalf Of Dick Hardt
> > Sent: Monday, May 24, 2010 6:29 PM
> >
> > Connect is Discovery + OAuth 2.0 + a standard identity API.
> > ...
> > Labelling this as OpenID seems to be hijacking the OpenID brand.
>
> And this is where you got it all wrong! Labeling this as OpenID is giving
> the OpenID brand one last chance to offer something useful and meaningful
> that developers actually use.
>
> Calling it OAuth Connect would result in hijacking the community. I'm
> clearly willing to do that (though my presence here should indicate my
> interest in saving the OpenID brand). The question is, is this something the
> OpenID community and board want to risk?
>

Since I came up with the "OpenID Connect" terminology, I think I have some say in what I intended by it!

First, Dick is essentially correct when he describes OpenID Connect as "Discovery + OAuth 2.0 + a standard identity API". However, I would layer in the ability to use OAuth tokens to achieve deeper integrations in ways that are currently undefined... something that OpenID 2.0 doesn't easily provide for.

Second — and I've said this for a long time — OpenID is less about any particular technological solution and more about providing pragmatic solutions that move the industry forward, and create opportunities to leverage cross-site identity and profile. This is a piece of what OpenID originally set out to achieve and should be retained in subsequent iterations. I didn't call OpenID Connect OpenID 3.0 because I don't know that it SHOULD be v3.0 — as in the next version of the protocol — but I do know that there's a market demand for a fairly straight-forward protocol that makes incremental improvements over today's status quo.

Third, v.Next may take years to evolve and develop. Or it may take months.
No one really knows — and the outcome will be contingent upon the leader of v.Next driving forward both implementations and consensus (no easy task!). In the meantime, proprietary solutions are leading the industry — marginalizing OpenID's place in the conversation. Comparing the traffic between OpenID and "Facebook Connect" — the latter has gained considerable ground in a short amount of time, and that's only likely to increase if we don't continually improve our "product":

http://google.com/trends?q=openid%2C+%22facebook+connect%22&ctab=0&geo=all&date=all&sort=1

Fourth, on that point — the needs for the consumer web (of today) seem somewhat at odds with what appears to me to be the needs of the enterprise web. I am not entirely clear which needs are driving the scope of inquiry for v.Next, but it seems like the latter. If that is the case, I worry that v.Next will result in a product that is not palatable for the consumer web marketplace, and given how much momentum there is there, OpenID will lose any ground it has whatsoever in the common story about internet identity.

<rant>

Finally, some personal context.

I recall that there was a moment when I was about to get my hands dirty in the OpenID community, despite the crazy community politics. This was probably in late 2006. I was pushing hard to make the OpenID brand mean something — and to turn it into a consumer brand that people might someday recognize when traversing the web. There seemed to be little interest in this idea, and so I decided to do my own advocacy outside the community.

As a result of that work, it became clear to me that OpenID 2.0 only solved half the problem — that is, sign in within the browser; it failed to address the API or client cases.
Once this realization took hold — and became a primary obstacle in the way of getting Ma.gnolia and Twitter to adopt OpenID — a small number of folks decided to get together to create a solution for this problem — borrowing from existing implementations that we found in the wild. This was the start of the OpenAuth project:

http://groups.google.com/group/openauth/browse_thread/thread/dff591a279522d06

At the time, I decided firmly to NOT deal with identity, since that was what OpenID was for, and I presumed that the OpenID community would continue to mature on its own while our little break-off group went and created what you now call "OAuth". I also specifically didn't want to bring OAuth to OpenID because it struck me as dysfunctional and not outcome-orientated.

Once OAuth 1.0 was out, I decided that it was time to return to the OpenID community [1] and continue pushing forward, since now I could "sell" OpenID to the likes of Twitter and Ma.gnolia [2]. Except in the meantime, OAuth had become this really great solution to the problem of data access which indirectly (even accidentally!) solved the pertinent identity problem for people since the first payload that was usually delivered over OAuth included various profile attributes.

Fast forward another year or so and we have OAuth 2.0, some solid advances on a discovery protocol, and yet little improvement in the foundational OpenID technology.

I feel like history is repeating. I want OpenID Connect to be a technology that is produced within the OpenID WG process — and I want the OIDF to have a market-driven product to sell! I really don't want to have to wait another year or two to get to v.Next while the world continues to move away from us!

As a long time advocate of OpenID and as an independent community-elected board member, we can't keep letting these opportunities pass us by, or let them get mired in process and bureaucracy.
With David's proposal — the OIDF should have embraced this offering as a model for other people — to write something coherent that addresses a need, that can then be taken through the WG process to iron out any security issues or obvious omissions... and turned into a spec quickly, painlessly... and in a way that develops a host of complementary solutions to the many, many internet identity problems that are vexing the industry.

Instead it seems like we're trying to solve every identity problem with v.Next (or at least explore all those that are known) and I'm extremely worried that by the time we come up with something that "everyone" agrees on, the world will indeed have moved on.

I'm of course willing to be reasoned with on my impressions, but this is why I think OpenID Connect — as its own individual WG — is actually a very good thing for the OIDF — and its future.

</rant>

This is already in TL;DR territory, so I'll just quit my ranting there.

Chris

[1] http://factoryjoe.com/blog/2008/12/05/announcing-my-candidacy-for-the-board-of-the-openid-foundation/
[2] http://factoryjoe.com/blog/2007/12/06/oauth-10-openid-20-and-up-next-diso/

--
Chris Messina
Open Web Advocate, Google

Personal: http://factoryjoe.com
Follow me on Buzz: http://buzz.google.com/chrismessina
...or Twitter: http://twitter.com/chrismessina

This email is: [ ] shareable [X] ask first [ ] private
