Grant, I don't disagree with you. I have however seen this sort of
whitelisting requirement from both the provider (i.e. AOL initially) and
consumer (i.e. Federal Government) sides. OpenID 1.0 and 2.0 allowed them to
do this. As Eran said, it's really not about the technology but rather
trust, liability, and policy. I also believe that most large providers will
support dynamic associations for accessing at least basic information and
others will not have any form of preregistration at all.

--David


On Tue, May 25, 2010 at 10:35 AM, Eran Hammer-Lahav <[email protected]> wrote:

> It isn't much different from white listing providers, or using buttons
> instead of an input box as is common today. Reality is that until we solve
> the legal issues around trust and liability, the technical solution doesn't
> matter. Standard machine readable TOS is just the first step. Figuring out
> the issue of liability is a much bigger issue which is key to any meaningful
> OpenID adoption.
>
> I view the OpenID Connect proposal as a to-do list for the OAuth community
> to fill in the missing pieces. For example, OAuth needs to support endpoint
> discovery, unregistered clients, basic immediate mode and username support,
> and request and response signatures with either symmetric or asymmetric
> secrets. These are all *OAuth* elements that should be standardized by the
> OAuth community in the IETF.
>
> However, putting these components together for a coherent identity
> framework is what I expect from the OpenID community. It will probably mean
> that the OpenID WG will need to work closely with the OAuth WG and provide
> feedback and requirements. But at the end, someone will need to write a spec
> that puts this all together and that should be the OpenID foundation, even
> if this spec is not much more than glue.
>
> EHL
>
> > -----Original Message-----
> > From: [email protected] [mailto:openid-specs-
> > [email protected]] On Behalf Of Monroe, Grant
> > Sent: Tuesday, May 25, 2010 5:36 AM
> > To: David Recordon
> > Cc: Joseph Smarr; OpenID Board (public); [email protected]
> > Subject: Re: Why Connect?
> >
> > > Eran Hammer-Lahav (with a +1 from Chuck Mortimore):
> > >>
> > >> My guess is that an OAuth identity layer will not be a good thing for
> > >> OpenID adoption. OAuth providers will get it for free.
> >
> > You know what's not good for adoption? Having to go to 20 different
> > developer portals. Trying to figure out how to create an OAuth
> > application in 20 different ways. Verifying your domain in 20 different
> > ways. Agreeing to 20 different terms of service.
> >
> > I know that the OpenID Connect proposal mentions an association step, but
> > if all the major providers wind up requiring preregistration, it is a
> > moot point. My gut is that using OAuth as the base will be very good for
> > a few players, and bad for identity on the whole.
> >
> > --
> > Grant Monroe
> > JanRain, Inc.
> > _______________________________________________
> > specs mailing list
> > [email protected]
> > http://lists.openid.net/mailman/listinfo/openid-specs
