As long as the technology supports dynamic associations, and preregistration isn't the status quo for authentication, I'll be happy. I think that these basic facts have allowed OpenID to be even remotely successful. -- Grant
On Tue, May 25, 2010 at 10:00 AM, David Recordon <[email protected]> wrote: > Grant, I don't disagree with you. I have however seen this sort of > whitelisting requirement from both the provider (i.e. AOL initially) and > consumer (i.e. Federal Government) sides. OpenID 1.0 and 2.0 allowed them to > do this. As Eran said, it's really not about the technology but rather > trust, liability, and policy. I also believe that most large providers will > support dynamic associations for accessing at least basic information and > others will not have any form of preregistration at all. > --David > > On Tue, May 25, 2010 at 10:35 AM, Eran Hammer-Lahav <[email protected]> > wrote: >> >> It isn't much different from white listing providers, or using buttons >> instead of an input box as is common today. Reality is that until we solve >> the legal issues around trust and liability, the technical solution doesn't >> matter. Standard machine readable TOS is just the first step. Figuring out >> the issue of liability is a much bigger issue which is key to any meaningful >> OpenID adoption. >> >> I view the OpenID Connect proposal as a to-do list for the OAuth community >> to fill in the missing pieces. For example, OAuth needs to support endpoint >> discovery, unregistered clients, basic immediate mode and username support, >> and request and response signatures with either symmetric or asymmetric >> secrets. These are all *OAuth* elements that should be standardized by the >> OAuth community in the IETF. >> >> However, putting these components together for a coherent identity >> framework is what I expect from the OpenID community. It will probably mean >> that the OpenID WG will need to work closely with the OAuth WG and provide >> feedback and requirements. But at the end, someone will need to write a spec >> that puts this all together and that should be the OpenID foundation, even >> if this spec is not much more than glue. >> >> EHL >> >> > -----Original Message----- >> > From: [email protected] [mailto:openid-specs- >> > [email protected]] On Behalf Of Monroe, Grant >> > Sent: Tuesday, May 25, 2010 5:36 AM >> > To: David Recordon >> > Cc: Joseph Smarr; OpenID Board (public); [email protected] >> > Subject: Re: Why Connect? >> > >> > > Eran Hammer-Lahav (with a +1 from Chuck Mortimore): >> > >> >> > >> My guess is that an OAuth identity layer will not be a good thing for >> > >> OpenID adoption. OAuth providers will get it for free. >> > >> > You know what's not good for adoption? Having to go to 20 different >> > developer portals. Trying to figure out how to create an OAuth >> > application in >> > 20 different ways. Verifying your domain in 20 different ways. Agreeing >> > to 20 >> > different terms of service. >> > >> > I know that the OpenID Connect proposal mentions an association step, >> > but >> > if all the major providers wind up requiring preregistration, it is a >> > moot point. >> > My gut is that using OAuth as the base will be very good for a few >> > players, >> > and bad for identity on the whole. >> > >> > -- >> > Grant Monroe >> > JanRain, Inc. >> > _______________________________________________ >> > specs mailing list >> > [email protected] >> > http://lists.openid.net/mailman/listinfo/openid-specs >> _______________________________________________ >> specs mailing list >> [email protected] >> http://lists.openid.net/mailman/listinfo/openid-specs > > _______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
