Hi Martin,
Yes - sorry - I accidentally hit "reply" instead of "reply all". I
later did re-post to the list though. For the benefit of the list,
your reply is at the end here.
Re-reading my reply, I think my wording sounded pretty strong, and I
might not have made it clear that I'm not pushing for 100% of data to
"live" at the OP: rather - I want to give the user a choice in the
matter (that is - after all - the entire spirit of "user-centric"). I
want users to have the *option* to decide whether to "sign up" to RP#A
or RP#B, and be able to base their decision upon the data-handling and
protection practices of the RP. Some RP's will want to store
everything just like they do today. Some will want to embrace user
centricity and give their customers full control, and most will
probably tread a line somewhere inbetween.
As long as we build something that supports all this, then we can
leave it up to the normal market forces to steer the "Identity future"
the way they want - with the key issue (for us) being that OpenID has
the chance to persist in this future. Right now - OpenID is right at
the bottom of the pile, being almost the worst "Identity 2.0" protocol
currently on the market. IMHO - this is a problem that's easily
fixed.
I wrote:
>> Yes - this could be a tough drain on RP and OP resources. Tough.
You wrote:
MA> You can't just wash your hands of this problem because it doesn't suit
MA> your rather bizarre idea about how the world should be. Sites need to be
I contest that I *am* allowed to "wash my hands" at this point,
because it is absolutely my problem: I operate an OP, and I'm involved
in helping RPs accomplish "Web 2.0" goals. I'm smack in the middle of
all the consequences that flow from allowing users to control their
own data howsoever they wish.
I further contest that the idea of me being in control of my own
information about me is not bizarre. It might not be how anything on
the web works today - true - but I'm pretty confident this is
something most people do, or will, want.
Imagine you're at the newsagent buying a magazine. You hand over
your credit card, and the shopkeeper says "No problem - I'm happy to
sell you your goods, but I need you to first agree to let me make a
photocopy of your credit card, grab you name and email address, and
keep it in all on our files for the next 10 years. Oh - and we'll
need to be sending you the occasional marketing message from time to
time over those 10 years as well."
Now *that* is something that almost everyone will agree is bizarre.
Imagine, instead, the exact same thing occurs on a web site, instead
of at a newsagent. Nobody even blinks when this gross misuse of *my*
information actually does occur. I would go as far as to say that
opinions contrary to mine about "how the world (internet) should be"
are in fact the "bizarre" ones!!
---
My suggestion for how an OP might choose to present the kinds of
data-protection defaults users might want would be for the OP to have
a set of "per-user global account preferences". Mum and Dad users can
click the "convenient" radiobutton. Political activists can click the
"strong protection" radiobutton. Folks inbetween can be given
middle-road defaults, and/or anyone can be given per-use overrides.
Whichever OPs (or OP software packages that you choose to download
and run yourself) that do these things the best, should then quite
quickly become the market leaders. As long as the protocol supports
the protection, the market can innovatively offer it.
The challenges I see at present, are these:
1. How should an RP advertise to an OP what it's server-to-server
endpoint is.
2. How should an OP advertise to an RP the same thing.
3. How should an RP indicate to user-agents (eg: browser plugins like
SSO enablers, secure chrome/anti-phishing/anti-virus addons,
form-fillers, OP helpers [or even OP software itself, if running on
an end-users home machine]) that it is an "OpenID 2.0" enabled
service in the first place. I've pushed for this to be
standardized and enforced, because it offers the absolute strongest
future support for new technologies - and I do so again now. If my
web browser, upon visiting www.example.com, can immediately detect
that it's an OpenID 2.0 site (eg: through a tag on every
page, or the root or base URL, or HTTP headers, or whatever) - a
massive pile of cool opportunities all spring up to make "Web 2.0"
*seriously* more compelling, useful, and protective for everyone.
Heck - Cardspace already did this - so we don't even have to argue
the merits: They learned the long, hard, and painful way that
excluding the user agent seriously undermines the trust and
usefulness of Identity management.
Kind Regards,
Chris Drake
Thursday, April 5, 2007, 5:14:58 PM, you wrote:
MA> Not sure if you deliberately took this off-list, but I'll reply directly
MA> and let you divert it back to list if you want. :)
MA> Chris Drake