+1 to one key takeaway from this whole thread: that the marketing/evangelism/messaging around OpenID MUST be very careful to clearly communicate, in Gabe's words, "what it can and cannot do right now". Especially when it comes to hard problems like authentication context and circles of trust that SAML and Liberty Alliance have been cranking at for 5+ years. As long as we "communicated clearly so expectations aren't raised and then not met", then we should give OpenID the runway it needs to grow into those problems, just like 802.11 started "thin" and grew to become nearly ubiquitous.

=Drummond

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gabe Wachob
Sent: Wednesday, October 04, 2006 9:09 PM
To: 'Chris Drake'
Cc: email@example.com
Subject: RE: Re: [PROPOSAL] authentication age

Chris-
I don't mean to be pessimistic about OpenID *AT ALL* - I truly do believe that OpenID *WILL* get to the point where it's valuable for the Visas of the world. I don't want to stall it for the other use cases that are motivating the people who are currently involved - I think OpenID can quickly evolve when needed. OpenID should be as lightweight as needed for the use case - and so I think OpenID is great where it is. It's just that we have to be clear what it's trying to do today and what it is NOT trying to do. I think we'll surprise some people (like you) - but in the long run, the credibility will be there - I *KNOW* the folks who are involved with OpenID are smart and know what it can and cannot do right now. We just have to make sure that it's being communicated clearly so expectations aren't raised and then not met...

-Gabe

> -----Original Message-----
> From: Chris Drake [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 04, 2006 9:00 PM
> To: Gabe Wachob
> Cc: 'Kevin Turner'; firstname.lastname@example.org
> Subject: Re: [PROPOSAL] authentication age
>
> Hi Gabe,
>
> Beautifully worded, and (IMHO) an extremely valuable real-world opinion. I too believe OpenID is currently a "non-starter". I have dual vested interests: I want OpenID to succeed, *especially* for RPs like Visa, since my IdP makes money from supporting OpenID only when OpenID ends up getting used. I also believe that an IdP (and mine in particular) is well suited for deploying secure technology (eg: two factor tokens).
>
> If, aside from making OpenID actually *work* for the likes of Visa, we can build in the ability to provide a tangible *benefit* to Visa from using it (that is: allow Visa to REQUIRE that a user has authenticated via two-factor means, to an accredited - i.e. explicitly trusted by Visa - IdP) then we've not only cemented the future of OpenID, we've gone and improved a pile of security problems along the way.
>
> Kind Regards,
> Chris Drake
> 1id.com
>
> Thursday, October 5, 2006, 1:41:34 PM, you wrote:
>
> GW> Chris-
> GW> As someone who has recently come from working in the financial sector (Visa), it's clear that OpenID is NOT intended for authentication where the *relying party* cares about how the authentication is performed.
>
> GW> At places like Visa and for home banking, this means that OpenID, without something more, is clearly a . These relying parties want to know exactly how their users are being authenticated because their business is all about risk management and creating business opportunities around very good knowledge of the risk profile of each transaction type.
>
> GW> That all being said, I believe it should be possible to layer on OpenID a form of IDP control such that a relying party can require a certain class or group of IDPs be used when presenting authentication assertions to them. The actual *policy* for how these IDPs are approved is probably orthogonal to the protocol spec, but "secure" identification of those IDPs (relative to some trust root, etc) could probably be made into an extension usable for those parties who want it.
>
> GW> My guess is that culturally, most people involved in OpenID have *not* been interested in addressing these concerns. However, expectations need to be better managed around these sorts of "relying-party cares" scenarios, because it's not obvious without actually reading the specs themselves...
>
> GW> -Gabe
>
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] On Behalf
> >> Of Chris Drake
> >> Sent: Wednesday, October 04, 2006 8:26 PM
> >> To: Kevin Turner
> >> Cc: email@example.com
> >> Subject: Re: [PROPOSAL] authentication age
> >>
> >> Hi Kevin,
> >>
> >> Sounds like you're leaning towards a root authority for IdPs who can audit procedures and verify protection in order to sign the IdP's keys?
> >>
> >> Joe blogger doesn't care much about identity assertions from an IdP, but it's a reasonable bet to expect that a Bank might care...
> >>
> >> Kind Regards,
> >> Chris Drake
> >>
> >>
> >> _______________________________________________
> >> specs mailing list
> >> firstname.lastname@example.org
> >> http://openid.net/mailman/listinfo/specs
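An added illustration (not code from this thread, nor from any OpenID spec or implementation) of the "relying-party cares" check Gabe sketches and the accredited-IdP plus two-factor requirement Chris wants for an RP like Visa: an RP-side policy evaluated over a constructed, already signature-verified assertion. The `ext.auth_age` and `ext.auth_methods` fields, the `RpPolicy` class, `evaluate()` and the endpoint URLs are all assumptions, standing in for whatever authentication-context extension and accreditation process the RP would actually adopt.

```python
from dataclasses import dataclass

# Constructed sample: fields an RP holds after verifying the assertion's
# signature. "ext.auth_age"/"ext.auth_methods" stand in for a hypothetical
# authentication-context extension; they are not real OpenID parameters.
SAMPLE_ASSERTION = {
    "openid.mode": "id_res",
    "openid.claimed_id": "https://alice.example-idp.test/",
    "openid.op_endpoint": "https://openid.example-idp.test/server",
    "ext.auth_age": "120",                        # seconds since the user logged in
    "ext.auth_methods": "password,hardware_token",
}

@dataclass(frozen=True)
class RpPolicy:
    """What a "relying party cares" RP demands. How an OP endpoint earns a
    place in accredited_ops is the RP's accreditation policy (out of scope)."""
    accredited_ops: frozenset    # OP endpoints this RP explicitly trusts
    required_methods: frozenset  # every listed method must have been used
    max_auth_age: int            # reject logins older than this many seconds

def evaluate(assertion, policy):
    """Return (accepted, reasons); reasons is empty on acceptance and
    otherwise names each failed requirement so rejections can be logged."""
    reasons = []
    op = assertion.get("openid.op_endpoint", "")
    if op not in policy.accredited_ops:
        reasons.append(f"OP endpoint not accredited: {op!r}")
    try:
        age = int(assertion["ext.auth_age"])
    except (KeyError, ValueError):
        reasons.append("no usable authentication age asserted")
    else:
        if age < 0 or age > policy.max_auth_age:
            reasons.append(f"authentication age {age}s exceeds {policy.max_auth_age}s")
    methods = {m for m in assertion.get("ext.auth_methods", "").split(",") if m}
    missing = policy.required_methods - methods
    if missing:
        reasons.append("missing authentication methods: " + ", ".join(sorted(missing)))
    return not reasons, reasons

# A bank-style policy: only explicitly accredited OPs, a hardware token
# among the authentication methods, and a login no older than five minutes.
BANK_POLICY = RpPolicy(
    accredited_ops=frozenset({"https://openid.example-idp.test/server"}),
    required_methods=frozenset({"hardware_token"}),
    max_auth_age=300,
)
```

The same assertion that a blog RP would accept on the strength of the signature alone is rejected here as soon as any one of the three requirements fails, and every failed requirement is reported rather than just the first.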