Fwd: [OpenID board] Why Connect?

There is an interesting debate going on in the openid-specs mailing
list, regarding future paths for "OpenID" (as brand, and as
technology), including its relationship with OAuth. See below for a
sampler, and some perspective on what those looking to OpenID are
hoping to get from it.

Dan


---------- Forwarded message ----------
From: Brian Kissel <bkissel@janrain.com>
Date: Tue, May 25, 2010 at 7:04 AM
Subject: RE: [OpenID board] Why Connect?
To: Eran Hammer-Lahav <eran@hueniverse.com>, Dick Hardt
<dick.hardt@gmail.com>, Nat Sakimura <sakimura@gmail.com>
Cc: openid-specs@lists.openid.net, Joseph Smarr <jsmarr@google.com>,
Robert Harles <rharles@searshc.com>, "OpenID Board (public)"
<board@lists.openid.net>, Daniel Jacobson <DJacobson@npr.org>,
fronsms@nytimes.com


I won't purport to know the answer to some of the tough questions
we're wrestling with here, but do agree with Eran that whatever we do
should be "market driven."  To that end, what I'd really like to hear
is from existing and prospective RPs who are following this list.
We’ve had plenty of input from OPs and technologists.  If we don't
have enough input from RPs on this list, how do we get it?  I’ve seen
a post or two on this thread recently saying that we’ve evolved beyond
the point where a few folks can say “we know what’s best for the
market” and others will follow.  I agree with that sentiment, we need
broader involvement and feedback, not necessarily on the
specifications, but on the MRDs and PRDs that should be the precursors
to our specifications work.



I spoke with Daniel Jacobson of NPR today who is the chairman of the
Adoption Committee, and a prospective RP, and asked him to provide his
input to this discussion – which he will be doing shortly.  I've also
asked Rob Harles of Sears and Marc Frons of the NY Times, both OIDF
board members, to provide input. At Janrain we're talking to existing
and prospective RPs every day.  While each have some unique
requirements, many have similar objectives and concerns.  Here's my
take so far, but would really like to hear from other existing and
prospective RPs across a range of applications: social web,
enterprise, ecommerce, government, news & media, etc.



·         They want something that is backward and forward compatible
if possible.  Ripping and replacing core technologies is painful.  If
we’re going to make changes that break backwards compatibility (which
it sounds like both OpenID V.Next and OpenID Connect have the
potential of doing), let’s make sure that the new platform is
extensible enough to support future expected use cases and expanded
functionality – richer industry/application specific data, security
enhancements, commerce enhancements, reputation management, multiple
platforms (PC, mobile, game consoles, etc.)  If we do end up having to
break backward compatibility, let’s make sure we have a clear and
consistent migration path that’s as seamless as possible for existing
RPs.  This doesn’t mean that the baseline lowest common denominator
platform should be complex and difficult to deploy (to the contrary),
but it should support extensions and enhancements that enable broader
used cases than the lowest common denominator.

·         They want a clear message on how all the related
technologies can and should work together: OpenID, OAuth, SREG, AX,
Portable Contacts, Activity Streams, Open Social, Artifact Binding,
Contract Exchange, Discovery, UX Extension, etc. – both functionality
and timing (roadmap).

·         They want something that is easy to deploy and maintain, and
intuitive and compelling for end users.  They can accept that for
advanced features, additional effort and complexity will likely be
involved.

·         They would like to see OPs behave in a consistent and
predictable way as they evolve and enhance their services.  If OPs
behave erratically and without clear and timely communications, it’s
harder to buy into the ecosystem.



I hope I’ve accurately captured some of the feedback we’ve been
hearing and if not I trust that the RPs that are monitoring this list
will provide their feedback and recommendations.



I’d encourage each of us who is monitoring this list to invite more
RPs (existing and prospective) to the discussion.



Cheers,

Brian

___________



Brian Kissel

CEO - JanRain, Inc.

bkissel@janrain.com

Mobile: 503.342.2668 | Fax: 503.296.5502

519 SW 3rd Ave. Suite 600  Portland, OR 97204



Increase registrations, engage users, and grow your brand with RPX.
Learn more at www.rpxnow.com



-----Original Message-----
From: openid-specs-bounces@lists.openid.net
[mailto:openid-specs-bounces@lists.openid.net] On Behalf Of Eran
Hammer-Lahav
Sent: Monday, May 24, 2010 7:01 PM
To: Dick Hardt
Cc: Joseph Smarr; OpenID Board (public); openid-specs@lists.openid.net
Subject: RE: [OpenID board] Why Connect?







> -----Original Message-----

> From: Dick Hardt [mailto:dick.hardt@gmail.com]

> Sent: Monday, May 24, 2010 6:20 PM

> To: Eran Hammer-Lahav

> Cc: Allen Tom; David Recordon; Joseph Smarr; OpenID Board (public);

> openid-specs@lists.openid.net

> Subject: Re: [OpenID board] Why Connect?

>

>

> On 2010-05-24, at 6:08 PM, Eran Hammer-Lahav wrote:

>

> > The question is:

> >

> > Is the OIDF interested in taking the lead in building an identity layer for

> OAuth 2.0?

> >

> > I'm willing to bet that if the answer is no, it will be the beginning of the end

> for OpenID. OAuth 2.0 + identity will fully cover the OpenID 2.0 use cases in a

> cleaner, more secure way.

>

> OpenID Connect as currently envisioned misses many of the internet identity

> use cases.



And covers most of the ones desired by those currently implementing
OpenID. For those using OpenID 2.0 today, this proposal offers a full
and significantly better replacement. This proposal is 100%
market-driven, which is not something I can say about OpenID now or in
the past. This proposal is driven by developers, providers, and end
users.



> >

> > This is very much an issue of timing. If the problem is the name, call it the

> "OAuth Identity Framework",

>

> OpenID Connect has very little to do with OpenID, and lots to do with OAuth.

> That sounds like a better name.



True if you define OpenID as nothing but a protocol. But if that is
your definition, I think OpenID best days are behind it. People don't
care about protocols, they care about products. I think it would be a
mistake for the OpenID foundation to let OAuth take over such a huge
chunk of the current OpenID use cases.



> > leaving OpenID to be whatever the v.next WG decides it will be a year or

> two from now.

>

> That sounds like a challenge I am will to take on. :)



Well, that's something the foundation will have to figure out. All I
can do is offer my perspective.



EHL

_______________________________________________

specs mailing list

specs@lists.openid.net

http://lists.openid.net/mailman/listinfo/openid-specs

_______________________________________________
specs mailing list
specs@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs

Received on Tuesday, 25 May 2010 09:12:04 UTC