
the openid para

From: peter williams <home_pw@msn.com>
Date: Wed, 27 Apr 2011 19:50:14 -0700
Message-ID: <SNT143-ds1970FFADA81048577F4859929B0@phx.gbl>
CC: "'WebID XG'" <public-xg-webid@w3.org>

"OpenID reduces the account multiplication issue by allowing users to login
to every site using the same global identifier. This provides a base from
which WebId can be deployed, procuring the following extra advantages:
Protocol simplicity: the WebID protocol is a lot simpler, requiring only one
more connection over and above the connection to the requested resource,
where the result is cacheable. OpenID requires seven TLS connections,
significantly more than WebID. These additional steps create opportunities
for denial of service attacks, making it more difficult to secure and to
debug."

I think we are still learning to make effective pitches. The above, for
example, now submitted, sounds somewhat catty. If my sales team used that
tone about our competition, I'd consider him jaded and time for retirement.

What I'd expect us to have said was:

Openid offers several security services that webid does not currently
consider vital to the world of federated social networking. Arguably
important, the differences between openid and webid result in openid using
several more message flows, with additional connections. For example, openid
enables the party releasing information about a user to confirm that the
party receiving the user information is still authorized - by connecting to
a metadata file that expresses the site's authorizations to operate at a
particular URI - since owners of URIs and authorities can change overnight
as domain names are bought and sold. In a tighter security culture, the
asserting party might confirm that this file exists on the web each time an
assertion is released - ensuring user information never goes to a party no
longer entitled to receive it. This kind of precision in determining status
has yet to be fully understood in the openid community, and the world of
federated social networking in particular. Thus, we considered these types of
features to be out of scope, for the moment.

Now, that's too wordy. But, look at the difference in tone. One carps about
the competition's most negative points. If I was an openid author, I'd be
showing no love for webid, at this point (simply because of the tone,
taken). The other notes the differences in design schools, arguing our case
for eliminating certain openid flows. In doing so, we happen to also
indicate the limits of webid, so it's harder to portray our work as
something that simply has done insufficient analysis of the requirements.

I think we have to learn to go for a multi-protocol world, that ADMITS
websso, now. I note how the long fought multi-scheme URI made it
successfully into the description. Good! Several more religion points to
eliminate further, yet - simply so that the conditions for mass-adoption are
encountered.
Received on Thursday, 28 April 2011 03:20:22 UTC
