- From: peter williams <home_pw@msn.com>
- Date: Wed, 27 Apr 2011 19:50:14 -0700
- CC: "'WebID XG'" <public-xg-webid@w3.org>
"OpenID reduces the account multiplication issue by allowing users to login to every site using the same global identifier. This provides a base from which WebId can be deployed, procuring the following extra advantages: Protocol simplicity: the WebID protocol is a lot simpler, requiring only one more connection over and above the connection to the requested resource, where the result is cacheable. OpenID requires seven TLS connections, significantly more than WebID. These additional steps create opportunities for denial of service attacks, making it more difficult to secure and to debug."

I think we are still learning to make effective pitches. The above, for example, now submitted, sounds somewhat catty. If my sales team used that tone about our competition, I'd consider him jaded and time for retirement.

What I'd expect us to have said was:

Openid offers several security services that webid does not currently consider vital to the world of federated social networking. Arguably important, the differences between openid and webid result in openid using several more message flows, with additional connections. For example, openid enables the party releasing information about a user to confirm that the party receiving the user information is still authorized - by connecting to a metadata file that expresses the site's authorizations to operate at a particular URI - since owners of URIs and authorities can change overnight as domain names are bought and sold. In a tighter security culture, the asserting party might confirm that this file exists on the web each time an assertion is released - ensuring user information never goes to a party no longer entitled to receive it. This kind of precision in determining status has yet to be fully understood in the openid community, and the world of federated social networking in particular. Thus, we considered these types of features to be out of scope, for the moment.

Now, that's too wordy. But, look at the difference in tone.
One carps about the competition's most negative points. If I was an openid author, I'd be showing no love for webid, at this point (simply because of the tone, taken).

The other notes the differences in design schools, arguing our case for eliminating certain openid flows. In doing so, we happen to also indicate the limits of webid, so it's harder to portray our work as something that simply has done insufficient analysis of the requirements.

I think we have to learn to go for a multi-protocol world, that ADMITS websso, now. I note how the long fought multi-scheme URI made it successfully into the description. Good! Several more religion points to eliminate further, yet - simply so that the conditions for mass-adoption are encountered.
Received on Thursday, 28 April 2011 03:20:22 UTC