On 2010-06-05, at 10:47 AM, Chris Messina wrote:

> On Sat, Jun 5, 2010 at 7:35 AM, Dick Hardt <[email protected]> wrote:
> 
> OAuth 2.0 does NOT solve the problems that OpenID was trying to solve. It is 
> NOT a distributed identity system. If you can make discovery work for OAuth, 
> then you can make it work for OpenID. OAuth implementations today do NOT have 
> discovery.
> 
> Perhaps standards groups like the OpenID Foundation operate in a slightly 
> different marketplace-twilight zone, but I'm curious how we define our 
> customers — and how that definition should or shouldn't affect the work that 
> gets done.
> 
> For example, Luke — representing Facebook — is saying that there's not been 
> sufficient adoption of OpenID over the past several years, and for the use 
> cases that I've cared most about, I would agree with that assessment. It is 
> not the case that OpenID hasn't been adopted — but that OpenID simply isn't 
> the only game in town anymore, and that the market demand in the consumer 
> space was unearthed and capitalized on by the likes of Facebook and Twitter, 
> and NOT the many other OpenID providers.

The Facebook and Twitter identity systems are silos. We have seen this game 
before in online communities and email systems. The truly distributed system 
eventually wins, but short term it is easier when it is all packaged up nice. 
Facebook Connect is clearly a better solution than OpenID today. That is 
because the distributed identity problem is much harder than the federated, 
single vendor problem.

> 
> Facebook is saying that they want to work through the OpenID Foundation to 
> help develop a technology solution that is more like what the market has 
> already adopted — but that adds in discovery to aid in decentralizing 
> identity, at least in a very primitive way (hence the Connect proposal).
> 
> Dick, you seem to be saying that OAuth is not a distributed identity system, 
> but that if discovery were defined for it (along with auto-registration of 
> clients), then it would be useful as a distributed identity technology. Am I 
> getting that right?

I am saying that OAuth is missing what was hard in OpenID. The hard thing about 
distributed identity is discovery.

> 
> I think the divide here comes down to whether the OIDF should be focused on 
> what the market demands and is willing to adopt *today*, or instead on the 
> set of technologies that may enable distributed identity solutions *tomorrow*.

There are many other members of the market than Facebook. Regardless, I would 
welcome a REAL technical discussion about what we do. I have raised a number of 
technical issues with Connect. The answers tend to be "we will solve that 
later". 

> 
> My fear — which has been consistent — is that if we don't respond to the 
> market's desires today (represented by Facebook, Yahoo, and others' comments) 
> then we won't be part of the conversation when potential adopters are looking 
> for better solutions tomorrow.

v.Next was responding to the market's requirements for changes in OpenID. We 
have not been very good at moving that forward to date. Hopefully that will 
change.

> 
> So, if we spin out the Connect proposal — or cause it so much friction that 
> it can't effectively proceed here — then by the time the ill-named v.Next 
> proposal is completed (with all of the "necessary" use cases addressed), the 
> world may have moved on, and the Foundation proven irrelevant. I don't see it 
> as an all-or-nothing situation, but as others have said, there will be an 
> identity piece baked into OAuth sooner than later, and if that work doesn't 
> happen within the OIDF, we're going to be pitching a product that no one has 
> really said that they want, or are currently signing up to implement, based 
> on the lack of clarity in the description of v.Next today, whereas there are 
> already working prototypes of the Connect proposal in the wild.
>  
> There needs to be a bridge between OpenID 2.0 — which is a perfectly fine 
> solution for many use cases today — and the next iterations of OpenID 2.x and 
> beyond. 

I am ok with us having a Connect WG. I am not ok with the current charter. I 
provided significant constructive feedback on the charter. I would like to see 
a revised charter that we can all work on. Then we can have the technical 
discussion.

fwiw: I truly appreciate your tone and you taking the time to respond! :)

-- Dick

_______________________________________________
board mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-board
