On Mon, Apr 19, 2010 at 8:38 PM, Nate Klingenstein <[email protected]> wrote:
>
> This service, again, does many things we're uncomfortable with: stores
> active user sessions at third parties, stores trust lists on behalf of third
> parties, tightly couples a specific discovery service to the rest of the
> federated identity infrastructure, and contingent on other checks, it could
> present its users' bearer tokens/sessions, if those are represented by
> extenders' XAuth tokens.
>
> As I mentioned earlier, I can think of ways I could leverage XAuth to avoid
> some of those drawbacks, but not others. I'm not against trusted services:
> they're important and necessary for infrastructure. I'm not suggesting any
> of those attacks is probable. But it means xauth.org would have to be an
> immensely trusted and well-governed service, and federated identity
> infrastructure would be much more centralized than it is today.
>
> So, having it randomly pop up from Meebo based on a bunch of ideas floated
> by Google with absolutely no information about governance, ownership,
> security measures, etc. gives me the willies. Address some of those things,
> confirm that the appropriation I described earlier is okay, and I'll feel a
> little better, maybe even like this could be useful.
>

The place to address these issues is on the XAuth list:

http://groups.google.com/group/xauth

The issues you raise are all the right ones, and the answers are not well formulated yet. That said, Meebo demonstrated a very strong desire to be able to move "at a startup's pace" and really just get something out to demonstrate a concept in practice (to a new audience, I suppose!) and then iterate from here. Less than perfect, yes, but ideal for making progress and forcing these conversations into concrete outcomes.

Chris

--
Chris Messina
Open Web Advocate, Google

Personal: http://factoryjoe.com
Follow me on Buzz: http://buzz.google.com/chrismessina
...or Twitter: http://twitter.com/chrismessina

This email is: [ ] shareable [X] ask first [ ] private
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
