From conversations at IIW, I would say that David/Facebooks design goal is something as simple as possible for RP to get the minimum information.
That may well translate into weak, in this version of the proposal. Talking to Brenno and others, variations on this approach may be significantly less weak. Once there is a openID WG considering the issue under our IPR policy I will feel significantly more comfortable contributing. As a community director doing openID standards development outside of the foundation is not something that I can personally participate in. I am looking forward to the vNext working group getting to work. I hope as a member you will be participating as well. Regards John B. On 2010-05-19, at 2:25 AM, Ben Laurie wrote: > > > On 16 May 2010 00:57, David Recordon <[email protected]> wrote: > The past few months I've had a bunch of one on one conversations with a lot > of different people – including many of folks on this list – about ways to > build a future version of OpenID on top of OAuth 2.0. Back in March when I > wrote a draft of OAuth 2.0 I mentioned it as one of my future goals as well > (http://daveman692.livejournal.com/349384.html). > > Basically moving us to where there's a true technology stack of TCP/IP -> > HTTP -> SSL -> OAuth 2.0 -> OpenID -> (all sorts of awesome APIs). Not just > modernizing the technology, but also focusing on solving a few of the key > "product" issues we hear time and time again. > > I took the past few days to write down a lot of these ideas and glue them > together. Talked with Chris Messina who thought it was an interesting idea > and decided to dub it "OpenID Connect" (see > http://factoryjoe.com/blog/2010/01/04/openid-connect/). And thanks to Eran > Hammer-Lahav and Joseph Smarr for some help writing bits of it! > > So, a modest proposal that I hope gets the conversation going again. > http://openidconnect.com/ > > If the goal is to get something as weak as possible without it instantly > collapsing around your ears, then this sounds like a great plan. > > If, OTOH, you are interested in actually protecting peoples' identities, then > OAuth 2.0 doesn't seem like a great starting point. > > > --David > > _______________________________________________ > specs mailing list > [email protected] > http://lists.openid.net/mailman/listinfo/openid-specs > > > _______________________________________________ > specs mailing list > [email protected] > http://lists.openid.net/mailman/listinfo/openid-specs
_______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
