Announcing YADIS...again

[Brad Fitzpatrick]

Whoa, whoa, confusion, everybody....

YADIS is not an identity/auth protocol at all.  It's just a capability
discovery protocol.  In practice it'll say "I only do OpenID" or "I do
LID" or "I do OpenID and Sxip" or "I do LID and Foo."

It's a hacky solution until more work is done in the identity space, but a
very needed one.  The idea of YADIS was incredibly well received by nearly
everybody at the 2005 Internet Identity Workshop this week.  We may end up
using XRI's XRID stuff for capability payloads (which are pretty much
identical to the mock example YADIS ones), but /something/ will happen.

While all the identity players are trying to figure this stuff out, we
need to at least announce what rules we're playing by.

As far as OpenID and LID go, that's entirely outside YADIS, but version
2.0 of either OpenID or LID (or what their new name together is) will
require something like YADIS to exist for consumers (aka "relying parties,
membersites") to cope well.

More than likely OpenID and LID will merge but will have a bunch of
optional components.  In the bare most minimal state, supporting no
capabilities except OpenID auth, it'll be exactly OpenID 1.0 as it is
today.

As for Six Apart sprinkling buzzwords to sell identity solutions or
whatever that rubbish I heard was:  false.  Six Apart didn't write that
document... NetMesh (Johannes of LID) did.  So blame him.  :-)

Hopefully this sheds some light on things.

- Brad


On Fri, 28 Oct 2005, Kurt Raschke wrote:

>
> On Oct 28, 2005, at 6:52 PM, Adrian.Blakey at kp.org wrote:
>
> > Yadis is a very serious attempt made by some seriously smart people
> > to develop someting useful.
>
> And where is the evidence of this?  As pointed out by several others
> on the list (NOT just me), all we have thus far is a set of buzzword-
> riddled specifications that seem to ruin the simplicity of OpenID by
> apparently merging it with LID, a far-from-lightweight protocol.
>
> > Stop complaining.
>
> If you want me to stop complaining, then show me hard evidence that
> YADIS is an improvement over OpenID.  I would not say that
> interoperability alone is an improvement.  As Martin Atkins noted,
> intermediaries and multi-protocol identity servers are both feasible
> solutions to the problem of multiple, incompatible identity protocols
> that don't require tampering with existing protocols.  Look at
> TypeKey, for example.  TypeKey added OpenID support, and now every
> TypeKey user has an OpenID identity as well.  They could just as
> easily add support for LID or whatever the next big identity protocol
> is, without requiring consumers to change anything.
>
> YADIS, on the other hand, seems to want for every party to be _both_
> a LID and OpenID producer or consumer, and that doesn't make sense.
> How does that improve LID?  How does that improve OpenID?  It makes
> OpenID bulkier, and I can't see at all what it does for LID.  Similar
> to the situation with TypeKey, if an OpenID producer site wants its
> users to have LID identities as well, they're free to add that
> functionality if they want.  And it certainly doesn't take the bulk
> of YADIS to do that.
>
> Finally:  Is stand-alone OpenID as it exists today going away?  If
> not, then I'll shut up.  But if OpenID (a useful, lightweight
> protocol) as we know it is going away, then I think there needs to be
> a serious discussion of the merits of this decision.
>
> And can we keep this on-list, please?
>
> -Kurt
>
>