Implemented OpenID... why?

Johannes Ernst jernst+lists.danga.com at netmesh.us
Sat Apr 29 03:46:00 UTC 2006


The Yadis idea is to augment the capabilities of OpenID with an open  
and extensible set of additional services that, collectively, should  
answer your question.

As you may know, this is the mailing list for both Yadis and OpenID.

OpenID sign-on -- like any other form of sign-on -- does exactly  
that, and no more.
That's a feature, not a bug, because it means it's modular and not  
too many things are packed into the same kitchen sink.

If you want relying parties to be able to obtain first and last name  
etc. from the identity host, you need some mechanism for "profile"  
exchange. You have several choices:
  - string your own and advertise it in the Yadis file that goes with  
your OpenID URL, potentially re-using VCard / FOAF etc. (as you like)
  - use the about-to-be defined simple registration service type,  
which may or may not be sufficient for what you have in mind
  - use LID VCard queries (see http://lid.netmesh.org/ ), which is  
very general-purpose

Having choices again is a feature, not a bug: there is no agreement  
so far in the industry whether the information should be pushed or  
pulled (see the archives on this list, for example), whether it  
should be XML or not, even what exactly constitutes a First and Last  
Name (in some cultures). [I personally have an opinion, which is why  
we did LID VCard queries, but you can find plenty of people who have  
different ideas, I want to be fair ...]

Obtaining e-mail addresses may be another topic: for one, people  
don't like to hand out e-mail addresses any more, certainly not to  
some automated piece of software that may then pass them along to  
"everybody" (the end user can't really tell). But it may be that your  
requirement really isn't to get your users' e-mail addresses, but  
that you can send them e-mail e.g. for something like notifying them  
of price increases or decreases ;-) You can solve that requirement by  
making e-mail address part of the "profile", or you can create a  
different Yadis service for the same identity URL:

we did exactly that for mylid.net -- which hosts LID and OpenID  
identity URLs -- and which allows URL owner A to send an  
authenticated message to URL owner B. Authenticating through the same  
SSO as if the client was a web browser instead of a script sending  
messages. Maybe that's the protocol you are looking for? You can then  
automatically verify that incoming messages were indeed sent by whoever  
said they sent them (no fake sender addresses, white / black / etc.  
listing) and forward them to e-mail, for example.

So the short answer is: you are right.
However, that's why so many people on this list have been taking it  
beyond OpenID to Yadis. And you found the community in which you can  
contribute making sure that your requirements are being addressed ...  
and you can build on their work, without being constrained by what  
one vendor defined ex cathedra ;-)

If you are at IIW Monday-Wed, corner some of us who'll be there to  
discuss ...

Cheers,



Johannes.




On Apr 28, 2006, at 19:42, Thom McGrath wrote:

> I just completed implementation of an OpenID server (this is home- 
> grown, not a standard library). This was hard without a good  
> tutorial and whatnot, but besides the point. I'm also planning on  
> creating the consumer end. But then I ran into a logic issue: why?
>
> Since OpenID doesn't appear to share any user information at all,  
> why on earth am I doing this. If I want to allow people to login to  
> my site via OpenID, I still need to ask them for all the standard  
> registration info, like name and e-mail. That seems very... useless.
>
> From openid.net: "There's no profile exchange component at all:  
> your profile is your identity URL, but recipients of your identity  
> can then learn more about you from any public, semantically  
> interesting documents linked thereunder (FOAF, RSS, Atom, vCARD,  
> etc.)."
>
> Is there a defined API for second call for data, or are we on our  
> own for that one? I mean, OpenID seems like a fantastic idea and  
> implementation, but the process of actually *getting* to a user's  
> data seems to be completely undefined. Am I wrong?
>
> --
> Thom McGrath, <http://www.thezaz.com/>
> "You realize you've created God in your own image when God hates  
> all the same people you do."
>

Johannes Ernst
NetMesh Inc.

  http://netmesh.info/jernst
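The first option Johannes lists above, advertising a service "in the Yadis file that goes with your OpenID URL", as an added example that is not part of this message or of any NetMesh, LID or Yadis project code: a constructed XRDS document of the kind an identity URL could publish, plus a small Python helper a relying party could use to find out which services the URL owner advertises (OpenID sign-on, simple registration, a profile query) and in what order of priority. The `http://openid.net/signon/1.0` and `http://openid.net/sreg/1.0` type URIs are the real ones from that period; the LID vCard type URI, the hostnames and the function names are assumptions made for the example.

```python
"""Yadis/XRDS service discovery for a relying party (added example,
not code from the original message or from NetMesh/Yadis)."""
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"          # namespace of <XRD>, <Service>, <Type>, <URI>
OPENID_SIGNON = "http://openid.net/signon/1.0"   # OpenID 1.x sign-on service type
OPENID_SREG = "http://openid.net/sreg/1.0"       # simple registration extension type
LID_VCARD = "http://lid.netmesh.org/vcard-query/1.0"  # hypothetical type URI for the example

# Constructed sample Yadis document, as a relying party would fetch it from the
# claimed identity URL (via the X-XRDS-Location header or Accept: application/xrds+xml).
# Hostnames are placeholders.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>http://lid.netmesh.org/vcard-query/1.0</Type>
      <URI>https://idp.example/lid/vcard</URI>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/signon/1.0</Type>
      <Type>http://openid.net/sreg/1.0</Type>
      <URI>https://idp.example/openid/server</URI>
    </Service>
    <Service>
      <Type>http://openid.net/signon/1.0</Type>
      <URI>https://backup-idp.example/openid/server</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def parse_services(xrds_text):
    """Return every <Service> as a dict of its types, URIs and priority.

    A production relying party should bound the size of the fetched document
    before parsing; this example only handles the XML structure.
    """
    root = ET.fromstring(xrds_text.encode("utf-8"))
    services = []
    for svc in root.iter("{%s}Service" % XRD_NS):
        types = [t.text.strip() for t in svc.findall("{%s}Type" % XRD_NS) if t.text]
        uris = [u.text.strip() for u in svc.findall("{%s}URI" % XRD_NS) if u.text]
        prio_attr = svc.get("priority")
        # XRD semantics: a lower number wins; an element with no priority
        # attribute is treated as lowest priority.
        priority = int(prio_attr) if prio_attr is not None else float("inf")
        services.append({"types": types, "uris": uris, "priority": priority})
    return services


def find_services(xrds_text, wanted_type):
    """Services advertising wanted_type, best priority first."""
    matches = [s for s in parse_services(xrds_text) if wanted_type in s["types"]]
    return sorted(matches, key=lambda s: s["priority"])


def profile_source(xrds_text):
    """Answer the question in the thread: where can a relying party ask for
    profile data for this identity URL?  Returns (service type, endpoint)
    for the first advertised profile mechanism, or None if there is none."""
    for profile_type in (OPENID_SREG, LID_VCARD):
        found = find_services(xrds_text, profile_type)
        if found and found[0]["uris"]:
            return profile_type, found[0]["uris"][0]
    return None


if __name__ == "__main__":
    for s in find_services(SAMPLE_XRDS, OPENID_SIGNON):
        print("OpenID server:", s["uris"][0], "priority", s["priority"])
    print("profile via:", profile_source(SAMPLE_XRDS))
```

Two points a relying party should keep in mind when using this: the XRDS must be fetched from the claimed identity URL itself, not taken from whatever the identity host sends back during sign-on, otherwise the host can advertise services on behalf of a URL it does not control; and a service entry only says where to ask for profile data, it says nothing about whether the data returned is accurate, so the sign-on assertion still has to be verified in the normal way before any profile answer is tied to a user.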