how different is OpenID from SXIP?

[Dick Hardt]

On 15-Mar-06, at 7:57 AM, Josh Hoyt wrote:

> On 3/15/06, John Merrells <merrells at sxip.com> wrote:
>> The discovery phase of the protocol is based
>> on the user providing the name of their 'homesite' rather than
>> providing their identifier, which has privacy advantages for the
>> end user.
>
> It is easy to add another level of indirection to LID or OpenID or any
> other URL-based identity system. I do not consider this a significant
> difference at all.

SXIP does not have another level of indirection.

I think you are missed reading "privacy advantages" above

> Also, I believe users will usually want to identify themselves by
> their *identifier* (URL) rather than the name of a particular service
> provider.

Well, now the user has uniquely identified themselves with one of a  
small number of URLs that they can remember to type in. Are we really  
that much further along then passwords?

The identity exchange might just be for the user's name and email[1],  
but another unique identifier has been provided that was not required  
(breaking one of Kim Camerons laws)

> I think this is a big usability issue.

I would argue that it is much easier (and natural) for the user to  
type in a domain name then a full URL

> It is also true that
> SXIP can be modified to allow entering the identity URL *or* the
> homesite URL, and I think that it should, if it is meant to be a
> solution for the masses.

[1] also, if the email is pushed to the RP instead of being pulled,  
the Homesite can generate a unique email just for that RP, so that  
the RP does not have a triangulating identifier, and also the user  
can kill the unique email if it is abused