Comments on: A Venn of identity in web services, now with OAuth http://www.xmlgrrl.com/blog/2009/10/02/a-venn-of-identity-in-web-services-now-with-oauth/ XML, identity, crafting, and other tangled musings Tue, 16 Mar 2010 18:34:34 -0700 http://wordpress.org/?v=2.8.4 hourly 1 By: Eve http://www.xmlgrrl.com/blog/2009/10/02/a-venn-of-identity-in-web-services-now-with-oauth/comment-page-1/#comment-255017 Eve Fri, 16 Oct 2009 18:32:49 +0000 http://www.xmlgrrl.com/blog/?p=1772#comment-255017 Good point! I think all such taglines need to be taken with a grain of salt, as they're partly about marketing. (I also notice openid.net now says "OpenID is a safe, faster, and easier way to log in to web sites," and yet "safe" is an awfully big promise -- as are "faster" and "easier"! What's it being compared to?... Local logins are still probably the fastest, once you've registered.) Good point! I think all such taglines need to be taken with a grain of salt, as they’re partly about marketing. (I also notice openid.net now says “OpenID is a safe, faster, and easier way to log in to web sites,” and yet “safe” is an awfully big promise — as are “faster” and “easier”! What’s it being compared to?… Local logins are still probably the fastest, once you’ve registered.)

]]> By: Praveen Alavilli http://www.xmlgrrl.com/blog/2009/10/02/a-venn-of-identity-in-web-services-now-with-oauth/comment-page-1/#comment-255016 Praveen Alavilli Fri, 16 Oct 2009 18:26:51 +0000 http://www.xmlgrrl.com/blog/?p=1772#comment-255016 true - the language used to define what OpenID and OAuth are is very confusing. OpenID for example used to have "OpenID is an open, decentralized, free framework for user-centric digital identity." but now on it's redesigned website it says "OpenID is a decentralized authentication protocol that makes it easy for people to sign up and access web accounts. " OpenID an Authentication protocol ? should have called it an SSO or Identity Exchange Protocol instead ? true – the language used to define what OpenID and OAuth are is very confusing. OpenID for example used to have “OpenID is an open, decentralized, free framework for user-centric digital identity.” but now on it’s redesigned website it says “OpenID is a decentralized authentication protocol that makes it easy for people to sign up and access web accounts. ” OpenID an Authentication protocol ? should have called it an SSO or Identity Exchange Protocol instead ?

]]> By: Eve M. http://www.xmlgrrl.com/blog/2009/10/02/a-venn-of-identity-in-web-services-now-with-oauth/comment-page-1/#comment-255013 Eve M. Fri, 16 Oct 2009 18:04:15 +0000 http://www.xmlgrrl.com/blog/?p=1772#comment-255013 Hi Praveen-- I think I used their own original description for themselves (though they do describe it as a protocol in the modern era...guess I should revise the diagram!). I see it as a protocol myself, and do think there's a useful distinction between them, even if it's sometimes fuzzy. A protocol defines a contract, and APIs assist in implementation and deployment of real-world endpoints that are parties to that contract, creating distance but also ease. (I had some thoughts about this subject <a href="http://www.xmlgrrl.com/blog/2007/10/31/the-i-files-the-truth-is-out-there/" rel="nofollow">a couple of years back</a>, wrt interop.) Framework and platform mostly get too fuzzy for useful distinctions. :-) Hi Praveen– I think I used their own original description for themselves (though they do describe it as a protocol in the modern era…guess I should revise the diagram!). I see it as a protocol myself, and do think there’s a useful distinction between them, even if it’s sometimes fuzzy. A protocol defines a contract, and APIs assist in implementation and deployment of real-world endpoints that are parties to that contract, creating distance but also ease. (I had some thoughts about this subject a couple of years back, wrt interop.) Framework and platform mostly get too fuzzy for useful distinctions. :-)

]]> By: Praveen Alavilli http://www.xmlgrrl.com/blog/2009/10/02/a-venn-of-identity-in-web-services-now-with-oauth/comment-page-1/#comment-255011 Praveen Alavilli Fri, 16 Oct 2009 17:56:36 +0000 http://www.xmlgrrl.com/blog/?p=1772#comment-255011 I am confused why OAuth was categorized as an API - it's more a security framework for WebAPIs and obviously as with any other frameworks it does have a protocol (token exchange and authorization) that helps in bootstrapping APIs built using the OAuth framework. No? I always feel it's confusing to draw a line between "API - Protocol - Framework - Platform" - given that each one of them weaves together with another in one way or other to become another. :-) I am confused why OAuth was categorized as an API – it’s more a security framework for WebAPIs and obviously as with any other frameworks it does have a protocol (token exchange and authorization) that helps in bootstrapping APIs built using the OAuth framework. No? I always feel it’s confusing to draw a line between “API – Protocol – Framework – Platform” – given that each one of them weaves together with another in one way or other to become another. :-)

]]> By: Henry Story http://www.xmlgrrl.com/blog/2009/10/02/a-venn-of-identity-in-web-services-now-with-oauth/comment-page-1/#comment-253502 Henry Story Fri, 02 Oct 2009 21:33:29 +0000 http://www.xmlgrrl.com/blog/?p=1772#comment-253502 I would be interested in your view on how foaf+ssl fits into this diagram. http://esw.w3.org/topic/foaf+ssl I don't have much experience with much of the technology described here, so it is difficult for me to position it in there. foaf+ssl is completely RESTful, so it would be a good candidate to look at how far a RESTful effort can go. A very initial first thought: 1. foaf+ssl is based on URIs. URIs - Universal Resource Identifiers - deal with identity at the most general level. 2. foaf+ssl uses the RDF, a framework to describe anything, that is modular and composable. 3. foaf+ssl uses the linked data pattern for deploying RDF, such that dereferencing URLs using their canonical dereferencing mechanism, gives you information about the meaning of that ID. This gives you an the discovery service. 4. foaf+ssl uses SSL to tie a user agent to a URI. This is similar to what openid does. I think one can do something similar to OAuth quite easily by following this RESTful pattern. I would be interested in your view on how foaf+ssl fits into this diagram.
http://esw.w3.org/topic/foaf+ssl

I don’t have much experience with much of the technology described here, so it is difficult for me to position it in there. foaf+ssl is completely RESTful, so it would be a good candidate to look at how far a RESTful effort can go.

A very initial first thought:

1. foaf+ssl is based on URIs. URIs – Universal Resource Identifiers – deal with identity at the most general level.
2. foaf+ssl uses the RDF, a framework to describe anything, that is modular and composable.
3. foaf+ssl uses the linked data pattern for deploying RDF, such that dereferencing URLs using their canonical dereferencing mechanism, gives you information about the meaning of that ID. This gives you an the discovery service.
4. foaf+ssl uses SSL to tie a user agent to a URI. This is similar to what openid does.

I think one can do something similar to OAuth quite easily by following this RESTful pattern.

]]>