Thanks for weighing in, just saw your post as well. In the spirit of
open discussion...
On Mon, Apr 19, 2010 at 15:52, Chris Messina <chris....@gmail.com> wrote:
> I'm totally sympathetic (and supportive) to distributing and decentralizing
> XAuth but have come to be more pragmatic recently, if only because there are
> two paths forward:
> * centralize your list of preferred services in the browser (meaning upgrade
> EVERYONE's browser)
> * centralize everyone's preferred services on a single server (with
> appropriate controls for opting-out and controlling data access)
I thought "personal discovery" was all about the third way. For
example, you can webfinger me and get a list of services that I prefer
to use. This tells you which services I use (and in the case of my
example, also how to communicate with them, OExchange). E.g.
http://webfingerclient-dclinton.appspot.com/lookup?identifier=wi...@willmeyer.com&format=web.
Granted, XAuth is a more general case, "get the services on which I
have accounts" identified by domain as opposed to some other spec, but
it's the same concept. Webfinger, or at least the spirit of personal
discovery, would provide a way to allow users to have service
preferences be discoverable without having to share javascript and
allocate one domain/js for a shared cookie space.
> Unfortunately, it's really hard to get browser makers to take the identity
> opportunity seriously, and as a result, the industry decided to move in this
> direction.
I'm all for industry moving forward... Who owns xauth.org? Who
updates the JS? Who controls that CDN? For example, AddThis has a
ton of this kind of data (who uses what services to share content),
and an api to get at it, though I wouldn't have positioned it as a
standard; it's a product feature.
> Now, it's important to note that XAuth is not a unique approach to this
> problem. In fact it's what many institutions in Europe and academia do using
> SAML:
>
> http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.html
>
> I think XAuth is somewhat clever in how it leverages HTML5 localStorage and
> postMessage, and provides a way forward for how the browser could actually
> get more involved in service publication/discovery.
This is basically how most proprietary implementations of this kind of
thing work today. Getting around x-domain by sharing some JS and
having it post back to the parent is well-known. I'd also argue that
just because it's HTML5 storage as opposed to cookies doesn't get
around the issues, both real and perceived, currently plaguing 3rd
party cookies.
In any case, I'm a big fan of things moving forward in real, practical
terms. So kudos there to concrete progress. This just reads to me
more like a product-level integration than it does an open model,
and one that has a lot of technical concerns at that. Maybe I got too
excited about Webfinger's potential for personal discovery, if we're
all just going to do this with x-domain cookie hacks and shared JS.
Will be anxious to participate in the XAuth discussion once it opens
up somewhere (I did email the meebo account on the spec page).
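The shared-iframe model the thread describes (a hub page on one central domain, reached by postMessage, keeping the user's service list in that domain's localStorage), as an added example that is not part of the original thread or XAuth's own code. The command names, storage layout and origin rules are a simplified hypothetical model, not the XAuth spec; in Node a Map stands in for localStorage, and the handler takes the sender origin as an argument instead of reading it from a MessageEvent. The point to notice is the last retrieve: an entry extended to '*' is readable by any site that can load the hub.

```javascript
// Simplified hub model (added example, not XAuth's code). A Map stands in
// for localStorage, and the handler takes (message, senderOrigin) instead of
// the MessageEvent a real postMessage listener would receive.

// Parse the sender's origin; accept only https origins.
function normalizeOrigin(origin) {
  let url;
  try { url = new URL(origin); } catch { return null; }
  return url.protocol === 'https:' ? url.origin : null;
}

// Hub handler. `store` maps a service origin to { token, expire, allowed }.
function handleHubMessage(msg, senderOrigin, store, now = Date.now()) {
  const sender = normalizeOrigin(senderOrigin);
  if (!sender) return { error: 'untrusted origin' };
  if (msg.cmd === 'extend') {
    // A service may only write its own entry: the verified sender origin is the key.
    const allowed = Array.isArray(msg.extend) ? msg.extend : [];
    store.set(sender, { token: String(msg.token), expire: Number(msg.expire), allowed });
    return { ok: true };
  }
  if (msg.cmd === 'retrieve') {
    // A page learns only the tokens whose allow-list names its origin (or '*').
    const tokens = {};
    for (const svc of msg.retrieve || []) {
      const entry = store.get(svc);
      if (!entry || entry.expire <= now) continue;
      if (entry.allowed.includes('*') || entry.allowed.includes(sender)) tokens[svc] = entry.token;
    }
    return { ok: true, tokens };
  }
  return { error: 'unknown command' };
}

// Constructed scenario: three services register, then unrelated pages ask.
function demo() {
  const store = new Map();
  const later = Date.now() + 3600 * 1000;
  const svc = ['https://service-a.example', 'https://service-b.example', 'https://service-c.example'];
  handleHubMessage({ cmd: 'extend', token: 'tokA', expire: later, extend: ['https://reader.example'] }, svc[0], store);
  handleHubMessage({ cmd: 'extend', token: 'tokB', expire: later, extend: ['*'] }, svc[1], store);
  handleHubMessage({ cmd: 'extend', token: 'old', expire: Date.now() - 1, extend: ['*'] }, svc[2], store);
  const ask = { cmd: 'retrieve', retrieve: svc };
  return {
    reader: handleHubMessage(ask, 'https://reader.example', store).tokens, // tokA and tokB
    other: handleHubMessage(ask, 'https://other.example', store).tokens,   // tokB only: '*' exposes it to any site
    plain: handleHubMessage(ask, 'http://reader.example', store),          // rejected: not https
  };
}
```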