LWN: Comments on "FUDCon report from the Fedora Project Leader (Red Hat Magazine)"

OpenID provider vs relying party

tialaramex — Sat, 02 Aug 2008 15:47:30 +0000

[This reply is a bit late coming, sorry]

OpenID doesn't forbid you from attaching some site-specific conditions to usage. I see that
the CLA process requires contributors to give you a telephone contact number and a home or
work address. You could easily also ask them to provide an OpenID at this point.

If someone signs into the site using an OpenID that doesn't have a CLA on file, you can send
them to information about joining Fedora. For existing members you can add an account page
which lets them add or remove an OpenID on their account, in the same way that they can
currently change their contact details or password.

If the CLA is taken very seriously (do you follow-up and check that every telephone number is
valid and contacts the person who filled out the form? that every address given is a
residential or office address and that the person lives or works there?) then you might want
to Whitelist OpenID providers based on their authentication policies, but in any case there is
no legal blocker to being a relying party. I hope you can make it happen.

OpenID provider vs relying party

mmcgrath — Tue, 24 Jun 2008 18:51:52 +0000

> Setting up an OpenID _provider_ like this is very nearly useless. Fedora
> ought to be looking at becoming an OpenID relying party, not a provider.

I wouldn't say useless.  People like being able to, for example, make comments on livejournal
without needing an account.  Lots of bloggers (including myself) use livejournal.

As far as being a consumer, we're in an odd position there.  We have an OpenID plugin for our
wiki that we could enable right now, the problem is in our Contributor License Agreement.
Without having signed it, we can't accept someone's content... basically making an account with
us useless without the CLA.  I'm still looking into a couple of options but without something
like an agreement between our CLA and some other organization's CLA, Fedora's future as an
OpenID consumer is, unfortunately, limited.  We knew this was a possibility but made the
changes anyway and are hoping the Legal system can catch up :)

OpenID provider vs relying party

rahulsundaram — Tue, 24 Jun 2008 17:28:14 +0000

Being a relaying party is the next step. Patience, it is happening. There are places where it
can be done and that needs to move carefully.

OpenID provider vs relying party

tialaramex — Tue, 24 Jun 2008 17:18:46 +0000

This means that the identity you create in the Fedora Project can be used across thousands of
web sites.

... but the identity you already have cannot be used at the Fedora Project.

Setting up an OpenID _provider_ like this is very nearly useless. Fedora ought to be looking
at becoming an OpenID relying party, not a provider.

Let me provide an analogy. Being an OpenID provider is like setting up a credit card company.
Maybe you want to do that, if you're a big financial organisation and you have all the
know-how to do a good job of it, and you feel that you can offer something better (low
interest rate, convenient payment, etc.) than competitors. But if you don't have the expertise
then you're producing Monopoly money, everyone will stick with their VISA.

But if you want to reduce how many different credit cards people carry, you don't want to set
up a credit card company, you want to start accepting the most common existing credit cards.
Offering your own brand of card is actually counter-productive, that's just another card
everyone has to carry.

Adding relying party support to Fedora's site and services would be much harder, but it
wouldn't be an empty gesture like this, it would be a real achievement. There would be solid
benefits for Fedora and its users. Worried about "break-ins" ? No-one can steal your user's
passwords, because you don't have them, you don't even have a password hash, you just know
their OpenID which is public. Concerned about integration? The use of URIs in OpenID makes it
child's play to join two arbitrary account systems together, and if they need to be separated
again later you can safely do that too. No more "all passwords will need to be changed, sorry"
emails or "please note that now the password from site A is used on site B".