[OpenID] Uniting two identifiers: revisited
Martin Atkins
mart at degeneration.co.uk
Mon Jan 1 20:51:44 UTC 2007

Hi all,

I realise this has been discussed before, but I don't believe a suitable
solution was reached. The issue here is how to indicate that two
identifiers represent "the same" identity in a machine-readable fashion.
(This would, of course, be optional.)

For example, I'd like both my HTTP URL and my i-number to represent
the same identity.

Some existing implementations of OpenID relying party (LifeWiki, for
example) currently allow this by logging in with one identifier and then
authenticating with additional identifiers to associate them. Of course,
this only creates the association for that website, meaning that I have
to repeat this process for every site.

Most OpenID implementations currently use the identifier as the primary
key for an "account" or "identity". I consider this a dreadful practice
as it not only prevents identity synonyms but also makes migration
between identifiers difficult. (Though I'm not discussing the latter
here, of course.)

So the two things that need to be done to address this, as I see it, are:

* Strongly advise all OpenID relying party implementations to allow
  multiple identifiers per "account" or "identity" wherever this makes sense.
* Devise a machine-readable way to express identity synonyms which can
  cross the boundary between HTTP URLs and XRI URLs. (The XRI stuff
  already allows synonyms, but that doesn't help me when some of my
  identifiers are HTTP URLs.)
* Find some way to get all of the existing RP implementations to start
  using the mechanism from the previous point to automatically establish
  the relationship between two identifiers when logging in.

I think one pertinent question is what the correct behavior would be in
the case where a pair of identifiers that were previously connected
cease to be so. I'm sure there are other hairy cases.

Discuss? :)
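
Added example, not part of the original message and not code from any OpenID implementation: a sketch of the relying-party account model the post argues for, in which the account has its own key and each identifier is a row pointing at it. The table and function names are hypothetical, the sketch assumes every identifier passed in has already been authenticated and normalized, and it covers only per-site linking, not the cross-site synonym mechanism the post asks for.

```python
import sqlite3

# Hypothetical relying-party store: the account has its own surrogate key,
# and each verified OpenID identifier is a row that points at it.
SCHEMA = """
CREATE TABLE account (id INTEGER PRIMARY KEY);
CREATE TABLE identifier (
    value TEXT PRIMARY KEY,               -- normalized HTTP URL or i-number
    account_id INTEGER NOT NULL REFERENCES account(id)
);
"""

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def account_for(db, ident):
    row = db.execute("SELECT account_id FROM identifier WHERE value = ?",
                     (ident,)).fetchone()
    return row[0] if row else None

def login(db, verified_ident):
    """Call only after OpenID authentication of verified_ident succeeded."""
    acct = account_for(db, verified_ident)
    if acct is None:  # first visit: create an account for this identifier
        acct = db.execute("INSERT INTO account DEFAULT VALUES").lastrowid
        db.execute("INSERT INTO identifier VALUES (?, ?)", (verified_ident, acct))
    return acct

def link(db, session_account, verified_ident):
    """Attach a second identifier the logged-in user has just authenticated with."""
    owner = account_for(db, verified_ident)
    if owner is not None and owner != session_account:
        # Silently re-pointing the row would hand one user's account to another.
        raise PermissionError("identifier already belongs to another account")
    if owner is None:
        db.execute("INSERT INTO identifier VALUES (?, ?)",
                   (verified_ident, session_account))

def unlink(db, session_account, ident):
    """Drop a synonym, but never the last identifier (assumed policy)."""
    n = db.execute("SELECT COUNT(*) FROM identifier WHERE account_id = ?",
                   (session_account,)).fetchone()[0]
    if account_for(db, ident) != session_account or n < 2:
        raise ValueError("cannot unlink this identifier")
    db.execute("DELETE FROM identifier WHERE value = ?", (ident,))
```
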