[OpenID] What Should an OpenId Be? [WAS: RE: Proposal for Modularizing Auth 2.0 Discovery]

David Fuelling sappenin at gmail.com
Thu Mar 1 07:07:25 UTC 2007


> -----Original Message-----
> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf
> Of Gabe Wachob
> Sent: Wednesday, February 28, 2007 3:02 PM
> To: 'Drummond Reed'; 'Martin Atkins'; specs at openid.net
> Subject: Proposal for Modularizing Auth 2.0 Discovery
>
<snip>
> 
> Basically, the Discovery Spec would specify that for any identifier scheme
> to work with OpenID, it MUST define a way of being constructed into an
> HTTP
> URI and then returning a XRDS with an HTTP GET on that HTTP URI. If there
> are other ways of resolving it, then implementations MAY use those other
> methods of resolution ("native resolution", if you will). In essence, this
> is a requirement for HTTP gateway(s) to whatever resolution infrastructure
> exists today.

+1.  

Wherever we go from here, we need to be clear and define exactly what *is*
and what *is not* an Open Id Identifier.  

A while back there was <understatement>some talk</understatement> about
whether email addresses should be used as 1st-Class or 2nd-Class OpenIds
(see the wiki here
http://openid.net/wiki/index.php/Debating_Emails_as_1st-Class_or_2nd-Class_C
itizens).  I think it is important to be clear that it is *not* a great idea
to use certain "other" identifiers (email address, phone number, etc) *as*
OpenIds.  Rather, these should instead map to OpenId Http URL's (or XRI's if
possible).

This is important because profile attributes like email address, telephone
number, etc may or may not be private in certain circumstances. 

For example, logging-in with my email address at an RP, which maps my email
address to a publicly-displayable OpenId, is an ok thing to do assuming I
trust the RP with my email address (The RP will hopefully respect my privacy
by displaying my mapped OpenId URL or XRI on publicly facing pages where
appropriate).  

If we drift into the territory that says "emails addresses (or other profile
attributes) *are* OpenIds", then RP's and end-users will run into lots of
problems -- E.g., an RP has a publicly facing page that needs to show a
user's identifier, but doing so with an email OpenId would be bad for the
end user, so the RP is stuck.  

Bottom Line (repeating myself): We need to be clear and define exactly what
*is* and what *is not* an Open Id Identifier.  I think the current spec is
right on the money here:  OpenId Identifiers should be an Http URI or an
XRI.






More information about the general mailing list