[OpenID] Identity transfer

Hamish Allan hamish at gmail.com
Thu Mar 1 18:04:12 UTC 2007


Hi,

I am currently writing a web application and am considering using
OpenID for authentication. I do not wish to be a producer, so I would
direct my users to MyOpenID et al to sign up for an identity if they
do not already have one. The problem I have with that is that I am
asking them to trust a third party to allow them to associate their
future use of my web app with their current use. Of course I have no
specific reason to distrust MyOpenID, but I cannot guarantee that they
will not be bought by some corporation or other at some future point.
I could recommend to them that they get their own domain and use
delegation, but this presents a considerable barrier to their easy
adoption of my web app.

What I really want is to be sure a mechanism exists whereby users can
easily transfer their identity from one provider to another. Of
course, I could offer that service myself by providing the ability to
associate multiple OpenIDs with a single account, but I would be much
more comfortable in supporting adoption of OpenID if there was a more
automatic way of doing this. You can imagine something along the lines
of additional header info at openid.mydomain.com:

<link rel="openid.server" href="http://www.myopenid.com/server"/>
<link rel="openid.delegate" href="http://myname.myopenid.com"/>
<link rel="openid.replaces" href="http://myblog.livejournal.com"/>
<link rel="openid.replaces" href="http://openid.aol.com/myname"/>

When a consumer reads this, if the identity myname.myopenid.com is not
known to them, they should check for the identities
myblog.livejournal.com and openid.aol.com/myname; if either of these
is found, they should be confirmed and then replaced by the identity
openid.mydomainname.com (for which the service is actually provided by
openid.com). There might also be a directive to specify that
openid.mydomainname.com should be added as an additional identifier
rather than replacing myblog.livejournal.com or openid.aol.com/myname,
which I might use if I wanted redundancy in case of
openid.mydomain.com being unavailable.

If this were implemented, all users would have to do is to log into
sites using their new OpenID to replace their old one, rather than
having to go to a specific page on each site to add or change
identifiers (and something I read on Planet OpenID suggests that many
consumers do not even offer this facility).

Admittedly there would be certain issues for consumers, such as what
should happen if I try to replace one existing identity with another
and they cannot be merged. But are there other problems, or would
people like to see this sort of thing adopted?

Best wishes,
Hamish
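As an added illustration that is not part of the original post, the following Python sketch shows how a consumer might implement the proposed `openid.replaces` link relation end to end: discover the relations from the identity page, look up which of the listed old identifiers it already knows, require the user to prove control of each old identifier before anything is changed, and then either replace or keep the old identifiers. The `openid.replaces` relation, the `keep_old` switch standing in for the "add rather than replace" directive, and the `confirm_old` callback (modelling a normal OpenID authentication against the old provider) are all assumptions of this example, not part of OpenID; the identity page HTML is constructed from the tags in the post.

```python
"""Consumer-side sketch of the proposed openid.replaces relation.

Assumptions (hypothetical, not part of any OpenID specification):
  - ``openid.replaces`` is discovered from <link> tags in the identity page,
    exactly like ``openid.server`` and ``openid.delegate``.
  - The consumer honours a replacement only after the user has completed
    an ordinary OpenID authentication for the *old* identifier as well;
    that confirmation is modelled here as a callable passed by the caller.
  - ``keep_old`` stands in for the "add as an additional identifier"
    directive mentioned in the post.
"""
from html.parser import HTMLParser


class _LinkParser(HTMLParser):
    """Collect (rel, href) pairs from <link> tags in an identity page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        if a.get("rel") and a.get("href"):
            self.links.append((a["rel"], a["href"]))


def normalize(identifier):
    """Simplified identifier normalisation: ensure a scheme, drop trailing slash."""
    identifier = identifier.strip()
    if not identifier.startswith(("http://", "https://")):
        identifier = "http://" + identifier
    return identifier.rstrip("/")


def discover(identity_html):
    """Return (server, delegate, [replaced identifiers]) from the page's HTML."""
    parser = _LinkParser()
    parser.feed(identity_html)
    server = delegate = None
    replaces = []
    for rel, href in parser.links:
        if rel == "openid.server":
            server = href
        elif rel == "openid.delegate":
            delegate = href
        elif rel == "openid.replaces":
            replaces.append(href)
    return server, delegate, replaces


class MergeConflict(Exception):
    """The replaced identifiers belong to different local accounts."""


class ConsumerStore:
    """Maps OpenID identifiers to local account ids at the consumer."""

    def __init__(self, accounts=None):
        self.accounts = dict(accounts or {})   # identifier -> local account id
        self._next = 1

    def _new_account(self):
        acct = "acct-%d" % self._next
        self._next += 1
        return acct

    def login(self, claimed_id, identity_html, confirm_old, keep_old=False):
        """Resolve a successful login for claimed_id to a local account.

        Applies any openid.replaces entries that name identifiers this
        consumer already knows, but only those the user confirms control of.
        """
        new = normalize(claimed_id)
        if new in self.accounts:                # already known: nothing to migrate
            return self.accounts[new]
        _, _, replaces = discover(identity_html)
        confirmed = []
        for old in (normalize(r) for r in replaces):
            if old not in self.accounts:
                continue
            # Without this confirmation step any identity page could list
            # someone else's identifier and be attached to their account.
            if confirm_old(old):
                confirmed.append(old)
        targets = {self.accounts[o] for o in confirmed}
        if len(targets) > 1:                    # the "cannot be merged" case
            raise MergeConflict(sorted(targets))
        acct = targets.pop() if targets else self._new_account()
        self.accounts[new] = acct
        if not keep_old:
            for old in confirmed:
                del self.accounts[old]
        return acct


# Constructed sample identity page, using the tags from the post.
IDENTITY_PAGE = """<html><head>
<link rel="openid.server" href="http://www.myopenid.com/server"/>
<link rel="openid.delegate" href="http://myname.myopenid.com"/>
<link rel="openid.replaces" href="http://myblog.livejournal.com"/>
<link rel="openid.replaces" href="http://openid.aol.com/myname"/>
</head><body>constructed sample</body></html>"""


def demo():
    """Migrate a known LiveJournal identity to the new identifier."""
    store = ConsumerStore({"http://myblog.livejournal.com": "alice"})
    acct = store.login("openid.mydomain.com", IDENTITY_PAGE, confirm_old=lambda old: True)
    return acct, dict(store.accounts)


if __name__ == "__main__":
    print(demo())
```

The `confirm_old` callback is the point to get right in a real consumer: a replacement claim is just text on a page the user controls, so the consumer must complete a separate OpenID authentication for each old identifier before merging, and should treat an unconfirmed claim as if it were not there (the example then falls back to creating a fresh account rather than attaching to the existing one).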
