[OpenID] Laws of id, openid with ssl

Peter Williams pwilliams at rapattoni.com
Thu Jan 24 23:55:43 UTC 2008


I'm comfortable with that flow, as addressing a "UCI" version of the control objective that law 4 seems to be aiming for.
 
Rather than law 4 being to do with assured discovery (which addresses multiple OPs supporting n regimes of private id provisioning/asserting), in openid2 law 4 is addressed WITHIN the openid auth protocol machine, ONLY. That is: send the OP identifier and let an interactive page on the OP allow the user to select which of the private identities/cards managed by that OP may be (a) created/provisioned, and/or (b) sent back.
 
Was the flow I described consistent with the objective of the security control expressed in law 4, anyone?
 
Presumably, if it _is_ consistent, it is not "the" openid directed-identity model, but it is "a" directed-identity model.
 
We clearly should take up the suggestion of writing engineering notes - i.e. non-normative documents that "authoritatively" discuss such topics. Version 1 is presumably nothing more than 1 page, reformatting Dick's email - with a few comments added.

________________________________

From: Drummond Reed [mailto:drummond.reed at cordance.net]
Sent: Thu 1/24/2008 3:40 PM
To: 'Dick Hardt'; Peter Williams
Cc: 'OpenID List'
Subject: RE: [OpenID] Laws of id, openid with ssl



Peter, just to reinforce Dick's first step below -- in directed identity,
the user does not give their own public identifier to the RP, only the
identifier of their OP. That way the RP knows how to discover the OP's XRDS
and connect to the service endpoint for the OP's directed identity service
(<Type>http://specs.openid.net/auth/2.0/identifier_select</Type>).

The OP then returns the user's selected identifier (either public or private
-- user's choice).

=Drummond

> -----Original Message-----
> From: Dick Hardt [mailto:dick at sxip.com]
> Sent: Thursday, January 24, 2008 1:33 PM
> To: Peter Williams
> Cc: Drummond Reed; OpenID List
> Subject: Re: [OpenID] Laws of id, openid with ssl
>
>
> On 24-Jan-08, at 4:15 PM, Peter Williams wrote:
> >
> > Now, when we say that OpenId2 supports directed identity (complying
> > with Law 4), is the above flow pattern what we mean?
>
> That is not what I mean when we say directed identity.
>
> 1) The user provides their OP identifier to the RP.
>
> 2) The RP does discovery to find the OP's entry point and redirects
> the user's browser with the OpenID request.
>
> 3) The OP processes the request and asks the user which identifier
> the user wants to present to the RP. This answer may be cached so the
> user does not need to provide this answer each time. If the user
> indicates they want to use a directed identity, the OP generates a
> new, random OpenID for the user if the user has not been to the RP
> before, otherwise the OP will likely use the directed OpenID used by
> the user at this site in the past.
>
> 4) The OP signs the response including the directed identifier and
> sends it to the RP.
>
> 5) The RP does discovery on the identifier and confirms that the OP
> is authoritative for the identifier.
>
> Note that the OP will likely not provide the same identifier to other
> RPs, thus making it a directed identity per how Liberty and
> InfoCards refer to the term. :-)
>
> This is what Sxipper does when you choose to provide a private
> identifier to an OpenID site.
>
> -- Dick
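The OP-side derivation (step 3) and the RP-side confirmation (step 5) of Dick's flow, as an added example in Python that is not part of this thread or of any OpenID implementation; the OP key, the `op.example` / `rp-*.example` URLs and the in-memory discovery table are constructed stand-ins for real secret storage and XRDS discovery.

```python
import hmac
import hashlib

# Constructed OP secret and endpoint; a real OP keeps the key in a secret store.
OP_PAIRWISE_KEY = b"constructed-op-secret-not-for-real-use"
OP_ENDPOINT = "https://op.example/server"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
SIGNON = "http://specs.openid.net/auth/2.0/signon"

# Constructed stand-in for XRDS discovery: identifier -> (service type, OP endpoint).
# The bare OP identifier advertises identifier_select, as Drummond describes.
DISCOVERY = {"https://op.example/": (IDENTIFIER_SELECT, OP_ENDPOINT)}


def directed_identifier(user_handle: str, realm: str) -> str:
    """OP side, step 3: derive the identifier handed to this RP.

    Keying an HMAC on (user, realm) gives the same value each time the
    user returns to that realm, and an unrelated one for every other
    realm, so RPs cannot correlate the user between themselves.
    """
    msg = f"{user_handle}\x00{realm}".encode()
    tag = hmac.new(OP_PAIRWISE_KEY, msg, hashlib.sha256).hexdigest()[:32]
    claimed_id = f"https://op.example/id/{tag}"
    # The OP must make the new identifier discoverable, or step 5 fails.
    DISCOVERY[claimed_id] = (SIGNON, OP_ENDPOINT)
    return claimed_id


def rp_accepts(claimed_id: str, endpoint_used: str) -> bool:
    """RP side, step 5: discovery on the asserted identifier must name the
    endpoint the RP actually sent the request to; without this check an OP
    could assert an identifier that belongs to a different OP."""
    service = DISCOVERY.get(claimed_id)
    if service is None:
        return False  # identifier does not resolve at all
    service_type, endpoint = service
    return service_type == SIGNON and endpoint == endpoint_used


if __name__ == "__main__":
    cid = directed_identifier("alice", "https://rp-a.example/")
    print(cid, rp_accepts(cid, OP_ENDPOINT))
```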