[OpenID] Laws of id, openid with ssl

George Fletcher gffletch at aol.com
Fri Jan 25 16:37:02 UTC 2008


Hmm... I agree that the OpenID is "not intended to be public" but the 
fact of the matter is that the RP has to resolve the "directed identity" 
OpenID to verify that the OP is authoritative for that OpenID. In that 
sense (unless all this is behind some firewall) the OpenID is "public".

Initially I was thinking that the "pseudonymous" term from SAML would be 
applicable but maybe Martin's "obfuscated" term is more applicable? (I 
think I could go with either). 

However, should "directed identity" OpenIDs NOT be "browser" resolvable? 
Any best practices on what the OP should do in this case? Is there data 
exposure if the OP says that it's not authoritative for 
https://op.example.com/abcde but is authoritative for 
https:/op.example.com/bcdef?

Given that hopefully all this traffic is over SSL, the ability to find 
these identifiers and correlate them to some public usage should be 
difficult.

Thanks,
George

Drummond Reed wrote:
>> -----Original Message-----
>> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
>> Behalf Of Martin Atkins
>> Sent: Thursday, January 24, 2008 4:27 PM
>> Cc: 'OpenID List'
>> Subject: Re: [OpenID] Laws of id, openid with ssl
>>
>> Drummond Reed wrote:
>>     
>>> Peter, just to reinforce Dick's first step below -- in directed
>>>       
>> identity,
>>     
>>> the user does not give their own public identifier to the RP, only the
>>> identifier of their OP. That way the RP knows how to discover the OP's
>>>       
>> XRDS
>>     
>>> and connect to the service endpoint for the OP's directed identity
>>>       
>> service
>>     
>>> (<Type>http://specs.openid.net/auth/2.0/identifier_select</Type>).
>>>
>>> The OP then returns the user's selected identifier (either public or
>>>       
>> private
>>     
>>> -- user's choice).
>>>
>>>       
>> I think calling it a "private" identifier is a bit misleading. All
>> OpenID identifiers are public.
>>
>> Perhaps a terms to use would be "obfuscated", "single-use" or "throwaway".
>>     
>
> Disagree. A pairwise-unique identifier generated by an OP is not intended to
> be public. If it was shared publicly, i.e., could be associated with the
> public identifier of the user, it would lose its capability to privately
> identify the user's relationship with the RP.
>
> An OP-generated pairwise-unique identifier is the OpenID equivalent of the
> PPID ("Private Personal Identifier") in Cardspace.
>
> =Drummond 
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>   




More information about the general mailing list