[OpenID] OpenID 2.1 clarification on use of LocalID

John Bradley john.bradley at wingaa.com
Sat Apr 11 06:00:31 UTC 2009


On 10-Apr-09, at 10:33 PM, Peter Williams wrote:

> Not sure I agree that
>> Delegation via XRDS is equally broken.

We are referring to the fact that a user needs to know the details of  
the OP's configuration to delegate to the OP with either XRDS or HTML  
delegation as it stands now.

One of the things that would improve delegation is only needing to  
specify the ID you are delegating to.  This leads to an extra  
discovery step so the OP can discover the relevant information about  
the OP.   The OP endpoint and information about extensions the OP  

The claimed ID would remain that of the first identifier (vanity ID)  
not that of the OP.

That, as Allan points out, allows an OP to add a new extension or change  
an endpoint without having to notify all the people delegating to it  
to update their XRDS.

If you don't think that is reasonable I would like to understand why.

> [Peter Williams] I have not decided what to do with openid. Given  
> what's happening, I'm more prone to sit on the fence - though  
> supportive of the efforts at redesign, from analyzing the core  
> principles that matter, those that must be discarded, and those that  
> must be added.
> Openid 1.0 was an evangelical sham. The 26,000 adopting sites were  
> unverifiable. It did ignite a movement (which is quite a remarkable  
> feat).
> Openid 2.0 obviously never happened, outside the lab. It did  
> facilitate consensus, however (which is also quite a remarkable feat).
> Openid 2.1 is likely to impose op-centric federation models, based  
> on hub/spoke management controls systems. Though I support OAUTH  
> cooperating with openid (because it adds a delegation model,  
> targeting web services rather than web browsing), I can also see the  
> downside: OAUTH brings with it more policy control than UCI as a  
> necessary function of the notion of delegation, and that's a shame.  
> Perhaps the UCI-aficionados who started openid will force some  
> hybrid... that preserves and guarantees user independence, autonomy,  
> portability, etc. from providers.
> But,

OpenID 2.1 is not done yet or even started so I don't know if we can  
reach any conclusion on the direction it will take.

Personally I am working on a way to allow individuals to be their own  
OP, or rather assert an OpenID without any OP.
The trick is it has to be simple enough for a lawyer to use.

Yes there is a browser plugin but no redirect or OP.

PS I don't like delegation because 99% of the people don't use SSL on  
their vanity IDs and they are just too easily compromised via DNS.

John Bradley
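The two-step delegation John sketches above, modelled as an added example (not code from this thread or from any OpenID library). It assumes the vanity XRDS carries only a LocalID naming the OP identifier, that the OP identifier's own XRDS publishes a `server` service with its endpoint and extension Types, and it uses constructed sample documents on example.test hosts; the warning on a non-https vanity ID reflects the PS about DNS exposure.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = "xri://$xrd*($v*2.0)"
SIGNON = "http://specs.openid.net/auth/2.0/signon"
SERVER = "http://specs.openid.net/auth/2.0/server"

# Constructed sample XRDS documents; the example.test hosts are not real.
VANITY_XRDS = """<?xml version="1.0"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD><Service>
  <Type>http://specs.openid.net/auth/2.0/signon</Type>
  <LocalID>https://op.example.test/id/alice</LocalID>
</Service></XRD></xrds:XRDS>"""

OP_XRDS = """<?xml version="1.0"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD><Service>
  <Type>http://specs.openid.net/auth/2.0/server</Type>
  <Type>http://openid.net/srv/ax/1.0</Type>
  <URI>https://op.example.test/auth</URI>
</Service></XRD></xrds:XRDS>"""

# Stand-in for fetching each identifier's XRDS over HTTP (assumed, offline).
XRDS_BY_URL = {"http://alice.example.test/": VANITY_XRDS,
               "https://op.example.test/id/alice": OP_XRDS}

def services(xrds_text):
    """Yield each <Service> as a dict of its Type list, URI and LocalID."""
    for svc in ET.fromstring(xrds_text).iter(f"{{{NS}}}Service"):
        kids = [(c.tag.rsplit("}", 1)[-1], (c.text or "").strip()) for c in svc]
        yield {"types": [v for k, v in kids if k == "Type"],
               "uri": next((v for k, v in kids if k == "URI"), None),
               "local_id": next((v for k, v in kids if k == "LocalID"), None)}

def discover(vanity_id):
    """Step 1: the vanity XRDS names only the OP identifier.
    Step 2: the OP's own XRDS supplies the endpoint and extension Types.
    The claimed ID stays the vanity ID throughout."""
    first = next(s for s in services(XRDS_BY_URL[vanity_id]) if SIGNON in s["types"])
    op_id = first["local_id"]
    if op_id is None:
        raise ValueError("vanity XRDS names no OP identifier to delegate to")
    server = next(s for s in services(XRDS_BY_URL[op_id]) if SERVER in s["types"])
    warnings = []
    if urlsplit(vanity_id).scheme != "https":
        warnings.append("vanity ID not served over TLS: result rests on DNS/plain HTTP")
    return {"claimed_id": vanity_id, "op_local_id": op_id,
            "op_endpoint": server["uri"],
            "extensions": [t for t in server["types"] if t != SERVER],
            "warnings": warnings}
```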
