[OpenID] OpenID 2.1 clarification on use of LocalID
John Bradley
john.bradley at wingaa.com
Sat Apr 11 06:00:31 UTC 2009
inline
On 10-Apr-09, at 10:33 PM, Peter Williams wrote:
>
> Not sure I agree that
>
>> Delegation via XRDS is equally broken.
We are referring to the fact that a user needs to know the details of
the OPs configuration to delegate to the OP with ether XRDS or HTML
delegation as it stands now.
One of the things that would improve delegation is only needing to
specify the ID you are delegating to. This leads to an extra
discovery step so the OP can discover the relevant information about
the OP. The OP endpoint and information about extensions the OP
supports.
The claimed ID would remain that of the first identifier (vanity ID)
not that of the OP.
That as Allan points out allows a OP to add a new extension or change
an endpoint without having to notify all the people delegating to it
to update there XRDS.
If you don't think that is reasonable I would like to understand why.
>>
>
> [Peter Williams] I have not decide what to do with openid. Given
> what's happening, I'm more prone to site on the fence - though
> support of the efforts at redesign, from analyzing the core
> principles that matter, those that must be discarded, and those than
> must be added.
>
> Openid 1.0 was an evangelical sham. The 26,000 adopting sites were
> unverifiable. It did ignite a movement (which is quite a remarkable
> feat).
>
> Openid 2.0 obviously never happened, outside the lab. It did
> facilitate consensus, however (which is also quite a remarkable feat).
>
> Openid 2.1 is likely to impose op-centric federation models, based
> on hub/spoke management controls systems. Though I support OAUTH
> cooperating with openid (because it adds a delegation model,
> targeting web services rather than web browsing), I can also see the
> downside: OAUTH brings with it more policy control than UCI as a
> necessary function of the notion of delegation, and that's a shame.
> Perhaps the UCI-aficionados who started openid will force some
> hybrid..that preserves and guarantees user independence, autonomy,
> portability, etc. from providers.
>
> But,
OpenID 2.1 is not done yet or even started so I don't know if we can
reach any conclusion on the direction it will take.
Personally I am working on a way to allow individuals to be there own
OP or rather assert a openID without any OP.
The trick is it has to be simple enough for a lawyer to use.
Yes there is a browser plugin but no redirect or OP.
PS I don't like delegation because 99% of the people don't use SSL on
there vanity IDs and they are just too easily compromised via DNS.
John Bradley
More information about the general
mailing list