[OpenID] OpenID 2.1 clarification on use of LocalID

Santosh Rajan santrajan at gmail.com
Sat Apr 11 06:18:47 UTC 2009


Maybe we just need one extra step in OpenID spec, where a user can specify
his "preferred OP" at a centralized location when he comes into any RP the
first time?

John Bradley-7 wrote:
> 
> inline
> 
> On 10-Apr-09, at 10:33 PM, Peter Williams wrote:
> 
>>
>> Not sure I agree that
>>
>>> Delegation via XRDS is equally broken.
> 
> We are referring to the fact that a user needs to know the details of  
> the OP's configuration to delegate to the OP with either XRDS or HTML  
> delegation as it stands now.
> 
> One of the things that would improve delegation is only needing to  
> specify the ID you are delegating to.  This leads to an extra  
> discovery step so the OP can discover the relevant information about  
> the OP.   The OP endpoint and information about extensions the OP  
> supports.
> 
> The claimed ID would remain that of the first identifier (vanity ID)  
> not that of the OP.
> 
> That, as Allan points out, allows an OP to add a new extension or change  
> an endpoint without having to notify all the people delegating to it  
> to update their XRDS.
> 
> If you don't think that is reasonable I would like to understand why.
> 
>>>
>>
>> [Peter Williams] I have not decided what to do with openid. Given  
>> what's happening, I'm more prone to sit on the fence - though  
>> support of the efforts at redesign, from analyzing the core  
>> principles that matter, those that must be discarded, and those that  
>> must be added.
>>
>> Openid 1.0 was an evangelical sham. The 26,000 adopting sites were  
>> unverifiable. It did ignite a movement (which is quite a remarkable  
>> feat).
>>
>> Openid 2.0 obviously never happened, outside the lab. It did  
>> facilitate consensus, however (which is also quite a remarkable feat).
>>
>> Openid 2.1 is likely to impose op-centric federation models, based  
>> on hub/spoke management controls systems. Though I support OAUTH  
>> cooperating with openid (because it adds a delegation model,  
>> targeting web services rather than web browsing), I can also see the  
>> downside: OAUTH brings with it more policy control than UCI as a  
>> necessary function of the notion of delegation, and that's a shame.  
>> Perhaps the UCI-aficionados who started openid will force some  
>> hybrid..that preserves and guarantees user independence, autonomy,  
>> portability, etc. from providers.
>>
>> But,
> 
> OpenID 2.1 is not done yet or even started so I don't know if we can  
> reach any conclusion on the direction it will take.
> 
> Personally I am working on a way to allow individuals to be their own  
> OP or rather assert an openID without any OP.
> The trick is it has to be simple enough for a lawyer to use.
> 
> Yes there is a browser plugin but no redirect or OP.
> 
> PS I don't like delegation because 99% of the people don't use SSL on  
> their vanity IDs and they are just too easily compromised via DNS.
> 
> John Bradley

-- 
View this message in context: http://www.nabble.com/OpenID-2.1-clarification-on-use-of-LocalID-tp22977099p22998370.html
Sent from the OpenID - General mailing list archive at Nabble.com.
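
An added example, not part of the thread and not code from any participant: a small audit of a vanity-ID page for the two points raised in the quoted reply, namely that HTML delegation hard-codes the OP's details in the user's page and that a vanity ID served without SSL can be redirected via DNS. The `openid2.provider` and `openid2.local_id` rel values are those of OpenID 2.0 HTML-based discovery; the function names, the `example.org` hosts and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# <link rel> values defined by OpenID 2.0 HTML-based discovery.
RELS = {"openid2.provider": "op_endpoint", "openid2.local_id": "local_id"}

class DelegationLinks(HTMLParser):
    """Collect the OpenID 2.0 delegation <link> elements from a page."""
    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        for rel in (attr.get("rel") or "").lower().split():
            if rel in RELS and attr.get("href"):
                self.found.setdefault(RELS[rel], attr["href"])

def audit_delegation(claimed_id, html):
    """Return (delegation links, findings) for one vanity identifier page."""
    parser = DelegationLinks()
    parser.feed(html)
    links, findings = parser.found, []
    if urlparse(claimed_id).scheme != "https":
        findings.append("claimed identifier fetched without TLS: a forged DNS "
                        "answer can substitute the delegation links")
    endpoint = links.get("op_endpoint")
    if endpoint is None:
        findings.append("no openid2.provider link: page does not delegate")
    elif urlparse(endpoint).scheme != "https":
        findings.append("OP endpoint is not an https URL")
    return links, findings

# Constructed sample: a vanity page that hard-codes its OP's details.
SAMPLE = """<html><head>
<link rel="openid2.provider" href="https://op.example.org/endpoint">
<link rel="openid2.local_id" href="https://op.example.org/user/alice">
</head><body>Alice's home page</body></html>"""

if __name__ == "__main__":
    for url in ("http://alice.example.org/", "https://alice.example.org/"):
        links, findings = audit_delegation(url, SAMPLE)
        print(url, links, findings or "ok")
```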