Making identities persistent?

Hallam-Baker, Phillip pbaker at verisign.com
Wed Nov 1 14:38:17 UTC 2006


Bad statement of the principle. Centralized direction is inevitable if there are to be unique, mnemonic identifiers.
 
The questions are whether the centralized control is accountable, whether the system has checks and balances, and what confidence users can place in the registry continuing to be supported after the startup money has run out.

________________________________

	From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Drummond Reed
	Sent: Tuesday, October 31, 2006 10:31 PM
	To: 'George Fletcher'; 'Stefan Görling'
	Cc: specs at openid.net
	Subject: RE: Making identities persistent?
	
	

	Good answer, George. The question applies mainly to delegated identifiers (e.g., email addresses delegated under a specific DNS domain like user at aol.com, third-or-lower level domain names like user.aol.com, or community i-names such as @aol*user), since they are by definition assigned within the context of (and thus under the ultimate control of) a specific identifier community (such as aol.com). 

	 

	For identifiers registered directly with a global registry (e.g., joesmith.com in DNS or =joe.smith in XRI), the identifiers themselves are portable across registrars and the registrant has direct control of the identifier and what it resolves to (e.g., the XRDS document). This portability is established by ICANN for DNS registries and XDI.org for XRI global registries.

	 

	So the section of the spec you cite should probably be clarified with regard to these points, i.e., something like: 

	 

	"OpenID is decentralized. No central authority must approve or register Relying Parties or OpenID Providers. An End User can freely choose which OpenID Provider to use. OpenID design also enables an End User to continue to use an OpenID Identifier if they switch OpenID Providers. Note that the portability and persistence of an OpenID identifier itself (URL or XRI) is a capability of the identifier and the registry authority and is out of scope for OpenID. End Users who wish to maintain persistent control of an OpenID Identifier SHOULD select an identifier and registry authority that offers these capabilities."

	 

	Thoughts?

	 

	=Drummond 

	
________________________________


	From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of George Fletcher
	Sent: Tuesday, October 31, 2006 7:36 AM
	To: Stefan Görling
	Cc: specs at openid.net
	Subject: Re: Making identities persistent?

	 

	This is a good use case and I think important for both users and IdPs (now OPs [OpenID Provider] per the latest "editor's conference") to consider.
	
	I see a number of options...
	
	1. There has been some discussion regarding a "change identifier" extension that would allow you to change your identifier at the relying party.  This would solve the use case and is necessary regardless of the other options.
	
	2. The OP (in this case AOL.com) could continue to provide an "identifier management" page that would allow the user to specify the OP of choice.  This requires the OP to continue to serve the XRDS doc or at least the indirection to a XRDS doc with the new OP.  This is not that much extra overhead for the OP, but it will likely be a business decision as to whether to support such a feature.
	
	3. The user gets to choose their OP so they can ensure that they don't get "locked in".  This is the ideal behind user-centric.  However, in practice, it will take good education and time for users to understand the ramifications of their decisions.
	
	Thanks,
	George
	
	Stefan Görling wrote: 

	Hi everybody,
	 
	I'm trying to get a grip around your great work and have one issue that 
	I'm not quite clear on, relevant to the discussion of using 
	user at example.com-style identifiers, but also in a more general context. 
	Please let me know if I've simply misunderstood my own question.
	 
	http://openid.net/specs/openid-authentication-2_0-09.html#anchor48 says:
	"OpenID is decentralized. No central authority must approve or register 
	Relying Parties or Identity Providers. An End User can freely choose 
	which Identity Provider to use. They can preserve their Identifier if 
	they switch Identity Providers."
	 
	Let us consider the case that I'm an AOL.com customer, and they act as 
	an IdP providing me with an identifier. I use this identifier for 3 
	years for identity management on most of the services I use, due to the 
	huge success of the standard... However, I'm starting to get fed up with 
	AOL and terminate my agreement with them. Is there any procedure for me 
	to switch to another IdP? How is this done?
	 
	Best Regards,
	 
	Stefan Görling
	 
	 
	 
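The mechanism behind George's option 2 and Drummond's point about what the identifier "resolves to" is the XRDS document served at the claimed identifier: switching OPs means republishing that document, and the RP must re-check every assertion against it. The following is an added example, not code from the thread or from any OpenID project; the XRDS layout and the parameter names follow OpenID 2.0, while the identifier, OP endpoints and documents are constructed.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"

def xrds_for(op_endpoint: str, local_id: str) -> str:
    """Constructed sample XRDS served at the user's claimed identifier URL.
    Switching OPs means republishing this document with the new values."""
    return f"""<?xml version="1.0"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="{XRD_NS}">
  <XRD>
    <Service priority="0">
      <Type>{OPENID2_SIGNON}</Type>
      <URI>{op_endpoint}</URI>
      <LocalID>{local_id}</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>"""

def discover(xrds_text: str):
    """Yadis-style discovery: return (op_endpoint, local_id) from the first
    service element advertising the OpenID 2.0 signon type."""
    root = ET.fromstring(xrds_text)
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type")}
        if OPENID2_SIGNON not in types:
            continue
        uri = svc.find(f"{{{XRD_NS}}}URI").text.strip()
        local = svc.find(f"{{{XRD_NS}}}LocalID")
        return uri, (local.text.strip() if local is not None else None)
    raise ValueError("no OpenID 2.0 signon service in XRDS")

def assertion_matches_discovery(assertion: dict, claimed_id: str,
                                xrds_text: str) -> bool:
    """RP-side check OpenID 2.0 requires ("Verifying Discovered Information"):
    the positive assertion's claimed_id, op_endpoint and OP-local identity
    must equal what discovery on the claimed identifier produced, so that
    only the OP currently delegated to by the identifier can assert it."""
    op_endpoint, local_id = discover(xrds_text)
    return (assertion.get("openid.claimed_id") == claimed_id
            and assertion.get("openid.op_endpoint") == op_endpoint
            and assertion.get("openid.identity") == (local_id or claimed_id))

if __name__ == "__main__":
    claimed = "http://joe.example.com/"  # constructed claimed identifier
    doc = xrds_for("https://new-op.example.org/endpoint",
                   "https://new-op.example.org/users/joe")
    print(claimed, "->", discover(doc))
```

The claimed identifier stays constant across the switch; what changes is the document behind it, which is why control of that URL (and its registry) is what actually makes the identifier persistent.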
