Making identities persistent?

John Kemp frumioj at mac.com
Wed Nov 1 16:33:05 UTC 2006 

Hello,

I think you need the ability for a user to change his identifier at the
RP (as George notes below) and also at the IdP. In addition, it should
be possible for the IdP to providing OpenID "forwarding" if the user
leaves for another IdP (perhaps the user will even pay for a forwarding
service?)

We're not talking about persistence as such (a particular users OpenID
can surely change over time?), but more the ability for the user to
update her OpenID when she switches from one IdP to another. At the IdP,
this would I guess be kind of like leaving a forwarding address, as the
user is "leaving" one IdP and moving to another. At the RP, the user is
telling the RP that he is using a new IdP.

So, I think George's (1) is a necessity, and agree that (2) is a
business decision, but certainly offers the ability for an IdP to be
"community-friendly" if it so wishes, and may even be a good business
decision.

Isn't this all about the likely /lack/ of persistence in a particular
OpenID though?

Regards,

- John

Hallam-Baker, Phillip wrote:
> If we want identities to be persistent then we are going to need to
> introduce a layer of indirection.
> 
> This normally gets me worried about patents and such. Fortunately
> Multics did this, so did UNIX and VMS. Plenty of prior art.
> 
> If we are serious about decentralization then map the user identifier
> onto a randomly assigned machine readable GUID.
> 
>> -----Original Message----- From: specs-bounces at openid.net 
>> [mailto:specs-bounces at openid.net] On Behalf Of Stefan Görling Sent:
>> Wednesday, November 01, 2006 10:52 AM To: Shutra Zhou Cc:
>> specs at openid.net Subject: Re: Making identities persistent?
>> 
>> 
>> The reasons for raising this question was partly that I've been
>> doing some research on how people use e-mail addresses and sad to
>> say, you can not expect the user to make wise choices. And even so,
>> companies go broke even the best ones. Services comes and
>> disappear. In my research over half of the population use
>> non-portable e-mail addresses tied to an employer, university, etc.
>> and is likely to only live a few years.
>> 
>> E-mail is not a stable address/identity identifier. We must not
>> rely on it as such.
>> 
>> If we want an identity to be persistent, it must contain a 
>> migration feature, so that I can move all their trust relations
>> from one place to another. This of course creates a number of other
>> issues such as security and complexibility, but it is my sincere
>> belief that the issue should be addressed by the system and not
>> only delegated to be dependent on wise user decisions.
>> 
>> Therefore, my +1 is on (1) below. I will try to read back on what
>> has been said in the past on a 'change identifier' extension and
>> see if there is anything I can do to help.
>> 
>> /Stefan
>> 
>>> Yes, this is important thing I thought. We should privide a
>> spec for
>>> the consumer to change their end user's OpenID URL,
>> optionally the end
>>> user can use multiple OpenIDs in this consuemr. And this
>> case can be
>>> expended as this, the IdP(OpenID Server) is closed down.
>>> 
>>> 2006/10/31, George Fletcher <gffletch at aol.com
>> <mailto:gffletch at aol.com>>:
>>> This is a good use case and I think important for both users and 
>>> IdPs (now OPs [OpenID Provider] per the latest "editor's 
>>> conference") to consider.
>>> 
>>> I see a number of options...
>>> 
>>> 1. There has been some discussion regarding a "change
>> identifier"
>>> extension that would allow you to change your identifier at the 
>>> relying party.  This would solve the use case and is necessary 
>>> regardless of the other options.
>>> 
>>> 2. The OP (in this case AOL.com) could continue to provide an 
>>> "identifier management" page that would allow the user
>> to specify
>>> the OP of choice.  This requires the OP to continue to serve the 
>>> XRDS doc or at least the indirection to a XRDS doc with the new 
>>> OP.  This is not that much extra overhead for the OP,
>> but it will
>>> likely be a business decision as to whether to support
>> such a feature.
>>> 3. The user gets to choose their OP so they can ensure that they 
>>> don't get "locked in".  This is the ideal behind user-centric. 
>>> However, in practice, it will take good education and time for 
>>> users to understand the ramifications of their decisions.
>>> 
>>> Thanks, George
>>> 
>>> Stefan Görling wrote:
>>> 
>>>> Hi everybody,
>>>> 
>>>> I'm trying to get a grip around your great work and have one
>>>> issue that I'm not quite clear on, relevant to the discussion
>>>> of using
>>>> 
>>>> user at example.com-style <mailto:user at example.com-style>
>> identifiers, but also in a more general context.
>>>> Please let me know if I've simply missunderstood my own
>>>> question.
>>>> 
>>>> 
>>>> http://openid.net/specs/openid-authentication-2_0-09.html#an
> chor48 says:
>>>> "OpenID is decentralized. No central authority must approve or
>>>>  register Relying Parties or Identity Providers. An End User
>> can freely
>>>> choose
>>>> 
>>>> which Identity Provider to use. They can preserve their
>> Identifier if
>>>> they switch Identity Providers."
>>>> 
>>>> Let us consider the case that I'm an AOL.com customer, and
>> they act as
>>>> an IdP providing we with an identifier. I use this identifier
>>>> for 3
>>>> 
>>>> years for identity management on most of the services I use,
>>>> due to the huge success of the standard... However, I'm
>>>> starting
>> to get fed
>>>> up with AOL and terminates my agreement with them. Is there any
>>>>  procedure for me
>>>> 
>>>> to switch to another IdP? How is this done?
>>>> 
>>>> Best Regards,
>>>> 
>>>> Stefan Görling
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________ specs mailing
>>>> list
>>>> 
>>>> specs at openid.net <mailto:specs at openid.net> 
>>>> http://openid.net/mailman/listinfo/specs
>>>> 
>>>> 
>>>> 
>>> _______________________________________________ specs mailing
>>> list specs at openid.net <mailto:specs at openid.net> 
>>> http://openid.net/mailman/listinfo/specs
>>> 
>>> 
>>> 
>> _______________________________________________ specs mailing list 
>> specs at openid.net http://openid.net/mailman/listinfo/specs
>> 
> _______________________________________________ specs mailing list 
> specs at openid.net http://openid.net/mailman/listinfo/specs

More information about the specs mailing list