[PROPOSAL] Separate Public Identifier from IdP Identifier
Dick Hardt
dick at sxip.com
Fri Oct 6 02:07:10 UTC 2006
I like making all identifiers work the same way. The wording around
directed identity is somewhat confusing. Would be clearer if there
was a complete description of what happened, i.e. complete the
transaction. In Directed Identity, the RP needs to do discovery on
the identifier provided to make sure the IdP is authoritative for it.
I think "Token" is not a good name, so many other meanings. Perhaps
"handle"?
-- Dick
On 4-Oct-06, at 11:34 AM, Martin Atkins wrote:
>
> Currently the conceptual model is that each user has a "public" (that
> is, presented to RPs) identifier, but can optionally create additional
> identifiers which "delegate" to the real identifier. The delegate
> functionality has several purposes, including:
> * "Vanity" identifiers on personal domains while letting someone else
>   do the hard work in running the IdP.
> * Ability to switch IdPs without losing identity
>
> However, experience has shown that the above model is often difficult to
> grasp for those new to OpenID. This proposal is really just a set of
> terminology changes and an alternative conceptual model that aim to make
> the delegate functionality easier to understand. It does not change the
> mechanism of delegation at all, though it does change the discovery
> protocol.
>
> I've placed the full proposal on the OpenID wiki:
> <http://www.lifewiki.net/openid/SeparateIdentifierFromIdPToken>
>
>
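
The check mentioned in the reply above (the RP doing discovery on the returned identifier to confirm the IdP is authoritative for it), as an added example that is not part of the original thread or of any OpenID implementation. It assumes OpenID 1.1-style HTML discovery via `openid.server` and `openid.delegate` link tags, which the proposal under discussion would change; the hostnames and sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkRels(HTMLParser):
    """Collects <link rel=... href=...> values from an identifier's page."""

    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") and a.get("href"):
            for rel in a["rel"].lower().split():
                self.rels.setdefault(rel, a["href"])  # first declaration wins


def discover(html):
    """Return (idp_endpoint, delegate) declared by the identifier's page."""
    parser = _LinkRels()
    parser.feed(html)
    return parser.rels.get("openid.server"), parser.rels.get("openid.delegate")


def _norm(url):
    """Compare URLs on scheme, host, path and query; scheme/host ignore case."""
    u = urlsplit(url)
    return (u.scheme.lower(), u.netloc.lower(), u.path or "/", u.query)


def idp_is_authoritative(identifier_html, asserting_idp):
    """True only if discovery on the identifier names the asserting IdP."""
    endpoint, _delegate = discover(identifier_html)
    return endpoint is not None and _norm(endpoint) == _norm(asserting_idp)


# Constructed sample: the page an RP would fetch at the identifier that the
# IdP returned in a directed-identity response.
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="https://idp.example/server">
<link rel="openid.delegate" href="https://idp.example/users/alice">
</head><body>Alice</body></html>"""

if __name__ == "__main__":
    print(idp_is_authoritative(SAMPLE_PAGE, "https://idp.example/server"))
    print(idp_is_authoritative(SAMPLE_PAGE, "https://other-idp.example/server"))
```

An RP that skips this step would accept an assertion for any identifier from any IdP it happened to talk to.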