Identifier portability: the fundamental issue
Chris Drake
christopher at pobox.com
Sat Oct 14 04:18:31 UTC 2006
Hi Drummond,
DR> CASE 1: the protocol supports only IdP-specific identifiers and no portable
DR> identifiers.
DR> RESULT: IdPs can achieve identifier lockin. Not acceptable. End of Case 1.
Please explain? If I've got an OpenID URL (eg: my vanity domain), I
can "transfer" this via DNS (or just update my OpenID <LINK>). If
I've got an i-name, I can transfer this too. Where's the "lock in" ?
I do not believe the RP needs to know the IdP-specific identifier ever
(worse: I think it should never be allowed to know it, or even be
allowed to see it!). Yes - we need 2 identifiers - but from the point
of view of the specs - the OpenID protocol really only needs to deal
with one.
There seem to be a lot of people on this list who want to hate and
loathe the IdP, and grant all power to the RP. I do not understand
this reasoning: our users will select the IdP they trust and like,
then they will be using a multitude of possibly hostile RPs
thereafter: the reverse is simply not true.
Can we not adopt my earlier suggestion: just ensure OpenID can permit
IdP-initiated logins. This permits every scenario of portability (and
privacy) that everyone wants, without us having to continue to debate
it ?
This really *is* only an hour or two's worth of code: after which,
market forces can decide which bells and whistles relating to
portability and privacy the IdPs choose to implement - from the OpenID
point of view, it's all "just going to work".
Kind Regards,
Chris Drake,
=1id.com
Saturday, October 14, 2006, 5:59:23 AM, you wrote:
DR> CASE 2: the protocol supports only portable identifiers and no IdP-specific
DR> identifiers.
DR> RESULT: IdP is forced to know and store all portable identifiers for a user,
DR> including identifiers for which the IdP is not authoritative, and users
DR> would be forced to register all their portable identifiers with their IdP,
DR> and to update these registrations every time the user adds or deletes a
DR> portable identifier. Highly undesirable if not impossible.
DR> *********
DR> Please post if you do not agree with this postulate.
DR> =Drummond
DR> _______________________________________________
DR> specs mailing list
DR> specs at openid.net
DR> http://openid.net/mailman/listinfo/specs
More information about the specs
mailing list