Yet Another Delegation Thread

Dick Hardt dick at sxip.com
Wed Oct 25 16:22:40 UTC 2006


On 25-Oct-06, at 8:57 AM, Drummond Reed wrote:

> Sure, Dick, here's the list of reasons that Josh and David and I discussed
> for allowing the RP to do the mapping between a Claimed Identifier and
> IdP-Specific Identifier:
>
> 1) The first is the reason Brad designed this mechanism in the first place
> -- it allows the user to control the binding of their Claimed Identifier
> (the portable identifier the user controls) to an IdP-Specific Identifier
> (which the IdP controls). This means the user doesn't have to register their
> Claimed Identifier with the IdP (which may not even be possible -- for
> example, LiveJournal may only recognize you by your LiveJournal login name,
> but you can still use them as your IdP by pointing your vanity domain name
> at your LiveJournal blog page). This also prevents IdP "lock-in" on a
> Claimed Identifier.

This is done with the current method, correct? In this case, you only
send the IdP-specific identifier.

>
> 2) Since the RP has to do discovery on the Claimed Identifier anyway, if it
> discovers a mapping between the Claimed Identifier and an IdP-Specific
> Identifier, the RP can send the IdP-Specific Identifier to the IdP and save
> the IdP from having to repeat discovery.

Unfortunately that disco information could be modified en route, so
the IdP can't trust it.

>
> 3) Allowing the user to control Claimed Identifier-to-IdP-Specific-Identifier
> mapping gives the user the ability to establish any number of OpenID
> "synonyms" that do not require any involvement on the part of the IdP. In
> many ways this is the user-facing complement of the directed identity value
> proposition: in directed identity, the user can have the IdP create any
> number of pseudonyms for different RPs. But the user is dependent on the IdP
> for this functionality. With Claimed Identifier-to-IdP-Specific-Identifier
> mapping, the user controls which Claimed Identifier maps to which
> IdP-Specific-Identifier, and is NOT dependent on the IdP for this mapping
> (which means it is entirely portable).

I read this a couple of times and don't understand what is different
between it and (1) above ...

>
> Hope this helps,

It does, but also confirms my thinking that one identifier works fine.

-- Dick
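As an added illustration of the point about the IdP not trusting an RP-supplied mapping (example code written for this archive page, not from the OpenID spec or from any of the posters): the IdP repeats HTML-based discovery on the Claimed Identifier itself and accepts the IdP-Specific Identifier only when its own result agrees. The vanity-domain page, the URLs and the injected offline fetcher are constructed for the example.

```python
from html.parser import HTMLParser

# Constructed sample: a vanity-domain Claimed Identifier whose page delegates
# to an IdP-Specific Identifier hosted at the IdP (LiveJournal-style setup).
PAGES = {
    "http://alice.example/": (
        '<html><head>'
        '<link rel="openid.server" href="http://idp.example/server">'
        '<link rel="openid.delegate" href="http://alice.idp.example/">'
        '</head><body>blog</body></html>'
    ),
}


class _LinkCollector(HTMLParser):
    """Collect <link rel=... href=...> pairs; the first link per rel wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():
                self.links.setdefault(r.lower(), href)


def discover(claimed_id, fetch=PAGES.get):
    """Return (server_url, idp_specific_id) from the Claimed Identifier's page.

    fetch() is an injected fetcher so the example runs offline.  A page with
    no openid.delegate link means the Claimed Identifier is itself the
    IdP-Specific Identifier; a page with no openid.server link yields None.
    """
    html = fetch(claimed_id)
    if html is None:
        return None
    p = _LinkCollector()
    p.feed(html)
    server = p.links.get("openid.server")
    if not server:
        return None
    return server, p.links.get("openid.delegate", claimed_id)


def idp_accepts_mapping(claimed_id, rp_supplied_id, fetch=PAGES.get):
    """IdP-side check: redo discovery instead of trusting the RP's mapping,
    since the mapping the RP forwards may have been altered en route."""
    found = discover(claimed_id, fetch)
    return found is not None and found[1] == rp_supplied_id
```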
