Yet Another Delegation Thread
Dick Hardt
dick at sxip.com
Wed Oct 25 16:22:40 UTC 2006
On 25-Oct-06, at 8:57 AM, Drummond Reed wrote:
> Sure, Dick, here's the list of reasons that Josh and David and I discussed for allowing the RP to do the mapping between a Claimed Identifier and IdP-Specific Identifier:
>
> 1) The first is the reason Brad designed this mechanism in the first place -- it allows the user to control the binding of their Claimed Identifier (the portable identifier the user controls) to an IdP-Specific Identifier (which the IdP controls). This means the user doesn't have to register their Claimed Identifier with the IdP (which may not even be possible -- for example, LiveJournal may only recognize you by your LiveJournal login name, but you can still use them as your IdP by pointing your vanity domain name at your LiveJournal blog page). This also prevents IdP "lockin" on a Claimed Identifier.
This is done with the current method, correct? In this case, you only send the IdP-specific identifier.
>
> 2) Since the RP has to do discovery on the Claimed Identifier anyway, if it discovers a mapping between the Claimed Identifier and an IdP-Specific Identifier, the RP can send the IdP-Specific Identifier to the IdP and save the IdP from having to repeat discovery.
Unfortunately that disco information could be modified en route, so the IdP can't trust it.
>
> 3) Allowing the user to control Claimed Identifier-to-IdP-Specific-Identifier mapping gives the user the ability to establish any number of OpenID "synonyms" that do not require any involvement on the part of the IdP. In many ways this is the user-facing complement of the directed identity value proposition: in directed identity, the user can have the IdP create any number of pseudonyms for different RPs. But the user is dependent on the IdP for this functionality. With Claimed Identifier-to-IdP-Specific-Identifier mapping, the user controls which Claimed Identifier maps to which IdP-Specific-Identifier, and is NOT dependent on the IdP for this mapping (which means it is entirely portable).
I read this a couple of times and don't understand what is different between it and (1) above ...
>
> Hope this helps,
It does, but also confirms my thinking that one identifier works fine.
-- Dick
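The mapping the thread argues about is the Claimed Identifier-to-IdP-Specific Identifier binding that the RP learns during discovery and then carries in the request. The following is an added example (not code from this thread, from Sxip, or from any OpenID library) of the RP side of that flow: HTML-based discovery of the binding, building the checkid request that sends both identifiers, and the check that makes Dick's "can't trust it en route" objection moot for the RP, namely that the RP repeats its own discovery on the asserted Claimed Identifier and refuses the assertion unless the endpoint and IdP-specific identifier match what it found. The link relations (`openid2.provider`/`openid2.local_id`, with `openid.server`/`openid.delegate` as the 1.1 fallback) are the real ones; the hostnames, the sample HTML page, the `fake_fetch` helper and the assertion dictionaries are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"


class _LinkCollector(HTMLParser):
    """Collect <link rel=... href=...> pairs from an identifier page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = {k.lower(): v for k, v in attrs if v is not None}
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():          # rel may carry several tokens
                self.links.setdefault(r.lower(), href)


def discover(claimed_id, page_html):
    """HTML discovery on a Claimed Identifier.

    Returns (idp_endpoint, idp_specific_id). Prefers OpenID 2.0 link
    relations and falls back to the 1.1 ones. When the page declares no
    local identifier, the IdP-specific identifier is the Claimed
    Identifier itself (the "one identifier" case).
    """
    p = _LinkCollector()
    p.feed(page_html)
    if "openid2.provider" in p.links:
        return p.links["openid2.provider"], p.links.get("openid2.local_id", claimed_id)
    if "openid.server" in p.links:
        return p.links["openid.server"], p.links.get("openid.delegate", claimed_id)
    raise ValueError("no OpenID endpoint declared for %s" % claimed_id)


def build_checkid_request(endpoint, claimed_id, idp_specific_id, return_to, realm):
    """Build the redirect URL: both identifiers travel in the request."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": idp_specific_id,   # what the IdP actually knows the user as
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return endpoint + ("&" if "?" in endpoint else "?") + urlencode(params)


def verify_binding(assertion, fetch):
    """RP-side check of a positive assertion's identifier binding.

    `fetch(url)` returns the HTML of a Claimed Identifier page. The RP
    re-runs discovery itself rather than trusting any mapping carried in
    the messages, so a tampered or attacker-chosen binding is rejected.
    Signature verification of the assertion (association or
    check_authentication) is a separate step and not shown here.
    """
    claimed = assertion.get("openid.claimed_id")
    asserted_local = assertion.get("openid.identity")
    op_endpoint = assertion.get("openid.op_endpoint")
    if not (claimed and asserted_local and op_endpoint):
        raise ValueError("assertion is missing identifier fields")
    endpoint, expected_local = discover(claimed, fetch(claimed))
    if endpoint != op_endpoint:
        raise ValueError("assertion came from %s, discovery says %s" % (op_endpoint, endpoint))
    if expected_local != asserted_local:
        raise ValueError("IdP-specific id %s does not match discovered %s"
                         % (asserted_local, expected_local))
    return claimed


# --- constructed sample data for the example (not real services) ---
CLAIMED_ID = "https://alice.example.org/"
IDP_ENDPOINT = "https://idp.example.net/openid"
IDP_LOCAL_ID = "https://idp.example.net/users/alice"
SAMPLE_PAGE = """<html><head>
<link rel="openid2.provider" href="%s">
<link rel="openid2.local_id" href="%s">
<link rel="openid.server" href="%s">
<link rel="openid.delegate" href="%s">
</head><body>alice's vanity domain</body></html>""" % (
    IDP_ENDPOINT, IDP_LOCAL_ID, IDP_ENDPOINT, IDP_LOCAL_ID)

PAGES = {CLAIMED_ID: SAMPLE_PAGE}


def fake_fetch(url):
    """Stand-in for an HTTP GET of the identifier page (offline example)."""
    return PAGES[url]


if __name__ == "__main__":
    ep, local = discover(CLAIMED_ID, fake_fetch(CLAIMED_ID))
    print(build_checkid_request(ep, CLAIMED_ID, local,
                                "https://rp.example.com/return", "https://rp.example.com/"))
```

The point of `verify_binding` is that the RP's trust decision rests on discovery the RP performed itself over the Claimed Identifier, not on whatever mapping arrived in the request or the response; an IdP that asserts a Claimed Identifier whose page does not delegate to that IdP and that local identifier is refused.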