Yet Another Delegation Thread

Pete Rowley prowley at redhat.com
Wed Oct 25 18:40:13 UTC 2006


Josh Hoyt wrote:
> On 10/25/06, Pete Rowley <prowley at redhat.com> wrote:
>> Is it a goal to not allow correlation of identifiers? If so, I do not
>> think this meets that goal.
>>
>> Looking at the parties involved here, I necessarily have to trust my
>> IdP, but I certainly don't want to trust RPs. So if there is to be
>> leakage of information, it should go to the IdP, who is charged with the
>> protection of my data. This appears to construct what amounts to a map
>> of all my online identifiers nicely formatted so that a bot can harvest
>> it easily. Perhaps non-correlation is a non-goal for this particular
>> feature - but I would hope that it would be a high priority.
>
> The IdP can issue as many identifiers as it wants to the user, and the
> user can use a different IdP-specific identifier for each of their
> separate portable identifiers.
I don't understand why this would help - it really doesn't matter if I 
use one IdP with multiple identifiers or multiple IdPs or how many 
portable identifiers I use if all of them can be correlated through 
specified OpenID discovery mechanisms.
>
> Every proposal so far has had the IdP-specific identifier discovered
> through the standard discovery mechanism, so this criticism would
> apply to OpenID portable identifier support in general, not this
> specific proposal.
OK, so it applies more broadly. In that case I take it non-correlation 
of identifiers is not a goal of OpenID in general?



-- 
Pete
