Do We Agree on the Problem We're Trying to Solve?

Dick Hardt dick at sxip.com
Tue Jun 12 19:14:19 UTC 2007


On 11-Jun-07, at 1:45 PM, Josh Hoyt wrote:
>
> If I understand Dick, he's proposing using multiple identifiers as a
> kind of multi-factor authentication, where the user has to present
> more than one credential in the form of identifiers to take an action.
> This is very similar to your interpretation of two URLs being
> necessary. It's an interesting idea, and it has a lot of nice
> properties, but it seems like a pretty big leap at this point. I think
> the biggest drawback is that the nice properties only really appear
> when each identifier is issued by a separate authority.

Multiple identifiers resolve problem B of losing control of an
identifier, and would also enable identifier recycling.

If you pull back and look at current mechanisms, many of them are  
multiple identifiers. If you forget your password, equivalent to  
losing control of an identifier, you can get a new one sent to your  
email address and you can change your password (identifier). If you  
don't have access to your email anymore, some sites ask you a number  
of "secret" questions, and if you have that information, then it is  
another "identifier".

Just to clarify, I do *not* propose we add support for multiple  
identifiers in OpenID 2.0 -- but hope that this discussion sheds  
light that there are other ways of solving the problem besides having  
a permanent directory of identifiers aka the i-names/i-numbers  
mechanisms.

-- Dick



