Do We Agree on the Problem We're Trying to Solve?
Dick Hardt
dick at sxip.com
Tue Jun 12 19:14:19 UTC 2007
On 11-Jun-07, at 1:45 PM, Josh Hoyt wrote:
>
> If I understand Dick, he's proposing using multiple identifiers as a
> kind of multi-factor authentication, where the user has to present
> more than one credential in the form of identifiers to take an action.
> This is very similar to your interpretation of two URLs being
> necessary. It's an interesting idea, and it has a lot of nice
> properties, but it seems like a pretty big leap at this point. I think
> the biggest drawback is that the nice properties only really appear
> when each identifier is issued by a separate authority.

The multiple identifiers resolve problem B of losing control of an
identifier, and would also enable identifier recycling.

If you pull back and look at current mechanisms, many of them are
multiple identifiers. If you forget your password, equivalent to
losing control of an identifier, you can get a new one sent to your
email address and you can change your password (identifier). If you
don't have access to your email anymore, some sites ask you a number
of "secret" questions, and if you have that information, then it is
another "identifier".

Just to clarify, I do *not* propose we add support for multiple
identifiers in OpenID 2.0 -- but hope that this discussion sheds
light that there are other ways of solving the problem besides having
a permanent directory of identifiers aka the i-names/i-numbers
mechanisms.

-- Dick