Mozilla BrowserID

Dick Hardt dick.hardt at gmail.com
Wed Jul 20 16:38:41 UTC 2011


On 2011-07-20, at 11:24 AM, John Kemp wrote:

> On Jul 20, 2011, at 12:10 PM, Dick Hardt wrote:
> 
>>>>>> BrowserID is user-centric in that the RP can verify the signature of whichever email provider the user chooses. It doesn't rely on a prior agreement between the RP and IdP.
>>>>> 
>>>>> I agree with your specific statement - so I won't quibble over whether this is necessarily "user-centric" or not ;)
>>>> 
>>>> I think that is one of the key aspects of user-centricity. The user is making choices on which attributes to share. The user is determining "who" she wants to be in a given RP context.
>>> 
>>> Yes, I understand what you mean. I'm just personally not sure that BrowserID is really so much more "user-centric" in the way you mean than OpenID (Connect).
>> 
>> The flow is moving from my agent (the browser) to the RP rather than from the IdP to the RP.
> 
> Isn't this *exactly* the same as using a browser plugin or an OS-level component invoked by the browser with OpenID performed "behind the scenes" with the RP? These solutions all assert the attributes directly from the user-agent, and the attributes are potentially signed by an IdP and stored as an assertion on the client. 

OpenID Connect does not work that way. It is based on OAuth, which is great for delegating authority -- but once delegated, the user is not involved anymore.

OpenID 2.0 is user-centric. Did you watch my presentation? If so, I would love to hear how that was not clearly explained!

-- Dick


More information about the specs mailing list