concerns about each user having a unique "URL"
Drummond Reed
drummond.reed at cordance.net
Wed Nov 8 11:02:31 PST 2006
>>Kevin Turner wrote:
>> On Thu, 2006-11-02 at 17:31 -0500, Peter Watkins wrote:
>>> Also, while the obvious user identifier would be something like
>>> username + "id." + domain name ("plumbers.co")
>>> For years we have allowed characters in the username field that are
>>> not compatible with RFC 952,
>>
>> Can you side-step this by putting the username in the path component,
>> i.e. "id.plumbers.co/Patrick O'Rourke"?
>
>Peter Watkins wrote:
>Not really -- see my points about password-less authentication and name
>changes. Many of our users authenticate without usernames; others change
>names after marriage, divorce, etc. Our only good unique identifier is,
>well, the "Plumber Identification Number", which is a 10-15 digit number
>that nobody should ever have to remember, much less type. Even if they
>did remember their PIN unique identifier, I don't want my users having
>to disclose their PIN to log in for privacy reasons. If a member wants
>to participate in some discussion forum about bathtub repair, it should
>suffice that our IdP is willing to assert that he's a licensed plumber
>with first name "Rob" or some such. If a Service Provider wants to
>require the GUID (which for us would probably be the PIN, or some
>unique-per-user derivative of the PIN) for one of our users, our OpenID
>IdP interface should let the user decide if that was acceptable.
>
>I don't quite understand this about OpenID -- the materials illustrate
>some sort of user choice, but since all OpenID assertions use the same
>constant-per-user claimed identifier, the net effect of giving different
>pieces of info to different parties is that Service Providers, since
>they all see the same claimed identifier for a given individual, could
>collude to reconstruct more complete assertion sets than the user would
>ever disclose to a single Service Provider.
Peter,
The "directed identity" feature in OpenID Authentication 2.0 should give you
what you want. You as the IdP could instruct your users to simply login to
any OpenID-enabled site (RP) with your IdP identifier (plumbers.co). Then
plumbers.co as the IdP can return whatever identifier you and the user agree
should be used for that RP -- and it can be different for every RP if you or
the user desires this behavior.
In this case, RPs cannot collude on the identifier itself (they may still be
able to collude on any shared data -- that's a separate problem). The only
one that can do the mapping between all the identifiers given out is the
IdP, but in the case of directed identity the user is trusting the IdP.
Hope this helps,
=Drummond
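To make the directed-identity behaviour Drummond describes concrete, here is an added example (not code from the thread or from any OpenID library) of how an IdP like plumbers.co could answer an identifier_select request with a per-RP identifier derived from the member's PIN without ever revealing the PIN. The secret key, endpoint URL and identifier URL form are constructed assumptions; the signing fields of a real OpenID 2.0 response are left to a separate layer.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed values for the example. The IdP secret is a long-lived random
# key held only by plumbers.co; without it no RP can recompute or link identifiers.
IDP_SECRET = b"constructed-secret-held-only-by-plumbers.co"
IDP_ENDPOINT = "https://id.plumbers.co/openid"          # assumed OP endpoint
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OPENID_NS = "http://specs.openid.net/auth/2.0"

def normalize_realm(realm: str) -> str:
    """Reduce an RP realm to scheme + host so one RP always maps to one key."""
    p = urlparse(realm)
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}"

def pairwise_identifier(pin: str, realm: str) -> str:
    """Identifier the IdP hands to one RP for one member: HMAC(secret, PIN || realm).
    Deterministic per (member, RP), reveals nothing about the PIN, and differs for
    every RP, so RPs cannot join records on it. Only the IdP can map it back."""
    msg = f"{pin}\x00{normalize_realm(realm)}".encode()
    tag = hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return f"https://id.plumbers.co/u/{tag}"   # assumed identifier URL form

def handle_checkid(request: dict, pin: str, user_consents: bool) -> dict:
    """Build the OP's response fields for a directed-identity checkid request.
    The RP sent identifier_select because the user typed only 'plumbers.co'; the
    IdP picks the identifier after the member approves the release. Signing fields
    (assoc_handle, signed, sig, response_nonce) are assumed to come from a separate
    signing layer and are omitted here."""
    if request.get("openid.identity") != IDENTIFIER_SELECT:
        raise ValueError("not a directed-identity request")
    if not user_consents:
        return {"openid.ns": OPENID_NS, "openid.mode": "cancel"}
    realm = request.get("openid.realm") or request["openid.return_to"]
    ident = pairwise_identifier(pin, realm)
    return {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": IDP_ENDPOINT,
        "openid.claimed_id": ident,
        "openid.identity": ident,
        "openid.return_to": request["openid.return_to"],
    }
```

Two RPs that compare the claimed_id values they received for the same plumber get different strings, and neither can recover the PIN or the mapping without IDP_SECRET.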