[OpenID] OpenId downtime - Resiliency Protocol Suggestion

Martin Fick mogulguy at yahoo.com
Wed Dec 12 22:01:32 UTC 2007


Perhaps there could be a way to wrap openid 
with a higher level protocol that is 
resilient and even provides simpler userids,
something more akin to the way email and 
jabber and SIP addresses work?  What if 
current openids were seen as more like an 
IP address and the simpler userids were 
higher level addresses that could be 
translated to one or more openids using a 
DNS mechanism, thus allowing for resiliency.

For example user John Smith might currently 
have an openid of:  
  http://myopenidprovider.com/openid/John.Smith
but he wants to have a secondary backup 
openid of:
  http://backupprovider.com/openid/John.Smith

Ultimately he owns the TheSmiths.org domain 
and he wants his userid to be:   
  John.Smith at TheSmiths.org  
and he wants it to refer to the 2 openids 
mentioned above using some DNS mechanism so 
that it is more resilient.


How could this be done?



As a rather naive user I would suggest some 
implementations that are sure to be broken, but
perhaps someone smarter than me can take this
and make something real out of it?

It seems like what would be needed to do this
is either:

  A) some way of looking up a URL in DNS
     (instead of an IP/hostname) 

or

  B) a naming convention that can be used 
     to translate a userid + a hostname 
     into a URL.

So, for (A), imagine distorting SRV records 
so that they can return a full URL or creating
a new DNS record type which can return a URL.

This way looking up TheSmiths.org for openid
would return http://myopenidprovider.com/openid
with say a priority of 10 and 
http://backupprovider.com/openid with a 
priority of 20

The user id John.Smith would simply be 
appended to either of these and tried in 
their order of priority.



The alternative (B) which would require some 
form of conformance on the part of openid
providers would simply take advantage of the
current DNS SRV record support for returning
a hostname.

This way looking up TheSmiths.org for service
openid would return only myopenidprovider.com 
and port 80 with say a priority of 10 and 
backupprovider.com with port 80 and a priority 
of 20.

The simplest convention then would be to build
up an openid URL from the hostname by simply
assuming http (since it was port 80) and 
starting with a default directory such as 
'openid' to attempt to not steal a server's 
entire URL namespace.  Adding the user name
thereafter is the next simplest solution, this
will end up with the same example URLs as 
above.


One obvious problem with both of these 
solutions is how can an openid provider 
provide namespace support for people who
have the same name under different domains?  

In other words suppose that there is 
another unrelated 'John Smith' who wants 
his userid to be:  John.Smith at TheDoes.com
(because he is married to Jane Doe who
manages TheDoes.com).  Using the mechanisms 
outlined above if they both use 
myopenidprovider.com as their primary
providers, they will have a namespace 
clash!

Perhaps openid providers could support
many domain names with a URL scheme
such as:


http://myopenidprovider.com/openiddomains/<domain>/<user>

thus the 2 John Smiths above could be supported
by the following openid URLs:


http://myopenidprovider.com/openiddomains/TheSmiths.org/John.Smith

http://myopenidprovider.com/openiddomains/TheDoes.com/John.Smith


Or, perhaps what we really need is an RFC that
opens up a whole new DNS namespace just for IDS?
But don't ask me how to organize that! ;)

Thoughts? Be friendly with the darts!


-Martin
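The following is an added worked example and is not part of Martin's post or of any OpenID implementation. It implements the SRV-based convention (B) from the post and the per-domain namespace variant suggested near the end: a user id such as John.Smith@TheSmiths.org is split into user and domain, the domain's SRV records are read in priority order, each target host becomes a candidate OpenID URL, and the candidates are tried one after another so that a backup provider is used when the primary is down. Everything below is assumed for illustration: the SRV service label "_openid._tcp" (the post names no label), the "openid" and "openiddomains/<domain>/<user>" path prefixes, the mapping of port 443 to https (the post only covers port 80 and http), and an in-memory SRV table in place of a real resolver. The user part is validated before it is placed into a URL path so that a crafted id cannot escape the provider's "openid" directory.

```python
"""Resolve a simple user id to OpenID URLs via DNS SRV records (option B).

Added example; the SRV service label, path prefixes and the in-memory DNS
table are all assumptions made for illustration, not part of any standard.
"""
import re
from dataclasses import dataclass
from urllib.parse import quote

# Constructed SRV answers standing in for a real DNS resolver.  Keys are the
# assumed service label "_openid._tcp." followed by the lower-cased domain.
FAKE_SRV_TABLE = {
    "_openid._tcp.thesmiths.org": [
        # primary (priority 10) listed second on purpose; ordering must not
        # depend on the order the answers arrive in
        (20, 0, 80, "backupprovider.com"),
        (10, 0, 80, "myopenidprovider.com"),
    ],
    "_openid._tcp.thedoes.com": [
        (10, 0, 443, "myopenidprovider.com"),
    ],
}

# Conservative allow-list for the user part: it is about to become a URL
# path segment, so "../", "/", "?", "#" and friends must never get through.
USER_PART_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
DOMAIN_RE = re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def is_valid_user_part(user):
    """True if the user part may safely be appended to a provider URL."""
    return bool(USER_PART_RE.match(user)) and ".." not in user


def parse_userid(userid):
    """Split 'user@domain' and reject anything that could corrupt the URL."""
    if userid.count("@") != 1:
        raise ValueError("user id must contain exactly one '@'")
    user, domain = userid.split("@")
    if not is_valid_user_part(user):
        raise ValueError("invalid user part: %r" % user)
    if not DOMAIN_RE.match(domain):
        raise ValueError("invalid domain: %r" % domain)
    return user, domain


def lookup_srv(domain, table=FAKE_SRV_TABLE):
    """Return SRV records for the assumed _openid._tcp.<domain> name.

    Ordering: ascending priority, then descending weight.  RFC 2782 asks
    for weighted random selection among equal priorities; a deterministic
    order is used here so the result is reproducible.
    """
    raw = table.get("_openid._tcp." + domain.lower(), [])
    records = [SrvRecord(*r) for r in raw]
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def candidate_urls(userid, table=FAKE_SRV_TABLE, per_domain=False):
    """Build the ordered list of OpenID URLs to try for a user id.

    per_domain=False -> http://<host>/openid/<user>            (convention B)
    per_domain=True  -> http://<host>/openiddomains/<domain>/<user>
    The second form lets one provider serve two unrelated John Smiths
    without a namespace clash.
    """
    user, domain = parse_userid(userid)
    urls = []
    for rec in lookup_srv(domain, table):
        scheme = "https" if rec.port == 443 else "http"   # assumed extension
        host = rec.target if rec.port in (80, 443) else "%s:%d" % (rec.target, rec.port)
        if per_domain:
            path = "openiddomains/%s/%s" % (quote(domain, safe=""), quote(user, safe=""))
        else:
            path = "openid/%s" % quote(user, safe="")
        urls.append("%s://%s/%s" % (scheme, host, path))
    return urls


def resolve(userid, probe, table=FAKE_SRV_TABLE, per_domain=False):
    """Try each candidate in priority order; return the first the probe accepts.

    `probe(url) -> bool` stands in for fetching the OpenID identity page.
    Returns None when every provider is unreachable.
    """
    for url in candidate_urls(userid, table, per_domain):
        if probe(url):
            return url
    return None


if __name__ == "__main__":
    # Simulate the primary provider being down: only the backup answers.
    backup_only = lambda url: url.startswith("http://backupprovider.com/")
    print(candidate_urls("John.Smith@TheSmiths.org"))
    print(resolve("John.Smith@TheSmiths.org", backup_only))
    print(candidate_urls("John.Smith@TheDoes.com", per_domain=True))
```

Two points worth noting from a defender's view. First, the whole mapping from user id to identity URL rests on an unauthenticated DNS answer, so without DNSSEC (or a comparable integrity check) whoever controls the zone or the resolver path controls which provider is consulted; the post's "more like an IP address" analogy carries that trust assumption with it. Second, because the user part ends up in a URL path, the resolver rejects anything outside a small allow-list rather than trusting the provider to handle "../" or query characters safely.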





