[OpenID] Uniting two identifiers: revisited

Martin Atkins mart at degeneration.co.uk
Mon Jan 1 20:51:44 UTC 2007

Hi all,

I realise this has been discussed before, but I don't believe a suitable 
solution was reached. The issue here is how to indicate that two 
identifiers represent "the same" identity in a machine-readable fashion. 
(This would, of course, be optional.)

For example, I'd like both my HTTP URL and my i-number to both represent 
the same identity.

Some existing implementations of OpenID relying party (LifeWiki, for 
example) currently allow this by logging in with one identifier and then 
authenticating with additional identifiers to associate them. Of course, 
this only creates the association for that website, meaning that I have 
to repeat this process for every site.

Most OpenID implementations currently use the identifier as the primary 
key for an "account" or "identity". I consider this a dreadful practice 
as it prevents not only identity synonyms but also makes migration 
between identifiers difficult. (though I'm not discussing the latter 
here, of course.)

So the two things that need to be done to address this, as I see it, are:
  * Strongly advise all OpenID relying party implementations to allow 
multiple identifiers per "account" or "identity" wherever this makes sense.
  * Devise a machine-readable way to express identity synonyms which can 
cross the boundary between HTTP URLs and XRI URLs. (the XRI stuff 
already allows synonyms, but that doesn't help me when some of my 
identifiers are HTTP URLs.)
  * Find some way to get all of the existing RP implementations to start 
using the mechanism from the previous point to automatically establish 
the relationship between two identifiers when logging in.

I think one pertinent question is what the correct behavior would be in 
the case where a pair of identifiers that were previously connected 
cease to be so. I'm sure there are other hairy cases.

Discuss? :)

More information about the general mailing list