[OpenID] Uniting two identifiers: revisited

Drummond Reed drummond.reed at cordance.net
Mon Jan 1 23:35:25 UTC 2007


Martin Atkins wrote:

Hi all,

I realise this has been discussed before, but I don't believe a suitable 
solution was reached. The issue here is how to indicate that two 
identifiers represent "the same" identity in a machine-readable fashion. 
(This would, of course, be optional.)

For example, I'd like both my HTTP URL and my i-number to represent 
the same identity.

Some existing implementations of OpenID relying party (LifeWiki, for 
example) currently allow this by logging in with one identifier and then 
authenticating with additional identifiers to associate them. Of course, 
this only creates the association for that website, meaning that I have 
to repeat this process for every site.

Most OpenID implementations currently use the identifier as the primary 
key for an "account" or "identity". I consider this a dreadful practice 
as it prevents not only identity synonyms but also makes migration 
between identifiers difficult. (though I'm not discussing the latter 
here, of course.)

So the two things that need to be done to address this, as I see it, are:
  * Strongly advise all OpenID relying party implementations to allow 
multiple identifiers per "account" or "identity" wherever this makes sense.
  * Devise a machine-readable way to express identity synonyms which can 
cross the boundary between HTTP URLs and XRI URLs. (the XRI stuff 
already allows synonyms, but that doesn't help me when some of my 
identifiers are HTTP URLs.)
  * Find some way to get all of the existing RP implementations to start 
using the mechanism from the previous point to automatically establish 
the relationship between two identifiers when logging in.

I think one pertinent question is what the correct behavior would be in 
the case where a pair of identifiers that were previously connected 
cease to be so. I'm sure there are other hairy cases.

Discuss? :)

[Drummond Reed wrote:]

Holy moly, does nobody on this list take time off on New Year's? ;-) Here I
am already working between football games trying to answer another thread
about "Why is XRI so obtuse?" and then Martin comes along with this monster
topic.

Seriously, Martin, GREAT question, because synonym management was another
one of the key use cases that XRI architecture was developed to handle. So
I'll expand the response I'm writing to "Why is XRI so obtuse?" (which
Kaliya is also doing a good job answering) to explain why part of the
solution for what you are looking for is already built into XRI and XRDS
architecture, and even more will be built into XRI Resolution 2.0 Working
Draft 11 as we fold in more support for discovering XRDS documents from
URLs.

However, once I finish that I'll respond directly with the key security
issues we've run into in developing XRI synonym architecture that are the
"hairy cases" you refer to. I hope the end result will be an OpenID synonym
management architecture all of us -- URL and XRI proponents alike -- can
live with.

Back at you as soon as I can,

=Drummond 
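Added example, not code from either poster or from any OpenID library: a relying-party account store that does what Martin's first bullet asks for (accounts keyed on a surrogate id, several identifiers per account) and that also handles the "hairy case" he raises, a pair of identifiers that were linked and cease to be. Everything about how synonyms are declared is an assumption of this example: the `discovery` dict stands in for Yadis/XRI resolution and its shape is invented, and a declaration is only honoured when both identifiers declare each other, so a one-sided claim cannot attach somebody else's identifier to the claimant's account.

```python
"""Constructed example: an OpenID relying-party account store that does NOT
use the claimed identifier as the account's primary key.

Assumptions (not stated in the thread):
  * `discovery` maps an identifier to the set of identifiers its discovery
    document declares as synonyms; the shape is invented for this example.
  * A synonym link is honoured only when both sides declare each other.
"""
from __future__ import annotations

import itertools
from dataclasses import dataclass, field


class ConflictError(Exception):
    """Raised when mutual synonyms already belong to different accounts."""


@dataclass
class Account:
    id: int
    # identifier -> how it got here: "auth" (the user completed an OpenID
    # login with it at this RP) or "synonym" (pulled in by a mutual declaration)
    identifiers: dict[str, str] = field(default_factory=dict)


class AccountStore:
    def __init__(self, discovery: dict[str, set[str]]) -> None:
        self._discovery = discovery  # constructed stand-in for Yadis/XRI discovery
        self._seq = itertools.count(1)
        self._accounts: dict[int, Account] = {}
        self._by_identifier: dict[str, int] = {}

    def declared(self, identifier: str) -> set[str]:
        """Synonyms the identifier's own discovery document declares."""
        return set(self._discovery.get(identifier, ()))

    def mutual_synonyms(self, identifier: str) -> set[str]:
        """Only declarations confirmed from the other side count."""
        return {s for s in self.declared(identifier) if identifier in self.declared(s)}

    def lookup(self, identifier: str) -> Account | None:
        aid = self._by_identifier.get(identifier)
        return None if aid is None else self._accounts[aid]

    def _attach(self, account: Account, identifier: str, source: str) -> None:
        self._by_identifier[identifier] = account.id
        if source == "auth" or identifier not in account.identifiers:
            account.identifiers[identifier] = source  # "auth" outranks "synonym"

    def _detach(self, account: Account, identifier: str) -> None:
        del account.identifiers[identifier]
        self._by_identifier.pop(identifier, None)

    def login(self, verified_identifier: str) -> Account:
        """Call after the OpenID assertion for verified_identifier has been
        verified. Finds the account via the identifier or any mutual synonym,
        creates one if none exists, then re-syncs synonym-sourced identifiers."""
        synonyms = self.mutual_synonyms(verified_identifier)
        owners: dict[int, Account] = {}
        for candidate in {verified_identifier, *synonyms}:
            acct = self.lookup(candidate)
            if acct is not None:
                owners[acct.id] = acct
        if len(owners) > 1:
            # Hairy case: the synonyms were registered as separate accounts
            # before they were linked. Refuse to merge silently.
            raise ConflictError(sorted(owners))
        account = next(iter(owners.values()), None)
        if account is None:
            account = Account(next(self._seq))
            self._accounts[account.id] = account
        self._attach(account, verified_identifier, "auth")
        for s in synonyms:
            self._attach(account, s, "synonym")
        self._resync(account)
        return account

    def link(self, account: Account, verified_identifier: str) -> None:
        """LifeWiki-style explicit linking: the logged-in user authenticates
        with another identifier and it is attached to the current account."""
        owner = self.lookup(verified_identifier)
        if owner is not None and owner.id != account.id:
            raise ConflictError([owner.id, account.id])
        self._attach(account, verified_identifier, "auth")

    def _resync(self, account: Account) -> None:
        """The other hairy case: a linked pair ceases to be linked. Synonym-
        sourced identifiers stay only while some identifier the user actually
        authenticated with still declares them mutually; explicit "auth" links
        survive because the user proved control of those at this RP."""
        still_declared: set[str] = set()
        for ident, source in account.identifiers.items():
            if source == "auth":
                still_declared |= self.mutual_synonyms(ident)
        for ident, source in list(account.identifiers.items()):
            if source == "synonym" and ident not in still_declared:
                self._detach(account, ident)
```

The two-sided check is the one security decision in the block: with a one-sided rule, anyone who can publish a discovery document could attach my URL to their account at every RP that auto-links. Recording whether an identifier arrived by authentication or by declaration is what lets the store drop a withdrawn declaration without also dropping links the user established by logging in.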
