[OpenID] Proposal for a new XDI.ORG service (i-service) for SSO

Chris Drake christopher at pobox.com
Tue Jan 16 05:48:22 UTC 2007

Hi Drummond,

I'm looking for a way to let my customers use their identities safely
online.  In particular, this includes protecting them from

Can you suggest a way that =Christopher can log in to www.site-a.com
and then later into www.site-b.com such that site-a and site-b cannot
later "share data" about =Christopher without his permission?  This
control is, after all, the whole point of "user centric"?

My proposal is for XDI.org to host an HTTPS redirection proxy
application that can take HTTPS POST data directly from RP web forms,
resolve the entered i-name =Christopher (or ask for the i-name if none
was provided, e.g. I clicked "login" without entering my i-name), and
redirect the browser to the customer's preferred authentication
endpoint (the endpoint can then allow my customers to decide which
persistent identifier to provide back to site-x for this login).

Basically - anything that blocks i-names from getting posted directly
to RP web sites will do, and I think XDI is the best place to do this?
Infocards already have this functionality built-in, using the owners
operating system as the "selector".  I think XDI can build something
much better, that will continue to work whether or not our customer is
in front of his own PC.

Kind Regards,
Chris Drake,
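
As an added illustration (not code from the original message or from XDI.org), the following Python models the flow the proposal describes: the proxy takes the RP's form POST, resolves the i-name to the owner's endpoint (a hypothetical in-memory resolver stands in for XRI resolution), and the endpoint hands each RP a pairwise persistent identifier derived with an HMAC so that site-a and site-b cannot correlate the owner. The endpoint URL, hostnames and per-user secret are constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data (hypothetical): i-name -> the owner's preferred
# authentication endpoint. A real deployment would use XRI resolution.
RESOLVER = {"=Christopher": "https://idp.example.net/auth"}


def proxy_handle_post(form, return_to):
    """Proxy side: accept the RP's form POST and decide the next hop.

    The RP only ever supplies return_to; the i-name stays between the
    proxy and the owner's own endpoint and is never posted to the RP.
    """
    iname = form.get("iname")
    if not iname:
        # No i-name entered: the proxy asks the user itself, not the RP.
        return "prompt", None
    endpoint = RESOLVER.get(iname)
    if endpoint is None:
        return "unknown-iname", None
    rp_host = urlparse(return_to).hostname
    # Redirect the browser to the owner's endpoint, carrying only the RP's
    # hostname and where to send the result (the i-name is not in the URL).
    query = urlencode({"rp": rp_host, "return_to": return_to})
    return "redirect", endpoint + "?" + query


def pairwise_identifier(user_secret: bytes, rp_host: str) -> str:
    """Endpoint side: an identifier that is stable for one RP but unlinkable
    across RPs (HMAC-SHA256 over the RP hostname with a per-user secret)."""
    return hmac.new(user_secret, rp_host.lower().encode(), hashlib.sha256).hexdigest()


def endpoint_respond(user_secret: bytes, redirect_url: str) -> str:
    """Endpoint side: after the owner has authenticated, send the RP its own
    pairwise identifier instead of the global i-name."""
    params = parse_qs(urlparse(redirect_url).query)
    rp_host = params["rp"][0]
    return_to = params["return_to"][0]
    sep = "&" if "?" in return_to else "?"
    return return_to + sep + urlencode(
        {"identifier": pairwise_identifier(user_secret, rp_host)}
    )
```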
