[OpenID] Recycling OpenIDs (Was: What's broken in OpenID 2.0? (IIW session))
Peter Watkins
peterw at tux.org
Fri May 18 19:01:11 UTC 2007
On Mon, May 14, 2007 at 02:05:46AM +0100, Martin Atkins wrote:
> damnian wrote:
> > I don't recall this ever being proposed. I apologize in advance if it was.
> >
> > What if a hash (e.g. SHA256) of the user's email address is used as a
> > canonical ID? Here are 5 reasons why this should work (off the top of
> > my head):
> >
> > 1. OpenID needs canonical IDs (duh!).
> > 2. Email addresses rarely change.
> > 3. Email addresses are verifiable by OPs.
> > 4. Email addresses would remain hidden from RPs.
> > 5. OpenID would remain decentralized.
Dmitry, since you've stated that only Martin voiced an objection to
this proposal, I guess I should chime in. I don't like it, either.
I don't understand point #1. Each RP needs a unique identifier for an
individual for a given session that is secured by OpenID. In many cases,
RPs will need the unique identifier to remain constant for a given
real user (so the user can return to the RP and have the RP "remember"
the user). But OpenID doesn't need to use the same globally unique
identifier to be presented by a given OP to every RP every time.
But having a single "global" identifier per user introduces privacy and
RP data-mining/collusion issues. I believe the SAML model (and the CardSpace
model) is that the Identity Provider (IdP/OP) can use an identifier that
is unique, and different for each RP. Drummond Reed suggested that 2.0
allows this (http://openid.net/pipermail/general/2006-November/000579.html)
but I didn't see it in Draft 10 (not *reliably* -- it seemed that "directed
identity" was only available if the RP sent an *optional* request param),
and I'm just now sitting down, again, to plow through Draft 11.
My concerns are still largely what I expressed in November
(http://openid.net/pipermail/general/2006-November/000541.html) and I don't
know if draft 11 has addressed those. I've been quiet largely because I
have not found the time to read the draft and catch up on months of
mailing list traffic. I would still very much like my company to become
an OP, and, management willing, an RP, too. To that end, we *need* "directed
identity" to work reliably (i.e. not depend on any optional behavior, even
SHOULD behavior). It would be nice to offer per-RP identifiers to help
combat RP collusion, but "private URL"/"directed identity" is an absolute
requirement for our hundreds of thousands of "plumbers".
-Peter
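An added illustration of the two identifier models discussed above (not code from the thread or from any OpenID implementation): a single SHA-256 of the e-mail lets two RPs join their user tables, while a per-RP "directed identity" derived with an OP-held secret stays constant for one user at one RP yet differs across RPs. The e-mail, secret and realms are constructed sample values, and the HMAC construction is an assumed design, not something the spec prescribes.

```python
import hashlib
import hmac

# Constructed sample data: one user who has accounts at two relying parties.
EMAIL = "alice@example.org"                   # hypothetical user
OP_SECRET = b"op-private-key-placeholder"     # hypothetical secret held only by the OP
RP_A = "https://shop.example.com/"            # hypothetical RP realm
RP_B = "https://forum.example.net/"           # hypothetical RP realm


def canonical_email(email: str) -> bytes:
    """Normalise so the same mailbox always maps to the same bytes."""
    return email.strip().lower().encode()


def global_identifier(email: str) -> str:
    """The thread's proposal: one canonical ID = SHA-256 of the e-mail address.
    Every RP receives the same value for the same user."""
    return hashlib.sha256(canonical_email(email)).hexdigest()


def pairwise_identifier(op_secret: bytes, email: str, rp_realm: str) -> str:
    """Directed identity (assumed construction): HMAC-SHA256 keyed with the
    OP secret over user and RP realm, so the ID is stable per (user, RP) but
    unrelated across RPs. Without the secret an RP cannot recompute it."""
    msg = canonical_email(email) + b"\x00" + rp_realm.encode()
    return hmac.new(op_secret, msg, hashlib.sha256).hexdigest()


def colluding_rps_can_join(id_at_rp_a: str, id_at_rp_b: str) -> bool:
    """Two RPs pooling their tables can link a record only if the IDs match."""
    return hmac.compare_digest(id_at_rp_a, id_at_rp_b)


def demo() -> dict:
    g_a = global_identifier(EMAIL)                    # what RP A stores
    g_b = global_identifier(EMAIL)                    # what RP B stores
    p_a = pairwise_identifier(OP_SECRET, EMAIL, RP_A)
    p_b = pairwise_identifier(OP_SECRET, EMAIL, RP_B)
    return {
        "global_linkable": colluding_rps_can_join(g_a, g_b),      # True
        "pairwise_linkable": colluding_rps_can_join(p_a, p_b),    # False
        # the RP's "remember the user" requirement still holds per RP
        "pairwise_stable": p_a == pairwise_identifier(OP_SECRET, EMAIL, RP_A),
    }


if __name__ == "__main__":
    print(demo())
```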