[OpenID] Can one use Generic OpenIds

Josh Hoyt josh at janrain.com
Tue May 22 16:44:37 UTC 2007


On 5/22/07, David Fuelling <sappenin at gmail.com> wrote:
> Seems like it's not a good idea to mix the identifier with an attribute of
> the identifier.  If you want to say that "beth" (e.g.) is a member of a
> given group (like "staff"), then this should somehow be reflected in some
> kind of attribute for Beth's OpenId.  You might want to look at the
> Attribute Exchange spec for this kind of thing (although I don't know if
> group/role data is part of that spec, but I don't see why not).

I think you're right, but I think it's also important to note the
subtle distinction that the attribute is not an attribute of the
*identifier*, but an attribute of the *subject*. There are valid cases
for proving that you are a member of a group without having to reveal
your identifier. I don't think that the proposal to have group
identifiers is the best solution to this privacy problem (because it
*doesn't* let you provide the group membership as an attribute).

Another problem with using group identifiers is that it's cumbersome
at best to provide information about membership in more than one group
at a time.

Dick Hardt's third-party claims[1] as attributes (which depend on
OpenID 2.0 authentication and attribute exchange, as well as
additional crypto technology) do solve these problems and they solve
the problems in a way that scales. There are some hurdles in the way
of adoption[2], but I think that in the long run, third-party claims
have the best properties.

Josh

1. Claims not made by the OP, the RP or the user. Perhaps fourth-party
   claims? ;)

2. Just to name a few off the top of my head:

   * getting people in this community to let the OpenID 2.0
     authentication specification be called complete

   * quality cryptography routines in commonly used languages

   * getting authorities to provide claims
