[OpenID] Supporting OpenID
Paul Madsen
paulmadsen at rogers.com
Fri Apr 11 21:02:37 UTC 2008
Will/Nate, my understanding of the directed feature is that the
'typical' sequence would be
1) user provides 'yahoo.com' to RP
2) OP gives a randomized (and targeted) identifier to the RP
I wouldn't expect that a user would normally be presenting the random
URI, not sure why Yahoo displays it for the user other than perhaps to
allow them to talk about the different privacy characteristics it affords?
paul
Will Merydith wrote:
> Paul, actually Yahoo! appends something like "#f8407" to the end of
> those identity uris when negotiating authentication. So the uri
> retrieved back from Yahoo is not the same as the one sent.
>
> On Fri, Apr 11, 2008 at 3:49 PM, Paul Madsen <paulmadsen at rogers.com> wrote:
>
> Hi Nate, the identifiers that Yahoo creates do not append randomness,
> but rather replace the non-randomness, e.g. my nickname
>
> Yahoo shows me 2 URIs I can use
>
> https://me.yahoo.com/mudmanish
> https://me.yahoo.com/a/f5cCqMMk3cHENnlFB.2yrouEXWAl7KEe7hp84I.jA--
>
> I assume (hope) that, were I to use the second at some RP, Yahoo! would
> subsequently give me a different one at another RP
>
> paul
>
> Nate Klingenstein wrote:
> > Paul,
> >
> > I can appreciate the pseudonyms and the use of directed identity, but
> > how does this enhance the privacy of users, if it's really just an
> > appended string? Isn't it trivially more difficult to correlate by
> > simply truncating the URL? Maybe I'm misinterpreting something, but
> > if an RP turned rogue, I don't think that #abc123 would be much to
> > overcome.
> >
> > Thanks,
> > Nate.
> >
> >> 1) the opaque characters you are seeing in the Yahoo OpenIDs support
> >> enhanced privacy (by inhibiting correlation), it's a feature called
> >> 'directed identity'
> >>
> >>> Yahoo! (and Flickr) - we've got it working, it would have been a snap
> >>> except that Yahoo! is appending an alphanumeric string to the end of
> >>> the identity URL. We cannot find documentation detailing the purpose
> >>> of that string.
> >
>
> --
> Paul Madsen e:paulmadsen @ ntt-at.com <http://ntt-at.com>
> NTT p:613-482-0432
> m:613-282-8647
> aim:PaulMdsn5
> web:connectid.blogspot.com
> <http://connectid.blogspot.com>
>
> --
> will.merydith at gmail.com <mailto:will.merydith at gmail.com>
>
> cell 641.233.7548
>
> CTO - 3Mix.com
> Blog - LivingInSmallSizes.com
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-282-8647
aim:PaulMdsn5
web:connectid.blogspot.com
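
Added example, not part of the thread and not Yahoo!'s implementation: it contrasts the two designs discussed above, an identifier with an appended fragment (which still correlates once truncated, as Nate asks) and a directed identifier that replaces the nickname per RP (as Paul describes). The HMAC derivation, `OP_SECRET`, and the `op.example` / `rp-*.example` names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urldefrag

# Constructed values for illustration; not any real OP's secret, hosts or format.
OP_SECRET = b"constructed-op-secret-for-demo"
OP_HOST = "https://op.example/"


def fragment_identifier(nickname: str, generation: str) -> str:
    """Public identifier plus an appended fragment: same base URL at every RP."""
    return f"{OP_HOST}{nickname}#{generation}"


def directed_identifier(nickname: str, rp_realm: str) -> str:
    """Opaque identifier that replaces the nickname and is keyed to one RP realm."""
    msg = nickname.encode() + b"\x00" + rp_realm.encode()
    digest = hmac.new(OP_SECRET, msg, hashlib.sha256).digest()
    token = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return f"{OP_HOST}a/{token}"


def correlatable(id_at_rp1: str, id_at_rp2: str) -> bool:
    """True if two RPs comparing notes can match the IDs after dropping fragments."""
    return urldefrag(id_at_rp1).url == urldefrag(id_at_rp2).url


if __name__ == "__main__":
    rp1, rp2 = "https://rp-one.example/", "https://rp-two.example/"
    # Appended string only: truncation at '#' yields the same URL at both RPs.
    f1 = fragment_identifier("alice", "a1b2c")
    f2 = fragment_identifier("alice", "d3e4f")
    print(f1, f2, correlatable(f1, f2))
    # Directed identity: nothing shared between the two RPs' views of the user.
    d1 = directed_identifier("alice", rp1)
    d2 = directed_identifier("alice", rp2)
    print(d1, d2, correlatable(d1, d2))
    # Same RP on a later login gets the same identifier, so accounts still work.
    print(directed_identifier("alice", rp1) == d1)
```

An RP that keys accounts on the returned identifier should store it exactly as asserted by the OP, since with a directed identifier there is no shorter "base" form to normalize to.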