[OpenID] Opt out of Yahoo OpenID?

Peter Williams pwilliams at rapattoni.com
Fri Jan 18 23:57:02 UTC 2008


 
We need to standardize (or issue design notes for) the two cases, then:
 
1. a pseudonym is generated for each relying party, presumably on the basis of the per-association keying material

2. a common pseudonym is generated/used for a nominated group of relying parties who affiliate

If something in the Yahoo E() function and URL pattern must be understood by the relying party code, then obviously a design note is insufficient - it must be standardized.
 
I'm only just getting my head around the SAML2 equivalents, having finally found an initiator of the SAML request that can invoke all the various facets of the nameid protocols. In the SAML2 world, I do believe that the "directed identity" can be considered either provisioned by the IdP or not provisioned (i.e. merely generated on the fly, per comms security policy, for that specific run of SP-initiated websso (aka openid auth)).
 
 
________________________________

From: Simon Willison [mailto:simon at simonwillison.net]
Sent: Fri 1/18/2008 3:39 PM
To: Peter Williams
Cc: sknvn-openid at yahoo.com; Hans Granqvist; openid-general
Subject: Re: [OpenID] Opt out of Yahoo OpenID?



On 1/18/08, Peter Williams <pwilliams at rapattoni.com> wrote:
> We cannot say that this is not openid (the use of a uri element that could be ciphertext). I assume it has the same purpose as the pseudonym name format in the saml standard. What we should perhaps question is whether openid is deficient in its use-case work given it did not standardize what yahoo felt compelled to add.

As I understand it, the thing Yahoo! are doing (providing a unique
one-time OpenID for each user on a per-site basis, to prevent third
parties from correlating user behaviour across multiple sites without
the user's permission) is an intended consequence of the OpenID 2.0
specification. The official term for it is "directed identity", but
it's not widely understood (in fact that term isn't used in the OpenID
2.0 specification at all). It would be useful if this concept was
expanded upon in a set of design notes (or similar) to accompany the
specification.

There's a thread about directed identity here:

http://openid.net/pipermail/general/2006-November/thread.html#541
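The two cases Peter lists (a pseudonym per relying party, and a common pseudonym for an affiliated group of relying parties) can be illustrated with a small provider-side derivation. The following is an added example written for this archive page; it is not Yahoo!'s E() function, not code from the OpenID specification, and not from anyone on the thread. It assumes, as an illustration only, that the OP derives each directed identifier as a keyed hash (HMAC-SHA256 under an OP-held secret) over the user's local account id and either the verified RP realm or an affiliation-group id; the key name `OP_PAIRWISE_KEY`, the URL layout `/id/<token>` and the sample user and realm values are all constructed for the example.

```python
import hmac
import hashlib

# Constructed placeholder for a long-lived, protected OP secret (assumption: the OP
# keeps one key and derives every directed identifier from it, so the mapping is
# stable across sessions without the OP storing a table of pseudonyms).
OP_PAIRWISE_KEY = b"example-op-secret-key-not-for-production"


def _derive(key: bytes, *parts: str) -> str:
    """HMAC-SHA256 over length-prefixed parts, so ("ab","c") != ("a","bc")."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        raw = part.encode("utf-8")
        mac.update(len(raw).to_bytes(4, "big"))
        mac.update(raw)
    # 128 bits of the tag is plenty to make pseudonyms unguessable and collision-free.
    return mac.hexdigest()[:32]


def per_rp_pseudonym(user_id: str, rp_realm: str) -> str:
    """Case 1: a distinct pseudonym per relying party.

    rp_realm must be the realm the OP has already verified for this request
    (OpenID 2.0 return_to/realm verification); binding the pseudonym to an
    unverified, RP-supplied string would let one site claim another's realm
    and obtain the identifier the other site sees.
    """
    return _derive(OP_PAIRWISE_KEY, "per-rp", user_id, rp_realm)


def group_pseudonym(user_id: str, group_id: str) -> str:
    """Case 2: one pseudonym shared by a nominated, affiliated group of RPs.

    group_id identifies the affiliation the OP has registered; every member
    realm in that group receives the same identifier for the same user.
    """
    return _derive(OP_PAIRWISE_KEY, "group", user_id, group_id)


def directed_identity_url(op_base: str, pseudonym: str) -> str:
    """Embed the opaque token in an OP-controlled identifier URL (layout assumed)."""
    return f"{op_base.rstrip('/')}/id/{pseudonym}"


def correlatable(pseudonym_a: str, pseudonym_b: str) -> bool:
    """Two RPs can join their records on the user only if they hold the same token."""
    return hmac.compare_digest(pseudonym_a, pseudonym_b)


if __name__ == "__main__":
    # Constructed sample values.
    user = "alice@op.example"
    rp_a, rp_b = "https://shop-a.example/", "https://news-b.example/"
    print("case 1:", directed_identity_url("https://op.example", per_rp_pseudonym(user, rp_a)))
    print("case 1:", directed_identity_url("https://op.example", per_rp_pseudonym(user, rp_b)))
    print("linkable across A and B:",
          correlatable(per_rp_pseudonym(user, rp_a), per_rp_pseudonym(user, rp_b)))
    print("case 2 (both in group 'retail-affiliates'):",
          group_pseudonym(user, "retail-affiliates"))
```

Two properties are worth checking against any real scheme: the same user returning to the same RP (or group) must get the same identifier, otherwise the RP cannot recognise a returning account; and two unaffiliated RPs must get identifiers that neither can turn back into the other's without the OP's key, which is what the keyed hash provides here.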
