[OpenID] Laws of id, openid with ssl
Drummond Reed
drummond.reed at cordance.net
Thu Jan 24 23:40:09 UTC 2008
Peter, just to reinforce Dick's first step below -- in directed identity,
the user does not give their own public identifier to the RP, only the
identifier of their OP. That way the RP knows how to discover the OP's XRDS
and connect to the service endpoint for the OP's directed identity service
(<Type>http://specs.openid.net/auth/2.0/identifier_select</Type>).
The OP then returns the user's selected identifier (either public or private
-- user's choice).
=Drummond
> -----Original Message-----
> From: Dick Hardt [mailto:dick at sxip.com]
> Sent: Thursday, January 24, 2008 1:33 PM
> To: Peter Williams
> Cc: Drummond Reed; OpenID List
> Subject: Re: [OpenID] Laws of id, openid with ssl
>
>
> On 24-Jan-08, at 4:15 PM, Peter Williams wrote:
> >
> > Now, when we say that OpenId2 supports directed identity (complying
> > with Law 4), is the above flow pattern what we mean?
>
> That is not what I mean when we say directed identity.
>
> 1) The user provides their OP identifier to the RP.
>
> 2) The RP does discovery to find the OP's entry point and redirects
> the user's browser with the OpenID request.
>
> 3) The OP processes the request and asks the user which identifier
> the user wants to present to the RP. This answer may be cached so the
> user does not need to provide this answer each time. If the user
> indicates they want to use a directed identity, the OP generates a
> new, random OpenID for the user if the user has not been to the RP
> before, otherwise the OP will likely use the directed OpenID used by
> the user at this site in the past.
>
> 4) The OP signs the response including the directed identifier and
> sends it to the RP.
>
> 5) The RP does discovery on the identifier and confirms that the OP
> is authoritative for the identifier.
>
> Note that the OP will likely not provide the same identifier to other
> RPs, thus making it a directed identity per how Liberty and
> InfoCards refer to the term. :-)
>
> This is what Sxipper does when you choose to provide a private
> identifier to an OpenID site.
>
> -- Dick
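The five-step flow Dick lays out above, simulated end to end in Python as an added example (this is not code from the thread, from Sxipper, or from any OpenID library). Hosts (op.example, rp-a.example, rp-b.example), the in-memory OPS table standing in for XRDS/Yadis discovery, and the HMAC-SHA256 MAC key standing in for a negotiated association are all assumptions of the example. The RP sends identifier_select, the OP hands back a per-RP directed identifier that it caches so the same RP sees the same identifier next time, and the RP performs the step-5 check that discovery on the asserted identifier leads back to the OP endpoint that signed it.

```python
"""Simulated OpenID 2.0 directed-identity exchange (added example; not code from the thread).
Hypothetical hosts: op.example (the OP), rp-a.example and rp-b.example (two RPs)."""
import hmac
import hashlib
import secrets

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
SIGNED = ("op_endpoint", "claimed_id", "identity", "return_to", "response_nonce")

OPS = {}  # OP identifier -> OP object; stands in for XRDS/Yadis discovery


def discover(identifier):
    """Return the endpoint authoritative for an identifier (an OP identifier or a user URL)."""
    for op in OPS.values():
        if identifier == op.identifier or identifier.startswith(op.base):
            return op.endpoint
    return None


class OP:
    def __init__(self, identifier, endpoint, base):
        self.identifier, self.endpoint, self.base = identifier, endpoint, base
        self.mac_key = secrets.token_bytes(32)  # association MAC key shared with RPs (assumption)
        self.pairwise = {}                       # (user, realm) -> cached directed identifier
        OPS[identifier] = self

    def directed_identifier(self, user, realm):
        # Step 3: a fresh random identifier per (user, RP), reused on later visits to that RP.
        return self.pairwise.setdefault((user, realm), self.base + secrets.token_urlsafe(12))

    def sign(self, fields):
        msg = "\n".join(f"{k}:{fields[k]}" for k in SIGNED).encode()
        return hmac.new(self.mac_key, msg, hashlib.sha256).hexdigest()

    def authenticate(self, request, user, directed=True):
        # Steps 3-4: choose the identifier the user wants to present, then sign the response.
        if request["identity"] != IDENTIFIER_SELECT:
            raise ValueError("example only handles identifier_select requests")
        ident = self.directed_identifier(user, request["realm"]) if directed else self.base + user
        resp = {"op_endpoint": self.endpoint, "claimed_id": ident, "identity": ident,
                "return_to": request["return_to"], "response_nonce": secrets.token_hex(8)}
        resp["sig"] = self.sign(resp)
        return resp


class RP:
    def __init__(self, realm):
        self.realm = realm
        self.associations = {}  # op_endpoint -> MAC key from a prior association handshake
        self.seen_nonces = set()

    def associate(self, op):
        self.associations[op.endpoint] = op.mac_key  # stands in for the DH association exchange

    def start(self, op_identifier):
        # Steps 1-2: the user supplies only the OP identifier; the RP discovers the endpoint.
        endpoint = discover(op_identifier)
        if endpoint is None:
            raise ValueError("discovery failed")
        return {"op_endpoint": endpoint, "claimed_id": IDENTIFIER_SELECT,
                "identity": IDENTIFIER_SELECT, "realm": self.realm,
                "return_to": self.realm + "/openid/return"}

    def finish(self, resp):
        # Step 5 plus the usual response checks; returns the verified identifier.
        if not resp["return_to"].startswith(self.realm):
            raise ValueError("return_to outside realm")
        if resp["response_nonce"] in self.seen_nonces:
            raise ValueError("replayed response")
        key = self.associations.get(resp["op_endpoint"])
        if key is None:
            raise ValueError("no association with op_endpoint")
        msg = "\n".join(f"{k}:{resp[k]}" for k in SIGNED).encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, resp["sig"]):
            raise ValueError("bad signature")
        if discover(resp["claimed_id"]) != resp["op_endpoint"]:
            raise ValueError("OP is not authoritative for the asserted identifier")
        self.seen_nonces.add(resp["response_nonce"])
        return resp["claimed_id"]


def run_flow(rp, op, user, directed=True):
    """One complete login: RP request, OP assertion, RP verification."""
    req = rp.start(op.identifier)
    return rp.finish(op.authenticate(req, user, directed))


def demo():
    op = OP("https://op.example/", "https://op.example/server", "https://op.example/id/")
    rp_a, rp_b = RP("https://rp-a.example"), RP("https://rp-b.example")
    rp_a.associate(op)
    rp_b.associate(op)
    first = run_flow(rp_a, op, "alice")
    again = run_flow(rp_a, op, "alice")   # cached: same directed identifier at the same RP
    other = run_flow(rp_b, op, "alice")   # different RP: unlinkable directed identifier
    return first, again, other


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the point Dick makes about caching: rp-a gets the same random identifier on both visits, while rp-b gets a different one, so the two RPs cannot correlate the user by identifier alone. The authoritativeness check in finish() is what stops an OP from asserting an identifier that lives in another OP's namespace, which is why the RP must repeat discovery on the returned identifier rather than trust the signed response on its own.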