[OpenID] Dare to Trust OpenID

Dick Hardt dick at sxip.com
Fri Mar 7 08:08:45 UTC 2008


To clarify

You can either enter your OP or your OpenID. (in prior art in SXIP /  
DIX we had the user entering their OP)

Providing an RP your OP instead of your OpenID provides a number of  
benefits:

1) privacy, the RP does not know which OpenID you want to be until it  
gets the response back from the OP -- and also gives the OP a chance  
to ask the user "are you sure you want to login to a site known to be  
a phishing site?" etc...

2) convenience for managing multiple OpenIDs. The OP can remember  
which OpenID you used at which site and make that be the default one  
to provide to that site.

3) The OP can make an identifier on the fly or use a directed  
identifier for that specific RP and send that to the RP. Site specific  
identifiers or directed identifiers are inconvenient for users to  
manage directly, but easy for an OP to manage (see Sxipper !!! :-)

-- Dick


On 6-Mar-08, at 11:54 PM, Drummond Reed wrote:

> Prabath,
>
> What they are referring to is the feature called "OP Identifier" in  
> the 2.0
> spec. See section "7.3.2.1.1. OP Identifier Element" and also search  
> for the
> other references to "OP Identifier".
>
> The spec unfortunately doesn't really explain much about the  
> intended use
> of this option, but in the OpenID community this feature is often  
> called
> "directed identity" (after Kim Cameron's Fourth Law of Identity),  
> and it
> simply means you can login with the identifier of your OP rather  
> than your
> own OpenID identifier.
>
> Yahoo chose to implement OpenID that way (at least for the present)  
> and is
> promoting the idea that websites just stick a "Login with Yahoo" on  
> their
> login page that will send the login request to yahoo.com. Yahoo will  
> then
> generate a unique OpenID identifier as the user's Claimed Identifier.
>
> =Drummond
>
>> -----Original Message-----
>> From: general-bounces at openid.net [mailto:general- 
>> bounces at openid.net] On
>> Behalf Of Prabath Siriwardena
>> Sent: Thursday, March 06, 2008 10:47 PM
>> To: general at openid.net
>> Subject: [OpenID] Dare to Trust OpenID
>>
>> Quoted from [1]:
>>
>> "Instead of asking you for your log-in, a site could ask you for your
>> OpenID, which takes the form of a URL, such as
>> myname.openid-provider.net. In fact, with the newer 2.0 version of
>> OpenID, you may just have to provide the domain, such as yahoo.com
>> (yes, Yahoo supports such usage for its members)."
>>
>> I could not find a section in OpenID Authentication 2.0 spec, which
>> has a reference to the statement "with the newer 2.0 version of
>> OpenID, you may just have to provide the domain".
>>
>> Any thoughts? [ have I misread it?]
>>
>>
>> Thanks & regards.
>> - Prabath
>>
>> [1]: http://www.eweek.com/c/a/Security/Dare-to-Trust-OpenID/
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>
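The OP Identifier flow the thread describes, as an added worked example that is not code from the thread, from Sxip/Sxipper, or from Yahoo's implementation. The two URI constants (the 2.0 namespace and the identifier_select value the RP sends in openid.claimed_id and openid.identity when the user typed only an OP Identifier) are the spec's; everything else is assumed for illustration: the OP and RP host names, the per-user secret key, the HMAC construction used to derive a stable per-realm directed identifier (Dick's point 3), the realm -> identifier memory (point 2), and the simplified realm check (no "*." wildcard support). Association, nonce and signature fields of the positive assertion are left out.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlparse

# Constants from OpenID Authentication 2.0 (these two values are the spec's).
OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def rp_build_checkid_request(op_endpoint, realm, return_to):
    """RP side. The user typed an OP Identifier (e.g. just 'yahoo.com'), so the
    RP does not yet know which OpenID it will get. Per the 2.0 spec it sets both
    openid.claimed_id and openid.identity to identifier_select and lets the OP
    choose. op_endpoint is assumed to come from discovery on the OP Identifier."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.realm": realm,
        "openid.return_to": return_to,
    }
    return op_endpoint + "?" + urlencode(params)


def directed_identifier(op_base, user_key, local_name, realm):
    """OP side, assumed scheme (not Yahoo's or anyone's real one): derive a
    stable per-RP identifier from a per-user secret key, the user's local
    account name and the RP realm. Two RPs therefore see unrelated
    identifiers for the same user, and neither can recompute the other's."""
    mac = hmac.new(user_key, f"{local_name}\n{realm}".encode(), hashlib.sha256)
    return f"{op_base}/id/{mac.hexdigest()[:32]}"


def return_to_within_realm(realm, return_to):
    """Simplified version of the spec's realm check (no '*.' wildcard support):
    return_to must live under the realm the user is asked to trust, otherwise
    the assertion could be steered to a different site than the one shown."""
    r, t = urlparse(realm), urlparse(return_to)
    return (r.scheme, r.netloc) == (t.scheme, t.netloc) and t.path.startswith(r.path or "/")


def op_handle_checkid(request_url, op_base, op_endpoint, user_key, local_name, memory):
    """OP side. Parse the RP's request; if the RP sent identifier_select, pick an
    identifier for this realm and remember it in `memory` (realm -> identifier)
    so the same site gets the same identifier next time. Returns the positive
    assertion fields; assoc_handle, response_nonce, signed and sig are omitted."""
    q = parse_qs(urlparse(request_url).query)
    return_to = q["openid.return_to"][0]
    realm = q.get("openid.realm", [return_to])[0]  # realm defaults to return_to
    if not return_to_within_realm(realm, return_to):
        return {"openid.ns": OPENID_NS, "openid.mode": "cancel"}
    if q["openid.identity"][0] == IDENTIFIER_SELECT:
        ident = memory.get(realm)
        if ident is None:
            ident = directed_identifier(op_base, user_key, local_name, realm)
            memory[realm] = ident
    else:
        ident = q["openid.identity"][0]  # the user typed a specific OpenID
    return {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": ident,
        "openid.identity": ident,
        "openid.return_to": return_to,
    }


def demo():
    """Constructed walk-through: one user, two RPs, two visits to the first."""
    op_base, op_endpoint = "https://op.example", "https://op.example/server"
    user_key = b"per-user-secret-generated-at-signup"  # constructed sample key
    memory = {}
    rp1 = rp_build_checkid_request(op_endpoint, "https://shop.example/", "https://shop.example/openid/return")
    rp2 = rp_build_checkid_request(op_endpoint, "https://forum.example/", "https://forum.example/cb")
    a1 = op_handle_checkid(rp1, op_base, op_endpoint, user_key, "alice", memory)
    a2 = op_handle_checkid(rp2, op_base, op_endpoint, user_key, "alice", memory)
    a1_again = op_handle_checkid(rp1, op_base, op_endpoint, user_key, "alice", memory)
    return a1, a2, a1_again


if __name__ == "__main__":
    a1, a2, a1_again = demo()
    print("shop  :", a1["openid.claimed_id"])
    print("forum :", a2["openid.claimed_id"])
    print("stable:", a1["openid.claimed_id"] == a1_again["openid.claimed_id"])
```

Running it shows the two properties the thread is arguing for: the shop and the forum receive different claimed identifiers for the same account, so they cannot correlate the user, while a second visit to the shop yields the identifier it saw before. The RP still has to verify the assertion it gets back (signature, nonce, and that openid.op_endpoint matches what discovery on the OP Identifier produced); none of that is shown here.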



