[OpenID] query regarding OP migration
Peter Williams
pwilliams at rapattoni.com
Fri May 30 18:14:25 UTC 2008
If the user has established in his/her metadata that several OPs can speak for just one delegated OpenID, the RP has to account for this "feature" of the model in its programming. On any two runs of the protocol, an RP cannot assume the user's metadata has the same OPs or the same binding of delegate to OP. It must discover these facts and account for the current user requirements.
The usability of this regime is generally addressed in the consumer-grade RP by allowing the N OpenIDs (delegated or otherwise) of a single person to be account-linked to the RP sign-in account. Once signed in, non-normative processes are generally used by the user, allowing the user (as principal) to remove/clean up account-linking binding records.
I don't believe an RP is conforming if it allows its cache (or non-normative account-linking records) to override user-managed metadata. It would disarm the mandatory discovery security controls.
Let's remember that while it's common for a user's metadata to be managed by the user's OP (particularly in the OpenID 2 case applying YADIS), the security model does not assume this deployment practice. I was nicely able to use a third-party XRI server to control both OP selection and delegation handling to RPs, in trials conducted a few months ago.
_________________________
Peter Williams
From: Nate Klingenstein
Sent: Fri 5/30/2008 8:02 AM
To: Babu.N
Cc: general at openid.net
Subject: Re: [OpenID] query regarding OP migration
Babu,
The short answer: "yes, but." It is possible to address this use case with delegation. It's a good feature but may be too advanced for some users. It's certainly not standard practice. This Wiki article might help:
http://wiki.openid.net/Delegation
Remember that this needs to be part of the initial setup. This is because once the RP has cached an identifier associated with an account, it's difficult to reconfigure that link. That OpenID is your login. How do you prove that a different OpenID is the correct new identifier? Unless your old, unloved provider is willing to help, manual reconciliation is the only way, in many cases, and that's a really expensive and difficult process.
Take care,
Nate.
On 30 May 2008, at 13:52, Babu.N wrote:
Hi,
As I understand, OpenID allows a digital identity to be created at an
OP & lets it be used at multiple sites. After creating the digital
identity & using it at some websites, suppose the user doesn't like the OP
for service reasons (say frequent downtime, prone to compromises,
etc.). Does OpenID technology allow the user to migrate from this OP
to another, yet retaining the same identity (remember this is already
used by him in registering at some websites..)? If not, should this
not be supported going forward?
Thanks,
Babu
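The mechanism the thread is discussing (delegation set up in the user's own metadata, and an RP that re-runs discovery on every login instead of trusting a cached OP binding) is easier to see in code. The block below is an added illustration, not code from the thread or from any OpenID library: it implements OpenID 2.0/1.1 HTML-based discovery of the openid2.provider/openid2.local_id (or openid.server/openid.delegate) link tags, the OpenID 2.0 RP check that a positive assertion's op_endpoint, claimed_id and identity match what this run's discovery produced, and a two-run scenario in which the user keeps the same claimed identifier while moving to a new OP. All URLs, pages and the helper names (discover_html, assertion_matches_discovery, migration_demo) are constructed for the example.

```python
"""Added example (not from the thread): OpenID 2.0/1.1 HTML-based discovery
on the RP side, plus the check that ties a positive assertion back to what
discovery found.  All identifiers, pages and helper names are constructed."""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, Optional


@dataclass(frozen=True)
class Discovery:
    claimed_id: str    # identifier the user typed; stays the same across OPs
    op_endpoint: str   # OP endpoint URL the RP redirects the user to
    op_local_id: str   # identifier the OP knows the user by (the delegate)
    version: str       # "2.0" or "1.1"


class _LinkCollector(HTMLParser):
    """Collect rel -> href from <link> tags in <head> (first value wins)."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head:
            a = dict(attrs)
            rel, href = a.get("rel"), a.get("href")
            if rel and href:
                for r in rel.lower().split():   # rel may list several values
                    self.links.setdefault(r, href)

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover_html(claimed_id: str, page: str) -> Optional[Discovery]:
    """Run HTML discovery on the document served at claimed_id.
    OpenID 2.0 markup is preferred over 1.1 markup when both are present."""
    p = _LinkCollector()
    p.feed(page)
    p.close()
    links = p.links
    if "openid2.provider" in links:                  # OpenID 2.0 markup
        return Discovery(claimed_id, links["openid2.provider"],
                         links.get("openid2.local_id", claimed_id), "2.0")
    if "openid.server" in links:                     # OpenID 1.1 markup
        return Discovery(claimed_id, links["openid.server"],
                         links.get("openid.delegate", claimed_id), "1.1")
    return None


def assertion_matches_discovery(d: Discovery, fields: Dict[str, str]) -> bool:
    """OpenID 2.0 RP check: the positive assertion's op_endpoint, claimed_id
    and identity must equal what THIS run's discovery produced.  A cached
    binding or an account-linking record plays no part in this comparison."""
    return (fields.get("openid.op_endpoint") == d.op_endpoint
            and fields.get("openid.claimed_id") == d.claimed_id
            and fields.get("openid.identity") == d.op_local_id)


# Constructed sample: Alice keeps https://alice.example.net/ and changes OP
# by editing the link tags on the page she controls.
CLAIMED = "https://alice.example.net/"
PAGE_BEFORE = """<html><head>
<link rel="openid2.provider" href="https://old-op.example.com/server">
<link rel="openid2.local_id" href="https://old-op.example.com/alice">
</head><body>alice</body></html>"""
PAGE_AFTER = """<html><head>
<link rel="openid2.provider openid.server" href="https://new-op.example.org/auth">
<link rel="openid2.local_id openid.delegate" href="https://new-op.example.org/u/alice">
</head><body>alice</body></html>"""


def migration_demo() -> Dict[str, bool]:
    """Two protocol runs; the RP discovers afresh on each one."""
    run1 = discover_html(CLAIMED, PAGE_BEFORE)
    cached = run1                      # what a naive RP would keep around
    run2 = discover_html(CLAIMED, PAGE_AFTER)
    # a genuine positive assertion from the new OP after the migration
    resp = {"openid.op_endpoint": "https://new-op.example.org/auth",
            "openid.claimed_id": CLAIMED,
            "openid.identity": "https://new-op.example.org/u/alice"}
    return {
        "same_claimed_id": run1.claimed_id == run2.claimed_id,
        "op_changed": run1.op_endpoint != run2.op_endpoint,
        "fresh_discovery_accepts": assertion_matches_discovery(run2, resp),
        "stale_cache_rejects": not assertion_matches_discovery(cached, resp),
    }


if __name__ == "__main__":
    print(migration_demo())
```

The last two flags are the point of the thread: because the RP keys the account on the claimed identifier and re-discovers on every run, a login after the move verifies against the new OP with no help from the old one, whereas an RP that compared the assertion against its cached binding would either reject the legitimate login or, worse, skip the discovery check altogether.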