[OpenID] query regarding OP migration
Nate Klingenstein
ndk at internet2.edu
Fri May 30 20:27:40 UTC 2008
Babu,
> When such features get included, maybe we should call it
> "OpenProfile" (as it contains more details than just ID :) ).
I think of identity as including all kinds of things about someone.
The term you're probably thinking of is identifier. The "ID" is a
bit ambiguous as to which it refers to. :D
> Now assuming OpenID has these too in its roadmap, what does it
> mean to the end user when he switches from one OP to another (say using
> the delegation feature)? He loses all the details that he has
> been maintaining at the earlier OP. This is undesirable.
There's a second half: your details maintained at the earlier OP are
still controlled by that OP unless you contact the RP to have them
removed. I don't think there's any way in the OpenID protocols to do
deregistration.
> I believe that "digital identity" problem should have been solved
> in this fashion:
> 1. Let there be some central digitalID server to issue a
> digital identity, which is not attached to any URL (say I go to this
> server, register myself & ask for a digital identity "babu_n"). And
> in this same server, I would also associate my digital identity
> with "OP details".
> 2. I would select an OP & register with the OP. Provide my
> digital id here & associate my digital ID with "my details" (like
> password, personal/professional details, etc.). It should be
> mandated how OPs should store "my details".
> 3. I go to some OpenID enabled website & provide my id as
> "babu_n". Here the OpenID enabled website now contacts the "central
> digitalID server" & gets the OP details of the user (here
> "babu_n"). After that it allows the user to get authenticated via OP.
Replace "central digitalID server" with "DNS hierarchy administered
by ICANN" and your dream is basically today's reality. There's just
no trust fabric, which is something I'd like to see added as an
optional layer for applications that care.
> It should be mandated that OPs store user details in some standard
> format. And when user likes to migrate, the OP should let these
> details be exported. The details exported this way may be used by
> the user in importing at his new OP.
Data portability is certainly not part of today's dream. I'd like to
see it happen too, but there are all kinds of disincentives that are
likely to hinder its rapid or complete adoption. Here are two major
fun problems to solve:
(1) To whom should an OP be willing to export details, and when?
(2) If a user is phished and the attacker migrates their OpenID to
another OP, how do you get control of linked accounts back?
Take care,
Nate.
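The "delegation feature" and the OP-migration risk in problem (2) above, as an added example that is not part of this thread: an RP-side discovery routine that reads the OpenID delegation link tags from a claimed identifier page and flags when that identifier now points at a different OP than the one last recorded. The identifier URL, OP hostnames and HTML pages are constructed for the example.

```python
from html.parser import HTMLParser


class OpenIDLinkParser(HTMLParser):
    """Collects <link rel=... href=...> tags from an OpenID identifier page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attr = dict(attrs)
        rel, href = attr.get("rel"), attr.get("href")
        if rel and href:
            for r in rel.lower().split():  # rel may list several tokens
                self.links.setdefault(r, href)  # first occurrence wins


def discover(page_html):
    """Return (op_endpoint, local_id), preferring OpenID 2.0 tags over 1.x ones."""
    parser = OpenIDLinkParser()
    parser.feed(page_html)
    links = parser.links
    endpoint = links.get("openid2.provider") or links.get("openid.server")
    local_id = links.get("openid2.local_id") or links.get("openid.delegate")
    return endpoint, local_id


def check_op_change(claimed_id, page_html, known_endpoints):
    """RP-side check: has this claimed identifier switched to a different OP?
    known_endpoints maps claimed identifier -> OP endpoint seen on the last login.
    """
    endpoint, local_id = discover(page_html)
    if endpoint is None:
        raise ValueError("no OpenID delegation tags found on identifier page")
    previous = known_endpoints.get(claimed_id)
    changed = previous is not None and previous != endpoint
    known_endpoints[claimed_id] = endpoint
    return {"endpoint": endpoint, "local_id": local_id, "op_changed": changed}


# Constructed sample: the identifier page before and after the user moves OP.
PAGE_BEFORE = """<html><head>
<link rel="openid2.provider" href="https://op-old.example/server">
<link rel="openid2.local_id" href="https://op-old.example/u/babu_n">
</head></html>"""
PAGE_AFTER = PAGE_BEFORE.replace("op-old", "op-new")

if __name__ == "__main__":
    seen = {}
    print(check_op_change("http://babu-n.example/", PAGE_BEFORE, seen))
    print(check_op_change("http://babu-n.example/", PAGE_AFTER, seen))
```

An `op_changed` result is a signal to step up verification (or notify the account owner) before treating the login as the same user, since a delegate page rewritten by whoever phished the identifier looks identical to a legitimate migration.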