[OpenID] query regarding OP migration
Babu N
babun at intoto.com
Sat May 31 06:21:46 UTC 2008
Hi Nate,
Please see inline..
On Sat, May 31, 2008 at 1:57 AM, Nate Klingenstein <ndk at internet2.edu>
wrote:
> Babu,
>
> When such features get included, maybe we should call it "OpenProfile"
>> (as it contains more details than just ID :) ).
>>
>
> I think of identity as including all kinds of things about someone. The
> term you're probably thinking of is identifier. The "ID" is a bit ambiguous
> as to which it refers to. :D
>
Babu> Okay. Agreed :)
>
> Now assuming OpenID has these too in its roadmap, what does it mean to an
>> end user when he switches from one OP to another (say using the delegation
>> feature)? He loses all the details that he has been maintaining at the
>> earlier OP. This is undesirable.
>>
>
> There's a second half: your details maintained at the earlier OP are still
> controlled by that OP unless you contact the RP to have them removed. I
> don't think there's any way in the OpenID protocols to do deregistration.
>
Babu> Migration and de-registration should be functions that are expected
from an OP. So a user will choose only those OPs which abide by the
standards.
As Shade was mentioning, such de-registration is not possible when the OP
server is compromised. But this is an issue even with other functions (not
just de-registration) and with the OP-specific digital identities supported
by OpenID today.
So this issue doesn't hinder us from supporting global digital identity,
selection of an OP based on some central digital identity server, and data
migration across OPs.
>
> I believe that "digital identity" problem should have been solved in this
>> fashion:
>> 1. Let there be some central digitalID server to issue a digital
>> identity, which is not attached to any URL (say I go this server, register
>> myself & ask for a digital identity "babu_n"). And in this same server, I
>> would also associate my digital identity with "OP details".
>> 2. I would select an OP & register with OP. Provide my digital id
>> here & associate my digital ID with "my details" (like password,
>> personal/profession details, etc etc..). It should be mandated how OPs
>> should store "my details".
>> 3. I go to some OpenID-enabled website & provide my ID as "babu_n".
>> Here the OpenID-enabled website now contacts the "central digitalID server"
>> & gets the OP details of the user (here "babu_n"). After that it allows the
>> user to get authenticated via the OP.
>>
>
> Replace "central digitalID server" with "DNS hierarchy administered by
> ICANN" and your dream is basically today's reality. There's just no trust
> fabric, which is something I'd like to see added as an optional layer for
> applications that care.
>
Babu> The problem with today's reality is that my "digital identity" is lost
if the OP shuts down its services or I would like to migrate. But in the
case of DNS, the registered domain name remains forever. So that's what a
user expects from a digital identity solution like OpenID.
>
> It should be mandated that OPs store user details in some standard format.
>> And when user likes to migrate, the OP should let these details be exported.
>> The details exported this way may be used by the user in importing at his
>> new OP.
>>
>
> Data portability is certainly not part of today's dream. I'd like to see
> it happen too, but there are all kinds of disincentives that are likely to
> hinder its rapid or complete adoption. Here are two major fun problems to
> solve:
>
> (1) To whom should an OP be willing to export details, and when?
Babu> To whichever place the end user asks the OP to send them (say to his
desktop, to some other place/server on the internet, ...), and whenever
requested by the end user. The details should be exported in a standard
format. Using this feature, a user might take a backup now and then, or may
have some automated way of taking backups to some other place on the
internet. These details can be worked out anyway, if we believe that data
portability should be one of the goals of OpenID.
>
> (2) If a user is phished and the attacker migrates their OpenID to another
> OP, how do you get control of linked accounts back?
>
Babu> Even with today's OP-specific digital identities, we have the phishing
issue. What does a user do if he is phished? After this, if the attacker
changes the password, does the user not lose all the website accounts at
which this OP-specific digital identity was used?
So, again, I don't see phishing as a hindrance to "supporting global digital
identity, selection of an OP based on some central digital identity server,
and data migration across OPs".
Thanks,
Babu
>
> Take care,
> Nate.
>
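The "delegation feature" Babu refers to, and Nate's remark that DNS already plays the role of the "central digitalID server", both come down to OpenID's HTML-based discovery: the user's own URL carries two `<link>` elements that name the OP endpoint and the OP-local identifier, so moving to a new OP means editing those two links while the claimed identifier stays the same. The following is an added example, not code from the thread or from any OpenID library; the identity pages, hostnames (`babu.example`, `op-old.example`, `op-new.example`) and local identifiers are constructed for illustration. It parses the OpenID 2.0 (`openid2.provider` / `openid2.local_id`) and OpenID 1.1 (`openid.server` / `openid.delegate`) link relations and builds the `checkid_setup` parameters an RP would send, showing what does and does not change across an OP migration.

```python
from html.parser import HTMLParser

# Constructed sample identity pages (not from the thread): the user's own URL
# https://babu.example/ first delegates to one OP, then to another.
ID_PAGE_OLD_OP = """<html><head>
<link rel="openid2.provider" href="https://op-old.example/server">
<link rel="openid2.local_id" href="https://op-old.example/u/babu_n">
</head><body>babu's page</body></html>"""

ID_PAGE_NEW_OP = """<html><head>
<link rel="openid2.provider" href="https://op-new.example/endpoint">
<link rel="openid2.local_id" href="https://op-new.example/id/babu">
</head><body>babu's page</body></html>"""

# The OpenID 1.1 spelling of the same two links.
ID_PAGE_1_1 = """<html><head>
<link rel="openid.server" href="https://op-old.example/server">
<link rel="openid.delegate" href="https://op-old.example/u/babu_n">
</head><body></body></html>"""


class _LinkCollector(HTMLParser):
    """Collect rel/href pairs from <link> elements inside <head>."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (set of rel tokens, href)
        self.in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_head = False   # links after <body> starts must be ignored
            return
        if tag != "link" or not self.in_head:
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            self.links.append((set(rel.lower().split()), href))


def discover(html):
    """HTML-based OpenID discovery over an identity page.

    Returns (version, provider_endpoint, local_id_or_None), preferring the
    OpenID 2.0 link relations over the 1.1 ones, or None if neither is present.
    The first matching <link> wins, as the specs require.
    """
    collector = _LinkCollector()
    collector.feed(html)
    found = {}
    for rels, href in collector.links:
        for rel in rels:
            found.setdefault(rel, href)
    if "openid2.provider" in found:
        return ("2.0", found["openid2.provider"], found.get("openid2.local_id"))
    if "openid.server" in found:
        return ("1.1", found["openid.server"], found.get("openid.delegate"))
    return None


def auth_request(claimed_id, html):
    """Build the checkid_setup parameters an RP would send to the discovered OP.

    The claimed identifier is the user's own URL; openid.identity is the
    OP-local identifier from the delegate link (or the claimed id itself when
    there is no delegation). Only the endpoint and openid.identity change
    when the user moves to another OP.
    """
    result = discover(html)
    if result is None:
        raise ValueError("identity page declares no OpenID provider")
    version, endpoint, local_id = result
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": local_id or claimed_id,
    }
    if version == "2.0":
        params["openid.ns"] = "http://specs.openid.net/auth/2.0"
        params["openid.claimed_id"] = claimed_id
    return endpoint, params


if __name__ == "__main__":
    for page in (ID_PAGE_OLD_OP, ID_PAGE_NEW_OP):
        print(auth_request("https://babu.example/", page))
```

Two caveats for anyone relying on this in practice: an OpenID 2.0 RP tries Yadis/XRDS discovery on the claimed URL before falling back to these HTML links, and the only thing binding `https://babu.example/` to a given OP is control of that page (the domain registration, the hosting and the TLS certificate). That is exactly the "no trust fabric" Nate describes, and it also answers his phishing question in the negative: whoever can edit the identity page can repoint every linked account to an OP of their choosing.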