[OpenID] OpenID Identity Consolidation
Steven Livingstone-Perez
weblivz at hotmail.com
Sun Nov 2 10:34:37 UTC 2008
Just so I can say I wrote it down ...

Say (as I mentioned in a previous post) that an OpenID is not *quite* as
tied to a single provider as it currently is. You enter an OpenID and the RP
library can then do a lookup of OpenID domains that have maybe gone out of
business... a blacklist I guess. The RP code also has a mapping file that
can tell the code one or more alternative OpenID domains where the user
accounts have been migrated to (so, it used to be at domain.com but can now
be found at domain.com - perhaps some standard OpenID equivalent to PoCo
allowed the entire OpenID profile to be migrated).

In the same manner, if a query against an OP is down or times out... you use
the same mapping file to see where a backup of that profile can be found
(again some equivalent to PoCo could have been used to synchronize).

In this case there is no *absolute* OpenID for a user - they are all
equivalent and the resolution is pretty much based on what server is
available at time of authentication.

In short, it means I could have my OpenID openid.livz.org but if my site is
down I can log into weblivz at gmail.com (and perhaps the claimed identifier
could still be openid.livz.org).

Doing this would mean nothing breaks in the existing mechanisms - just a
matter of extending support and providing some standard way of synching
OpenID accounts (and many seem to think the equivalent kind of thing will be
needed for data in cloud computing anyway).

steven
http://livz.org
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Chris Messina
Sent: 02 November 2008 10:03
To: Nate Klingenstein
Cc: Martin Atkins; OpenID List
Subject: [OpenID] OpenID Identity Consolidation (Was: Re: OpenID based on
email addresses... Just Works!)
This is where Portable Contacts comes in, since we already accommodate
sending other known identifiers for a person.
I can't say whether it's wise to separate OpenID identifiers from
others, though, and I also don't know how well RPs will trust data
provided either via AX or PoCo (i.e. if a list of OpenIDs is provided,
will/should an RP take for granted that the list is a valid list of
verified identifiers?).
In any case, making identity consolidation/fallback account
association easier or more automatic is certainly a good idea and a best
practice that should be better defined. I've started documenting these
ideas here:
https://openid.pbwiki.com/Fallback-account-access
Chris
On Sun, Nov 2, 2008 at 12:10 PM, Nate Klingenstein <ndk at internet2.edu> wrote:
> Shibboleth treats identifiers as attributes today, and I think it's worked
> out well for deployments. I'd definitely support your proposed approach for
> OpenID as well.
>
> On 2 Nov 2008, at 01:48, Andrew Arnott wrote:
>
> Why not use the AX extension to supply the extra identifiers? AX supports
> multiple values for a single parameter type URI, so we could have something
> like http://axschema.org/identifier/openid and the OP could send down all
> the other Identifiers the user controls.
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
--
Chris Messina
Citizen-Participant &
Open Technology Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is: [ ] bloggable [X] ask first [ ] private
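
An added sketch, not part of either message and not code from any OpenID library, of the RP-side lookup described in the first message (defunct-provider list, mapping file, fallback when an OP is down), combined with the trust question raised in the quoted reply: identifiers an OP asserts are added to the mapping only if the user has already authenticated with them at this RP. Apart from openid.livz.org, every host, function name and data value is constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data; the .example hosts are placeholders.
DEFUNCT_DOMAINS = {"closed-op.example"}
MAPPING = {  # claimed identifier -> equivalent identifiers, kept by the RP
    "https://closed-op.example/steven": ["https://new-op.example/steven"],
    "https://openid.livz.org/": ["https://backup-op.example/weblivz"],
}


def accept_links(claimed, asserted, verified_here):
    """Split OP-asserted identifiers (e.g. received via AX or PoCo).

    trusted: the user has already authenticated with them at this RP,
             so they may be added to the mapping for `claimed`.
    pending: merely asserted; not usable for fallback until verified.
    """
    others = [i for i in asserted if i != claimed]
    trusted = [i for i in others if i in verified_here]
    pending = [i for i in others if i not in verified_here]
    return trusted, pending


def resolve(claimed, is_up, mapping=MAPPING, defunct=DEFUNCT_DOMAINS):
    """Return (account_key, identifier_to_authenticate_against).

    The account key is always the claimed identifier, so a fallback
    login lands in the same local account.
    """
    for candidate in [claimed] + mapping.get(claimed, []):
        if urlsplit(candidate).hostname in defunct:
            continue              # provider is on the defunct list
        if is_up(candidate):      # caller supplies the reachability probe
            return claimed, candidate
    return claimed, None          # nothing reachable: fail closed


if __name__ == "__main__":
    # Simulate the primary site being down and only the backup answering.
    print(resolve("https://openid.livz.org/", lambda u: "backup-op" in u))
```
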