[OpenID] Google OpenID IDP is now live
Dick Hardt
dick.hardt at gmail.com
Thu Nov 6 17:19:04 UTC 2008
On 6-Nov-08, at 8:58 AM, Ben Laurie wrote:
> On Thu, Nov 6, 2008 at 4:44 PM, SitG Admin
> <sysadmin at shadowsinthegarden.com> wrote:
>>>>> Are you suggesting that Google would serve an opaque ID in the user's
>>>>> domain?
>>>>
>>>> sure, why not?
>>>
>>> Well, no particular problem serving one, but migrating it seems a bit
>>> more problematic.
>>
>> Migrating opaque (RP-unique) ID's is exactly the same process as for two
>> entirely different OpenID's: they can't be associated automatically, but the
>> user can authenticate to a RP with both of them in succession.
>
> That is not the migration in question: the migration is when the
> domain owner wants to change OPs.

Agreed.

Directed identities present more of a migration challenge. Would need
to be able to export the RP / identifier binding, which needs to be
secure as it otherwise defeats the advantages of directed identity
since they are all suddenly correlated!

If it is an opaque identifier (such as what Yahoo! does now) rather
than a directed identity, then migration is pretty easy. (Your comment
was about the ID being opaque, not directed.)

-- Dick
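
Added example, not part of the original message and not any OP's actual code: a sketch of why the RP / identifier binding export discussed above is sensitive. It assumes the OP derives identifiers with an HMAC over the user and RP realm; the secret, user names, domains and all function names are constructed for illustration.

```python
from __future__ import annotations
import hashlib
import hmac

# Constructed sample values; none of them come from the thread.
OP_SECRET = b"constructed-op-secret"
USER = "alice"
BASE = "https://id.example.org"  # identifiers live in the user's own domain
REALMS = ["https://shop.example/", "https://forum.example/"]


def directed_id(secret: bytes, user: str, realm: str) -> str:
    """Directed identity: a different identifier for every (user, RP) pair."""
    mac = hmac.new(secret, f"{user}\x00{realm}".encode(), hashlib.sha256)
    return f"{BASE}/{mac.hexdigest()[:24]}"


def opaque_id(secret: bytes, user: str) -> str:
    """Opaque identity: unreadable, but the same value at every RP."""
    mac = hmac.new(secret, user.encode(), hashlib.sha256)
    return f"{BASE}/{mac.hexdigest()[:24]}"


def export_bindings(secret: bytes, user: str, realms: list[str]) -> dict[str, str]:
    """The RP -> identifier table a new OP needs to keep asserting the same IDs."""
    return {realm: directed_id(secret, user, realm) for realm in realms}


def shared_identifiers(rp_records: dict[str, set[str]]) -> set[str]:
    """Identifiers that colluding RPs could match on using their own data only."""
    return set.intersection(*rp_records.values())


def linked_accounts(rp_records: dict[str, set[str]], export: dict[str, str]) -> list[str]:
    """Realms where the exported binding matches an identifier that RP has stored.

    Each match is the same person, so a leaked export correlates the accounts.
    """
    return sorted(r for r, ids in rp_records.items() if export.get(r) in ids)


if __name__ == "__main__":
    # Each RP has seen alice and an unrelated user, both via directed identities.
    records = {r: {directed_id(OP_SECRET, USER, r),
                   directed_id(OP_SECRET, "bob", r)} for r in REALMS}
    print("shared without export:", shared_identifiers(records))
    print("linked with export:   ",
          linked_accounts(records, export_bindings(OP_SECRET, USER, REALMS)))
```

With an opaque identifier the RPs already hold the same value, so the migration export is a single identifier and reveals nothing new; with directed identities the export is the only thing that joins the per-RP identifiers together.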