[OpenID] Problems with delegation and directed identity OPs

Deron Meranda deron.meranda at gmail.com
Thu Nov 6 18:16:06 UTC 2008


On Thu, Nov 6, 2008 at 12:51 PM, Peter Watkins <peterw at tux.org> wrote:
> With Yahoo!, have you tried setting the
> LocalID to "https://me.yahoo.com/a/3Uz4wakJ.....etc....."?

Yes, I figured that out, and it makes sense.

Of course, from an OP usability perspective, it's not exactly
straightforward for somebody to determine their actual Yahoo identity(-ies),
although it is possible.

And, just from curiosity, why are the randomly generated URIs
(both Google and Yahoo!) so long?  You certainly don't need anywhere
near that number of bytes to have a completely unguessable amount
of entropy.  But it certainly makes them practically non-human-readable
and impossible to type without using cut-n-paste.


> The per-RP business sounds a little tricky. You could dynamically generate
> your XRDS and populate the LocalID differently for each RP, if you're
> able to infer the RP identity from the IP address of the system attempting
> discovery. With Yahoo that'd be overkill. If you want to use Yahoo as
> an OP vouching for your own domain, you'd pick one Yahoo OpenID identifier
> and embed that in the XRDS -- and in that case, I believe the Yahoo OP
> will use that identifier rather than ask you to choose (but you could still
> use Yahoo to provide alternate URLs from time-to-time, even for the same
> RPs you use your normal Yahoo deron.meranda.us ID for, if you asked an RP
> to use https://me.yahoo.com instead of http://deron.meranda.us/). For Google,
> RP inference & dynamic XRDS generation might be necessary if Google refuses
> to return the same identity to different RPs. I haven't read their spec at
> all (I'm waiting til they open up the service such that I don't have to ask
> our general counsel to review any "agreement"), but can you not find the
> identity that Google uses for one RP, and use that instead of the
> /accounts/o8/id URL to get Google to use the same ID for different RPs?

Dynamic generation may be possible, but it really sounds like a
bad idea.

So, the current Google situation makes it almost impossible to use delegation!

First, there is no way for a user to even find out what their identity URIs
are, which I'm sure is complicated because they are RP realm specific.
But you can't even view a log of which identities have been used.
Even on the Google authentication page, it doesn't display the identity
that is about to be sent to the RP; unlike just about every other OP I've
used.

The biggest problem, I think, is that it is not possible for a Google user to
create their own additional "fixed" identities (even if still random).  Yahoo
for example not only generates a random identity (but not RP-specific), it
also lets you create additional identities and then lets you choose among
them when you authenticate.

If more OPs follow Google's lead on using RP-specific identities without
the ability to also have fixed identities, that's going to undermine the ability
to unify your identities using delegation if you choose to do so.


BTW, the wiki documentation <http://wiki.openid.net/Delegation>
really needs a rewrite; it is so out of date and incomplete.  I'd do it if I
were sure I really understood all the nuances.
-- 
Deron Meranda
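Added example (not code from the thread or from any OP): the two delegation mechanisms the message is about, a Yadis XRDS document with a fixed LocalID and the equivalent HTML `<link rel="openid2.*">` tags, plus the RP-side discovery and the assertion check that OpenID 2.0 requires. That check is what makes fixed OP-local identifiers matter: the RP must confirm that the `openid.op_endpoint` and `openid.identity` in a positive assertion are the ones discovered from the claimed identifier, otherwise any other user of the same OP could assert your URL; and if the OP hands out a different identifier per RP, a delegation page with one fixed LocalID can never pass it. The endpoint URL and the OP-local identifier below are constructed sample values, not real Yahoo or Google identifiers.

```python
"""OpenID 2.0 delegation: publish a delegation document and verify an assertion
against it. Added illustration; endpoint and identifier values are constructed."""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"

# Constructed sample values (assumptions, not the thread's real identifiers).
CLAIMED_ID = "http://deron.meranda.us/"
OP_ENDPOINT = "https://op.example.net/openid/auth"
FIXED_LOCAL_ID = "https://op.example.net/a/3Uz4wakJ-example"


def build_xrds(op_endpoint, local_id):
    """Yadis XRDS served at the claimed identifier. LocalID is the fixed
    OP-local identifier the OP will assert for the user."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">\n'
        "  <XRD>\n"
        '    <Service priority="0">\n'
        f"      <Type>{OPENID2_SIGNON}</Type>\n"
        f"      <URI>{op_endpoint}</URI>\n"
        f"      <LocalID>{local_id}</LocalID>\n"
        "    </Service>\n"
        "  </XRD>\n"
        "</xrds:XRDS>\n"
    )


def build_html(op_endpoint, local_id):
    """HTML-based discovery: the same delegation as <link> tags in the home page."""
    return (
        "<html><head>\n"
        f'<link rel="openid2.provider" href="{op_endpoint}">\n'
        f'<link rel="openid2.local_id" href="{local_id}">\n'
        "</head><body>home page</body></html>\n"
    )


def discover_xrds(doc):
    """Return (op_endpoint, local_id) from the first OpenID 2.0 signon Service."""
    root = ET.fromstring(doc.encode("utf-8") if isinstance(doc, str) else doc)
    for svc in root.iter("{%s}Service" % XRD_NS):
        types, uri, local_id = [], None, None
        for child in svc:  # iterate children directly; no XPath on the odd namespace
            if child.tag == "{%s}Type" % XRD_NS:
                types.append((child.text or "").strip())
            elif child.tag == "{%s}URI" % XRD_NS:
                uri = (child.text or "").strip()
            elif child.tag == "{%s}LocalID" % XRD_NS:
                local_id = (child.text or "").strip()
        if OPENID2_SIGNON in types and uri:
            return uri, local_id
    return None


class _LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        if a.get("rel") and a.get("href"):
            for rel in a["rel"].split():  # rel may carry several space-separated values
                self.links.setdefault(rel.lower(), a["href"])


def discover_html(doc):
    """Return (op_endpoint, local_id) from openid2.provider / openid2.local_id links."""
    p = _LinkParser()
    p.feed(doc)
    endpoint = p.links.get("openid2.provider")
    return None if endpoint is None else (endpoint, p.links.get("openid2.local_id"))


def verify_assertion(discovered, assertion):
    """RP-side check: the assertion's op_endpoint and identity must match what
    discovery on the claimed identifier produced. With no LocalID the identity
    must equal the claimed_id itself. (Signature verification is a separate step.)"""
    endpoint, local_id = discovered
    if assertion.get("openid.op_endpoint") != endpoint:
        return False
    expected = local_id if local_id is not None else assertion.get("openid.claimed_id")
    return assertion.get("openid.identity") == expected


if __name__ == "__main__":
    disc = discover_xrds(build_xrds(OP_ENDPOINT, FIXED_LOCAL_ID))
    ok = {"openid.op_endpoint": OP_ENDPOINT, "openid.claimed_id": CLAIMED_ID,
          "openid.identity": FIXED_LOCAL_ID}
    per_rp = dict(ok, **{"openid.identity": "https://op.example.net/a/other-for-this-RP"})
    print("fixed identifier:", verify_assertion(disc, ok))        # True
    print("per-RP identifier:", verify_assertion(disc, per_rp))   # False
```

The second call in the `__main__` block models the Google situation described above: the delegation page can only publish one LocalID, so an OP that asserts a different identifier per realm fails the RP's discovery comparison for every realm but the one that identifier was minted for.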


