[OpenID] Google OpenID IDP is now live

Ben Laurie benl at google.com
Thu Nov 6 18:38:05 UTC 2008


On Thu, Nov 6, 2008 at 5:19 PM, Dick Hardt <dick.hardt at gmail.com> wrote:
>
> On 6-Nov-08, at 8:58 AM, Ben Laurie wrote:
>
>> On Thu, Nov 6, 2008 at 4:44 PM, SitG Admin
>> <sysadmin at shadowsinthegarden.com> wrote:
>>>>>>
>>>>>> Are you suggesting that Google would serve an opaque ID in the user's
>>>>>> domain?
>>>>>
>>>>> sure, why not?
>>>>
>>>> Well, no particular problem serving one, but migrating it seems a bit
>>>> more problematic.
>>>
>>> Migrating opaque (RP-unique) IDs is exactly the same process as for two
>>> entirely different OpenIDs: they can't be associated automatically, but
>>> the user can authenticate to an RP with both of them in succession.
>>
>> That is not the migration in question: the migration is when the
>> domain owner wants to change OPs.
>
> Agreed.
>
> Directed identities present more of a migration challenge. Would need to be
> able to export the RP / identifier binding, which needs to be secure as it
> otherwise defeats the advantages of directed identity since they are all
> suddenly correlated!
>
> If it is an opaque identifier (such as what Yahoo! does now) rather than a
> directed identity, then migration is pretty easy. (Your comment was the ID
> being opaque, not directed.)

Apologies. We believe in directed IDs.


