[OpenID] [LIKELY_SPAM]Re: Problems with delegation and directed identity OPs
Martin Atkins
mart at degeneration.co.uk
Thu Nov 6 20:40:26 UTC 2008
To be clear, there's no reason at all why you can't use delegation with
any compliant OpenID RP, whether they support directed identity or not.
The important thing is that the openid2.local_id value *must* be an
OpenID identifier, *not* an OP identifier. (that is, you can't delegate
to bare "yahoo.com".)
However, there are two cases where delegation and directed identity
interact in a sub-optimal way:
* If you have an OP like Yahoo! that ignores the identifier in the
requests and treats all requests as directed identity, and the response
from the OP ends up having a different identifier than what's in
openid2.local_id, then the RP will fail out with a crazy error because
the delegation verification fails.
* If you have an OP that issues different identifiers to each unique
openid.realm value, you may run into trouble with delegation since
you'll have to choose one identifier to use as openid2.local_id.
However, such a provider would ideally allow you to *explicitly*
authenticate with any identifier you own regardless of RP if you don't
make a directed identity request. I've not verified whether this is true
of Google.
Peter Williams wrote:
> This is beginning to sound like EAP/802.1x and cisco, where every vendor now does their own profile (which works with nobody else's supplicants/authenticators).
>
> I just don't like directed, I don't do it. Tough UCI user!
> I just don't like delegation, I don't do it. Tough UCI user!
> I just don't like delegation with directed, I don't do it. Tough UCI user!
>
> In that culture in general, the average SP working with the average user...cannot work with 1 IDP the way it works with another use yesterday (e.g. myopenid) - undermining UCI therefore. Sites HAVE to be tuned for the IDP in question.
>
> What a shame! OpenID had SO MUCH potential to do better than idp-centric federation networks.
>
> or, we create a conformance/interoperability forum, like WIFI, to stop the mess before it undermines public confidence in end-end **interoperability** of ALL the major modes of interworking defined in the OpenID2 spec.
>
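As an added example (not code from this thread), here is the RP-side delegation verification step Martin refers to, with constructed sample discovery HTML and assertion parameters for a hypothetical OP at op.example.net; the second assertion models the directed-identity mismatch case he describes:

```python
from html.parser import HTMLParser

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

class _LinkRelParser(HTMLParser):
    """Collect rel -> href for the <link> tags of a claimed-identifier page."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        if a.get("rel") and a.get("href"):
            for rel in a["rel"].split():
                self.links.setdefault(rel.lower(), a["href"])

def discover_delegation(claimed_id, html):
    """HTML-based discovery: return (op_endpoint, local_id). Without an
    openid2.local_id link the OP-local identifier is the claimed id itself."""
    p = _LinkRelParser()
    p.feed(html)
    return p.links.get("openid2.provider"), p.links.get("openid2.local_id", claimed_id)

def verify_assertion(claimed_id, html, response):
    """RP-side check on a positive assertion: the endpoint and OP-local identifier
    found by discovery on claimed_id must match what the OP asserted."""
    endpoint, local_id = discover_delegation(claimed_id, html)
    if endpoint is None:
        return False, "no openid2.provider link on claimed identifier page"
    if response.get("openid.op_endpoint") != endpoint:
        return False, "assertion came from an endpoint discovery did not yield"
    identity = response.get("openid.identity")
    if identity is None or identity == IDENTIFIER_SELECT:
        return False, "assertion carries no concrete OP-local identifier"
    if identity != local_id:
        # The failure mode from the thread: the OP ignored the requested identity
        # and asserted a directed-identity one, so delegation verification fails.
        return False, f"delegation mismatch: asserted {identity}, expected {local_id}"
    return True, "ok"

# Constructed sample: alice.example delegates to the hypothetical OP.
SAMPLE_HTML = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid2.local_id" href="https://op.example.net/id/alice">
</head><body>alice</body></html>"""
GOOD = {"openid.op_endpoint": "https://op.example.net/server",
        "openid.claimed_id": "https://alice.example/",
        "openid.identity": "https://op.example.net/id/alice"}
# Same OP, but it treated the request as directed identity (constructed).
DIRECTED = dict(GOOD, **{"openid.identity": "https://op.example.net/id/x9q2"})
```

A full RP would additionally check openid.claimed_id and the signature; this block isolates only the local_id comparison that the mismatch breaks.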