[OpenID] [LIKELY_SPAM]Re: FW: general Digest, Vol 26, Issue 57

Peter Williams pwilliams at rapattoni.com
Tue Oct 21 23:05:21 UTC 2008


I have not done this level of low-level fiddling for a while (when I added openid1 metadata tags to the template of some blog site, and later made an OpenID2 XRDS file stored at live.com).  Spending 2m only, I cannot find either now (but cannot imagine where else I'd put it other than my live.com http-based file store). It had 1 delegate entry (not 100) but the point doesn't change (and it didn't have any PAPE advertisement extensions, since they were not (and still are not) standard).

I also did the delegation trick with some or other freeid XRI site unrelated to the myopenid OP, where freeid*lockbox delegated to an http URL at myopenid (this is all in the archives, since I report, profusely, to create a public record of prior art). There was also a variant in which the XRI server merely redirected to an http URI, rather than "delegated" (the formal distinction is important).

Delegation to me is pretty simple - and I find it one of the CRITICAL design aspects of OpenID. But I'm the least capable here... so beware of conceptual errors. So, I went through all the cases trying to understand the text by praxis (and without personally programming).


The ditty always went like this:

. Type in url to YOUR XRDS file on YOUR server (somewhere) at RP's openid form control
. RP discovers file, normalizes, redirects as required, eventually reads XRDS, and notes 1-100 services options and their delegation rules(*)
. RP picks one service provider, based on its criteria
. RP remembers my file's http URI, but cites the delegated openid value in OpenID auth run with OP.
. If positive claim received by RP from OP about delegated value, create local session with remembered openid.

There has never at any time been any relationship between the site hosting the XRDS file and the 1-100 OPs doing their thing.

I'll try to recreate or find stuff. Cannot be far away.

(*) It's obviously trivial for this file to be a dynamically programmed stream output (and programmed by me, that is, not some OP). Based on the country of origin of the IP address of the consumer app, I might also just redirect from that URL to a file containing only a subset (e.g. 1 element) of all my 100-element db of stored service references (and each one's delegated OpenID, one OP for one RP). Thus I DO get some control of what the RP can see me as, as I get to control which delegates I release. RP processing of delegates is MANDATORY in OpenID Auth.
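The RP-side steps listed above (fetch the user's XRDS, pick one signon service, send its delegated LocalID to that OP, then bind the session to the remembered URL) as an added example; this is not code from the thread or from any OpenID library. The XRDS document, the OP endpoints and the user URL are constructed sample values. The final function is the check an RP must do on the positive assertion: the OP endpoint and identifier it asserts must be ones that discovery actually produced for the remembered URL, otherwise a hostile OP could assert an identity that was never delegated to it.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
SIGNON = "http://specs.openid.net/auth/2.0/signon"

# Constructed sample XRDS served from the user's own URL. Each <Service> is one
# OP the user is willing to be seen through; <LocalID> is the delegated
# identifier to present at that OP. Lower priority value wins.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-b.example/endpoint</URI>
      <LocalID>https://op-b.example/users/alice</LocalID>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-a.example/endpoint</URI>
      <LocalID>https://op-a.example/alice</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>"""


def discover(claimed_id, xrds_text):
    """Return [(priority, op_endpoint, local_id)] for every signon service,
    best (lowest) priority first. claimed_id is the user's own URL."""
    root = ET.fromstring(xrds_text)
    services = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text for t in svc.findall(f"{{{XRD_NS}}}Type")]
        if SIGNON not in types:
            continue
        endpoint = svc.findtext(f"{{{XRD_NS}}}URI")
        # Without <LocalID> the claimed identifier itself is sent to the OP.
        local_id = svc.findtext(f"{{{XRD_NS}}}LocalID") or claimed_id
        prio = int(svc.get("priority", "2147483647"))  # absent = lowest
        services.append((prio, endpoint, local_id))
    return sorted(services)


def assertion_matches_discovery(discovered, claimed_id, op_endpoint, identity,
                                remembered_claimed_id):
    """RP check on the OP's positive assertion: it must name the URL the RP
    remembered, and (op_endpoint, identity) must be a pair discovery yielded."""
    if claimed_id != remembered_claimed_id:
        return False
    return any(ep == op_endpoint and lid == identity
               for _, ep, lid in discovered)
```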



From: Andrew Arnott [mailto:andrewarnott at gmail.com]
Sent: Tuesday, October 21, 2008 3:07 PM
To: Peter Williams
Cc: SitG Admin; Nathan; general at openid.net
Subject: [LIKELY_SPAM]Re: [OpenID] FW: general Digest, Vol 26, Issue 57

Where is your XRDS file?  I'd like to see how this mapping works.  I thought delegation rules were all about "at this OP use this identity".  But it sounds like you've got "at this RP use this identity".  How does that work?
On Tue, Oct 21, 2008 at 2:38 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
And this is the 100% delegation model. I have an XRDS file on the web, 100 links to consumer apps, and there are 100 delegations in the XRDS file. I only login to RP by noting the openid to myfile, whereupon delegation rules and bilateral discovery maps that to the OP provider the RP site is willing to use. If using PAPE extensions in the XRDS, RP might choose between two OPs based on auth policy/level advertisement.

This is rather different to the properties provided by directed identity at a single OP, note. Any OP of any large size, e.g. one bound by EV rules, will be spying on me. It's irrelevant what they say do: they have to retain the data, for correlation of who is communicating with whom (a trivially easy wiretap order to obtain).

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of SitG Admin
Sent: Tuesday, October 21, 2008 2:27 PM


And let's say you're willing to give up this convenience: NOTHING is
preventing you from having more than one ID! You can easily use one
OpenID per site, preventing those sites from connecting your ID at
one site with your ID at another site just by comparing notes.

-Shade
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
