[OpenID] [LIKELY_SPAM]Re: OpenID based on email addresses... Just Works!
Peter Williams
pwilliams at rapattoni.com
Wed Oct 29 16:09:41 UTC 2008
So what is the "full" extent of your concept?
Let's say, the confirmation type required is for machine/host registration, rather than email.
User types auchentoshan.cs.ucl.ac.uk at consumer/RP
During rp-based discovery, DNSSEC asserts/confirms that server Y and namespace X have (respective) authorities over the named host's resource records - and it's confirmed to be a host.
Discovery (against DNS) confirms the "host" resource record type (what LDAP(S) would call an objectclass for registered attribute).
OP is consulted for assertion, which vectors its __validation of__ the DNSSEC signatures back to the consumer as a custom PAPE authentication level, attesting to "this (host) openid is good for machine-authentication, and I have the evidence in my audit file" - 802.1x style.
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Martin Atkins
Sent: Wednesday, October 29, 2008 8:49 AM
To: David Recordon
Cc: OpenID List
Subject: [LIKELY_SPAM]Re: [OpenID] OpenID based on email addresses... Just Works!
David Recordon wrote:
> Yeah, I think this general approach with the addition of knowing it is
> an email, doing directed identity, and passing the email as
> OpenID.identity is a good one. I really prefer to find a simple solution
> that doesn't involve running a mapping service or mucking with DNS.
>
FWIW, I have an experimental implementation that does what you describe:
http://www.apparently.me.uk/18285.html
It can also optionally involve "mucking with DNS", but I fall back on
the "do Yadis discovery on the domain" method if the DNS records it's
looking for aren't there. One difference is that I invented a new XRDS
service type so that we don't start sending email addresses to existing
providers that aren't ready to support them yet. I think it's better for
this to fail during discovery at the RP than give a (probably confusing
and unhelpful) error message at the OP.
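
The RP-side gate described in the message above (fail during discovery unless the provider advertises a dedicated XRDS service type), as an added example that is not part of the original thread or of the implementation it links to. The service type URI, the host names and the https requirement are assumptions of this example; the post does not give the real URI.

```python
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"  # XRD 2.0 namespace used inside XRDS documents
# Hypothetical placeholder: the post does not give the URI of its new service type.
EMAIL_TYPE = "http://example.invalid/openid/email-identifier"

class DiscoveryError(Exception):
    """Raised at the RP, before any request carrying the address goes to an OP."""

def select_email_endpoint(xrds_xml):
    """Return the endpoint URI of the preferred service advertising EMAIL_TYPE."""
    if "<!DOCTYPE" in xrds_xml:  # XRDS needs no DTD; refuse entity declarations
        raise DiscoveryError("DOCTYPE not allowed in XRDS")
    candidates = []
    for svc in ET.fromstring(xrds_xml).iter(XRD + "Service"):
        types = {t.text.strip() for t in svc.findall(XRD + "Type") if t.text}
        uri = (svc.findtext(XRD + "URI") or "").strip()
        # Policy assumed by this example: the endpoint must be https.
        if EMAIL_TYPE not in types or not uri.startswith("https://"):
            continue
        prio = svc.get("priority")
        # In XRDS a lower priority value wins; a missing or bad value sorts last.
        rank = int(prio) if prio and prio.isdigit() else float("inf")
        candidates.append((rank, uri))
    if not candidates:
        raise DiscoveryError("no service advertises the email identifier type")
    return min(candidates)[1]

# Constructed sample: an existing provider that only knows plain OpenID 2.0.
LEGACY_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>
 <Service priority="0"><Type>http://specs.openid.net/auth/2.0/server</Type>
  <URI>https://op.example/openid</URI></Service>
</XRD></xrds:XRDS>"""

# Constructed sample: a provider that also advertises the placeholder email type.
EMAIL_READY_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>
 <Service priority="0"><Type>http://specs.openid.net/auth/2.0/server</Type>
  <URI>https://op.example/openid</URI></Service>
 <Service priority="20"><Type>http://example.invalid/openid/email-identifier</Type>
  <URI>https://backup.op.example/email</URI></Service>
 <Service priority="10"><Type>http://example.invalid/openid/email-identifier</Type>
  <URI>https://op.example/email</URI></Service>
</XRD></xrds:XRDS>"""

if __name__ == "__main__":
    print(select_email_endpoint(EMAIL_READY_XRDS))
    try:
        select_email_endpoint(LEGACY_XRDS)
    except DiscoveryError as exc:
        print("discovery failed at RP:", exc)
```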