[OpenID] On the portability of identifiers

SitG Admin sysadmin at shadowsinthegarden.com
Fri Oct 31 16:21:18 UTC 2008 

>If anyone is interested in discussing this further, please let me know.

YES!!!
http://openid.net/pipermail/general/2008-July/005115.html
Indeed, this is where my "follow-up" post (the one I've put on hold 
until after the elections, when I'll be free to work on it) was 
(almost) at, and I've been meaning to finish that for a while now :(

>One way of solving this is to have more then one identifier -- 
>essentially an identifier set -- so that if you lose control of one 
>identifier, you have not lost control of the identifier set.

The same applies for your provider of that identity going out of business.

>If the set has three identifiers, then you only need to present two 
>of them to show it is you, and then you can substitute a new 
>identifier so that you again have a redundant set.

RP's should also let the user, at signup or any point thereafter 
(when authenticated with a majority of their set), increase the 
minimum number of identifiers that are required for making changes - 
so that, if a user who once had only 3 identifiers gradually acquires 
2 more, they can say "Okay, now we need THREE identifiers to make 
changes.", and still enjoy fault-tolerance if suddenly TWO of them 
were to go down or become hostile.

RP's could also allow settings for customized access based on 
specific identifiers. For instance, if I log in with my work ID, 
don't show me the personal E-mail's! Anyone who steals the work ID 
would find damage control measures already in place - but it's more 
than that. Think invisible filtering to help you focus on just the 
important stuff (using *your* webmail account for everything, even 
though you run several "identities" through it and actually use POP3 
for your personal stuff), with a sanitized data set for anyone 
peeking over your shoulder (no more worrying about whether some 
private aspect of your personal life is visible on the screen at any 
one moment, capturable by spyware (that may be installed/run by the 
company!), provided your RP coded its privacy protections correctly).

Getting your workplace to support you+work at company.com seems easy 
enough (it's practically an employee perk! "With us, you don't need 
to keep track of one more E-mail address, you can use your old one." 
- with the appropriate alliances to have OpenID webmail providers 
readily available to the user that hasn't seen any before), but I've 
read that not all mail clients can *send* to this kind of address, 
and for a business with large numbers of users it may be a 
deal-breaker to have addresses that actual (as well as potential) 
customers wouldn't be able to use.

>An implementation of this would be to have two URLs and one 
>public/private key pair. The URLs each contain a document that 
>references the other URLs as well as contains the public key.

There's also the strict "vanilla" implementation where an XRDS file 
(location found at each URI) specifies other URI's. Reduced effect on 
privacy (though you can still list your work URI in the home XRDS 
file, and omit the home URI from the work XRDS file, knowing that 
you'll never need another point of authentication while you're using 
the work URI), but doesn't require the RP to integrate/support this 
kind of crypto.

>In a world of opaque identifiers and smart clients, this all can be 
>transparent to the user. They just saw they want to log in with a 
>particular identifier set.

For now, the problem is (only!) with presenting the user that list of 
identifiers. But the problems here are privacy (try one identifier, 
see them all, or at least another), not implementation, which we can 
already handle transparently:

If we know which identifiers the user wants to authenticate with, we 
can send them off to the first, and, the moment they return, 
immediately dispatch them to the second. If the second gracefully 
fails (automatically (via checkid_immediate) or by the user's choices 
there), the user was sent back with information on that refusal and 
we move on to the third. We can remember the list of identifiers from 
their last login (and they need to provide a majority authentication 
before adding more identifiers, anyway), and either present them with 
a list of identifiers they've used before ("Click the checkmark boxes 
by identifiers you want to use *this* time." would let users specify 
identifiers they wish to *avoid* using, either because it's down or 
if they don't wish to have that OP know about their login this time), 
or silently keep track ourselves.

-Shade

More information about the general mailing list