[OpenID] Delegation leading to new accounts on websites
John Bradley
john.bradley at wingaa.com
Tue Jul 7 21:56:36 UTC 2009
Johnny,
It is true that the OP is validating the openid.identity, but in OpenID
2.0 the RP can no longer trust using that as an identity.
With delegation the openid.identity is possibly an arbitrary URI that
the OP will treat as a local identifier and verify, but has no
authority over.
If the openid.claimed_id is different from the openid.identity the RP
performs discovery on the claimed_id to verify it.
So while the OP may be verifying the openid.identity, no RP should
assume that proves any control over that URI in OpenID 2.0.
The openid.claimed_id is the only identity that the RP should use.
The ownership is proved via discovery independent of the OPs authority
over the URI.
In some higher security applications, where the RP is relying on the OP
being audited against some profile (i.e. attribute verification),
I can see the problem an RP may have accepting a delegated OpenID as
conforming to some profile even if the OP conforms to the profile.
I think an OP needs to be cautious about what it asserts for a
claimed_id it is not authoritative for.
That is not to say that OPs shouldn't support delegation.
They just need to be cautious about their assertions, especially where
PAPE or identity proofing is concerned.
John B.
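The check John describes above (the RP re-running discovery on openid.claimed_id and only then trusting the OP's signed openid.identity) is shown below as an added example; it is not code from the thread or from any OpenID library. It assumes the assertion's signature has already been verified against the OP, uses HTML-based discovery (link rel="openid2.provider" / "openid2.local_id") served from an in-memory table of constructed pages instead of HTTP, and all host names, paths and the helper names (FAKE_PAGES, discover, verify_assertion) are made up for illustration.

```python
"""Added example (not from the thread): how an OpenID 2.0 RP verifies a
delegated claimed_id by re-running discovery on it, independent of the OP.

Assumptions: the assertion's signature has already been checked against the
OP; discovery here is the HTML-based form (link rel="openid2.provider" /
"openid2.local_id"), served from an in-memory table of constructed pages
rather than HTTP. All URLs are invented for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urldefrag

# Constructed "web": claimed_id URL -> HTML body discovery would fetch.
FAKE_PAGES = {
    # Alice delegates her URL to op.example.org with a local id there.
    "https://alice.example.net/": (
        "<html><head>"
        '<link rel="openid2.provider" href="https://op.example.org/auth">'
        '<link rel="openid2.local_id" href="https://op.example.org/id/alice">'
        "</head></html>"
    ),
    # Bob's page exists but delegates to a different OP entirely.
    "https://bob.example.net/": (
        "<html><head>"
        '<link rel="openid2.provider" href="https://other-op.example.com/auth">'
        "</head></html>"
    ),
}


class _LinkRelParser(HTMLParser):
    """Collect <link rel=... href=...> entries from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():          # rel may list several tokens
                self.links.setdefault(r.lower(), href)


def discover(claimed_id, pages=FAKE_PAGES):
    """HTML-based discovery on claimed_id.

    Returns (op_endpoint, local_id) or None. Per OpenID 2.0 the OP-local
    identifier defaults to the claimed_id itself when no openid2.local_id
    is published; the URL fragment is not part of what gets fetched.
    """
    url, _frag = urldefrag(claimed_id)
    body = pages.get(url)
    if body is None:
        return None
    p = _LinkRelParser()
    p.feed(body)
    provider = p.links.get("openid2.provider")
    if provider is None:
        return None
    return provider, p.links.get("openid2.local_id", url)


def verify_assertion(assertion, pages=FAKE_PAGES):
    """Decide whether a signature-checked positive assertion proves control
    of openid.claimed_id. Returns (ok, reason)."""
    claimed_id = assertion["openid.claimed_id"]
    identity = assertion["openid.identity"]
    op_endpoint = assertion["openid.op_endpoint"]

    found = discover(claimed_id, pages)
    if found is None:
        return False, "discovery on claimed_id failed"
    provider, local_id = found
    # The OP that signed must be the one the claimed_id delegates to ...
    if provider != op_endpoint:
        return False, "claimed_id does not delegate to the asserting OP"
    # ... and the local identifier it signed must be the one published there.
    if local_id != identity:
        return False, "openid.identity does not match discovered local_id"
    return True, "claimed_id verified via discovery"


if __name__ == "__main__":
    good = {"openid.claimed_id": "https://alice.example.net/",
            "openid.identity": "https://op.example.org/id/alice",
            "openid.op_endpoint": "https://op.example.org/auth"}
    # Same OP, same signed identity, but a claimed_id the user never set up.
    bad = dict(good, **{"openid.claimed_id": "https://bob.example.net/"})
    print(verify_assertion(good))
    print(verify_assertion(bad))
```

The second case in the demo is the one the thread is about: the OP's signature over openid.identity is perfectly valid, yet the RP rejects the assertion because nothing at the claimed_id points back to that OP and local identifier. Control of the claimed_id is proved by the delegation links on the page, not by the OP.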
> From: Johnny Bufu [johnny.bufu at gmail.com]
> Sent: Sunday, July 05, 2009 2:12 AM
> To: Andrew Arnott
> Cc: Peter Williams; general at openid.net
> Subject: Re: [OpenID] Delegation leading to new accounts on websites
>
> On 21/06/09 05:29 PM, Andrew Arnott wrote:
>> Google doesn't support delegation at all. Some concern about
>> asserting an Identifier it has no control over...
>
> Perhaps they are just being too cautious.
>
> The OP's assertion is about openid.identity, which is always under
> their control.
>
> The end-users presenting a valid assertion issued by their OP are
> claiming they control the openid.claimed_id. The OP's assertion is the
> tool that makes the claim verifiable.
>
> An OP's (valid) assertion alone cannot be used to prove ownership of
> another claimed identifier without actually having control over that
> claimed identifier (to configure delegation to the OP).
>
>
> Johnny