[OpenID] Delegation leading to new accounts on websites

Johnny Bufu johnny.bufu at gmail.com
Fri Jul 10 18:50:32 UTC 2009


On Tue, Jul 07, 2009 at 07:20:49PM -0400, John Bradley wrote:
> Yes the delegated openid.identity is issued by the OP but in the case of 
> delegation the openid.claimed_id is not.
>
> If as an example we have a pseudonymous id type that an RP can request via 
> PAPE or some other extension and someone has delegated to that OP say 
> Google, then Google has no control over the claimed_id and the resulting 
> assertion may violate the non-correlation privacy policy.
>
> If for example the OP is assessing some profile that mandates a  
> particular password strength etc.   The OP has no knowledge of how the  
> XRD doing the delegating is secured.
>
> I am saying that with delegation some of the security is outside of the 
> control of the OP and hence the OP can't be authoritative for it and may 
> not be able to make the same PAPE or other assertions regarding it.

Ok, I get your point now. The disconnect was that I took 'assertion' in
the original comment to mean the openid _core_ assertion, in which case
it's clear what it means and I saw no concerns for OPs.

If PAPE or other extensions expand their scope and include the claimed
identifiers or other entities into what they assert - it's a totally
different deal.

> There might be a legitimate reason for an OP not to support delegation  
> under some limited circumstances.
> However most of the time it shouldn't be a problem as long as RPs are  
> properly validating the returned assertions and not believing the  
> openid.identity is something it is not.

So bottom line is that OPs should be careful how they handle delegation
with regard to certain extensions. Maybe PAPE and other extensions
should note their impact on delegation.


Johnny
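As an added example that is not part of the thread above or of any OpenID library, the RP-side check the reply calls for: discover the OP endpoint and OP-local identifier from the user's page (HTML-based discovery, OpenID 2.0 section 7.3.3), then compare the positive assertion's openid.claimed_id, openid.identity and openid.op_endpoint against what discovery yielded (section 11.2) and confirm those fields are in openid.signed. The `delegated` flag is how the RP knows the claimed_id is under the user's control rather than the OP's, so extension assertions (PAPE and the like) can only be taken to apply to openid.identity. The hostnames, page and assertion are constructed for the example; the HMAC check over the signed fields against the association is assumed to be done separately.

```python
"""Added example (not from the original thread): RP-side verification of a
delegated OpenID 2.0 positive assertion against HTML-based discovery."""
from html.parser import HTMLParser
from urllib.parse import urldefrag

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# Fields a positive assertion must sign (OpenID 2.0 section 10.1);
# claimed_id and identity must be signed as well when present.
MUST_SIGN = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")


class _LinkRelParser(HTMLParser):
    """Collects <link rel=... href=...> tags; first occurrence of a rel wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        href = a.get("href")
        if not href:
            return
        for rel in (a.get("rel") or "").split():
            self.links.setdefault(rel, href)


def discover_html(claimed_id, page_html):
    """HTML-based discovery on the page fetched from claimed_id.
    Returns what the RP must later verify against, or None if the page
    carries no openid2.provider link."""
    p = _LinkRelParser()
    p.feed(page_html)
    op_endpoint = p.links.get("openid2.provider")
    if op_endpoint is None:
        return None
    local_id = p.links.get("openid2.local_id", claimed_id)
    return {
        "claimed_id": claimed_id,
        "op_endpoint": op_endpoint,
        "local_id": local_id,
        # The OP is authoritative for local_id only; when it differs from
        # claimed_id the mapping lives in the user's page, not at the OP.
        "delegated": local_id != claimed_id,
    }


def verify_assertion(discovered, assertion):
    """Compares a positive assertion (openid.* fields as a dict) with the
    discovered information and checks the identifier fields are covered by
    openid.signed. Returns a list of problems; an empty list means the RP
    may treat openid.identity as belonging to the discovered claimed_id."""
    problems = []
    if assertion.get("openid.ns") != OPENID2_NS:
        problems.append("not an OpenID 2.0 response")
    if assertion.get("openid.mode") != "id_res":
        problems.append("not a positive assertion")
    # A fragment appended by the OP is ignored when comparing claimed_id.
    claimed = urldefrag(assertion.get("openid.claimed_id", ""))[0]
    if claimed != discovered["claimed_id"]:
        problems.append("claimed_id does not match discovery")
    if assertion.get("openid.identity") != discovered["local_id"]:
        problems.append("openid.identity is not the discovered OP-local identifier")
    if assertion.get("openid.op_endpoint") != discovered["op_endpoint"]:
        problems.append("op_endpoint does not match discovery")
    signed = set(assertion.get("openid.signed", "").split(","))
    for field in MUST_SIGN + ("claimed_id", "identity"):
        if field not in signed:
            problems.append(f"{field} is not covered by the signature")
    return problems


# Constructed sample: Alice's page at her claimed identifier delegates to an OP.
ALICE_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/openid">
<link rel="openid2.local_id" href="https://op.example.net/user/alice-123">
</head><body>alice</body></html>"""

# Constructed positive assertion as the RP would receive it at return_to.
GOOD_ASSERTION = {
    "openid.ns": OPENID2_NS,
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example.net/openid",
    "openid.claimed_id": "https://alice.example.com/",
    "openid.identity": "https://op.example.net/user/alice-123",
    "openid.return_to": "https://rp.example.org/finish",
    "openid.response_nonce": "2009-07-10T18:50:32ZAbC",
    "openid.assoc_handle": "assoc-1",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}

if __name__ == "__main__":
    info = discover_html("https://alice.example.com/", ALICE_PAGE)
    print("delegated:", info["delegated"])
    print("good assertion:", verify_assertion(info, GOOD_ASSERTION))
    # Same OP, different local identifier: must be rejected even though the
    # OP endpoint and claimed_id look right.
    swapped = dict(GOOD_ASSERTION)
    swapped["openid.identity"] = "https://op.example.net/user/mallory"
    print("swapped identity:", verify_assertion(info, swapped))
```

The swapped-identity case is the "believing openid.identity is something it is not" failure: the OP did assert that local identifier, but discovery from the claimed_id never pointed at it, so the RP must not bind the claimed_id to it.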