[OpenID] Delegation leading to new accounts on websites
John Bradley
john.bradley at wingaa.com
Fri Jul 10 19:05:11 UTC 2009
We will have to consider it for the next rev of PAPE at least.
Once there are Profiles like NIST where the OP is asserting some level
of identity proofing over the claimed_id.
Those profiles should be clear on how or if delegation is supported.
Thanks
John B.
On 10-Jul-09, at 2:50 PM, Johnny Bufu wrote:
> On Tue, Jul 07, 2009 at 07:20:49PM -0400, John Bradley wrote:
>> Yes the delegated openid.identity is issued by the OP but in the
>> case of
>> delegation the openid.claimed_id is not.
>>
>> If as an example we have a pseudonymous id type that a RP can
>> request via
>> PAPE or some other extension and someone has delegated to that OP say
>> Google, then Google has no control over the claimed_id and the
>> resulting
>> assertion may violate the non-correlation privacy policy.
>>
>> If for example the OP is assessing some profile that mandates a
>> particular password strength etc., the OP has no knowledge of how
>> the XRD doing the delegating is secured.
>>
>> I am saying that with delegation some of the security is outside of
>> the
>> control of the OP and hence the OP can't be authoritative for it
>> and may
>> not be able to make the same PAPE or other assertions regarding it.
>
> Ok, I get your point now. The disconnect was that I took 'assertion'
> in
> the original comment to mean the openid _core_ assertion, in which
> case
> it's clear what it means and I saw no concerns for OPs.
>
> If PAPE or other extensions expand their scope and include the claimed
> identifiers or other entities into what they assert - it's a totally
> different deal.
>
>> There might be a legitimate reason for an OP not to support
>> delegation
>> under some limited circumstances.
>> However most of the time it shouldn't be a problem as long as RPs are
>> properly validating the returned assertions and not believing the
>> openid.identity is something it is not.
>
> So bottom line is that OPs should be careful how they handle
> delegation
> with regard to certain extensions. Maybe PAPE and other extensions
> should note their impact on delegation.
>
>
> Johnny
>
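The thread turns on one RP-side obligation: after a positive assertion comes back, the RP must check the returned openid.identity, openid.claimed_id and openid.op_endpoint against what it discovered at the claimed identifier, and must not treat a delegated openid.identity as anything more than the OP-local account the OP actually authenticated. The block below is an added example written for this page, not code from the OpenID specification, from either poster, or from any library; the hostnames, the association secret and the assertion fixture are constructed. It implements the discovery-consistency checks of OpenID 2.0 section 11.2 (op_endpoint, claimed_id with fragment stripped, and openid.identity equal to the discovered OP-Local Identifier when delegation is in play) plus HMAC-SHA1 signature verification over the fields listed in openid.signed. Return-to verification and response_nonce replay tracking are left out.

```python
import base64
import hashlib
import hmac
from urllib.parse import urldefrag

# Constructed discovery result for the claimed identifier, as an RP would
# obtain it from the user's XRDS/HTML document (hypothetical hosts).
# "local_id" is present only when the user delegates to an OP-local account.
DISCOVERED = {
    "claimed_id": "https://alice.example.net/",
    "op_endpoint": "https://op.example.com/server",
    "local_id": "https://op.example.com/id/alice",
}

# Constructed association secret shared between RP and OP (hypothetical value).
MAC_KEY = b"constructed-association-secret-0123456789"


def sign(params, mac_key):
    """OpenID 2.0 HMAC-SHA1 signature: key-value form of the fields named in
    openid.signed (prefix stripped), in that order, base64-encoded."""
    fields = params["openid.signed"].split(",")
    kv = "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha1).digest()).decode()


def verify_assertion(params, discovered, mac_key):
    """Return (ok, reason) for a positive assertion, given the RP's own
    discovery result for the claimed identifier and the association key."""
    if (params.get("openid.ns") != "http://specs.openid.net/auth/2.0"
            or params.get("openid.mode") != "id_res"):
        return False, "not an OpenID 2.0 positive assertion"
    # Section 10.1: these fields must be covered by the signature.
    required = {"op_endpoint", "return_to", "response_nonce",
                "assoc_handle", "claimed_id", "identity"}
    signed = set(params.get("openid.signed", "").split(","))
    if not required <= signed:
        return False, "required fields missing from openid.signed"
    if not hmac.compare_digest(sign(params, mac_key), params.get("openid.sig", "")):
        return False, "bad signature"
    # Section 11.2: the assertion must agree with what the RP discovered.
    if params["openid.op_endpoint"] != discovered["op_endpoint"]:
        return False, "op_endpoint does not match discovery"
    # The OP may append a fragment to the claimed_id; ignore it when comparing.
    if urldefrag(params["openid.claimed_id"]).url != discovered["claimed_id"]:
        return False, "claimed_id does not match discovery"
    # With delegation, openid.identity must be the discovered OP-Local
    # Identifier; without it, identity and claimed_id are the same URL.
    expected_identity = discovered.get("local_id") or discovered["claimed_id"]
    if params["openid.identity"] != expected_identity:
        return False, "openid.identity is not the OP-Local Identifier discovered for this claimed_id"
    return True, "ok"


def build_assertion(identity, op_endpoint=DISCOVERED["op_endpoint"],
                    claimed_id=DISCOVERED["claimed_id"]):
    """Construct a signed positive assertion as the OP would return it
    (test fixture; all values are constructed)."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": identity,
        "openid.return_to": "https://rp.example.org/openid/return",
        "openid.response_nonce": "2009-07-10T19:05:11ZabcDEF",
        "openid.assoc_handle": "assoc-constructed-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = sign(params, MAC_KEY)
    return params


if __name__ == "__main__":
    # Delegated identity that matches discovery: accepted.
    print(verify_assertion(build_assertion(DISCOVERED["local_id"]), DISCOVERED, MAC_KEY))
    # Validly signed by the OP, but for a different OP-local account: rejected.
    print(verify_assertion(build_assertion("https://op.example.com/id/someone-else"),
                           DISCOVERED, MAC_KEY))
```

The identity check is what keeps a delegated login honest: the RP accepts the login only because the OP signed for the exact OP-local account that the claimed_id's own document pointed at. It also marks the boundary Bradley describes for PAPE: any authentication-policy claims in the same response describe how the OP authenticated openid.identity, and say nothing about how the delegating XRD or HTML page at the claimed_id is protected, so an RP should not read them as covering the claimed identifier itself.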