[OpenID] Delegation leading to new accounts on websites
John Bradley
john.bradley at wingaa.com
Mon Jul 13 14:55:22 UTC 2009
You are free to choose a URI from Google or anyplace else to use as your
OP Local Identifier and hence the openid.identity.
The only constraint is that they be http, https or XRI.
The confusing thing for new people is that it's the openid.identity
that gets validated by the OP, but that is only within the context of
that OP and not globally.
The only globally validated identifier is the openid.claimed_id and
that is validated through discovery, but only if the local validation
of "OP Local Identifier" is successful.
The bottom line is that in OpenID 2.0 the RP cannot use the
openid.identity as an identity for the user.
I see people get this wrong too often.
John B.
On 13-Jul-09, at 9:10 AM, general-request at openid.net wrote:
> Date: Sun, 12 Jul 2009 21:08:32 -0700
> From: SitG Admin <sysadmin at shadowsinthegarden.com>
> Subject: Re: [OpenID] Delegation leading to new accounts on websites
> To: Johnny Bufu <johnny.bufu at gmail.com>
> Cc: general at openid.net
> Message-ID: <f06110400c68062c3cb4f@[192.168.0.2]>
> Content-Type: text/plain; charset="us-ascii" ; format="flowed"
>
>> The encoding scheme can be a OP internal deployment detail, since no
>> other party actively processes the local_id's; the URLs do not need
>> to be dereferenceable either.
>
> So, to actively confuse any 3rd party that *tries* to process my
> local_id's, I can scramble the external_id:local_id mapping until
> each external_id is known to my OP as a string exactly identical to
> *another* external_id?
>
> -Shade
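The point John makes above (the RP keys accounts on the discovered, signature-verified openid.claimed_id, never on openid.identity, which is only meaningful inside one OP) is easy to get wrong in RP code, so here is a worked RP-side check. This is an added example, not code from the thread, from any OpenID library, or from the participants. The discovery table, association secrets, OP endpoints, identifier URLs and the helper names (DISCOVERY, ASSOCIATIONS, verify_assertion, make_assertion, account_keys) are all constructed for illustration; a real RP performs Yadis/HTML discovery over the network and also checks return_to and nonce replay, which are left out here. Two users at two different OPs deliberately share the same OP-Local Identifier string, which OpenID 2.0 permits because that string is an OP-internal label:

```python
"""RP-side account keying for OpenID 2.0 positive assertions.

Added example (not from the list thread). Every URL, secret and table
below is constructed for illustration only.
"""
import hmac
import hashlib
from urllib.parse import urlparse, urlunparse

# Constructed stand-in for Yadis/HTML discovery on a Claimed Identifier:
# claimed_id -> (OP Endpoint URL, OP-Local Identifier).
# Note: both users are known to their (different) OPs by the same
# OP-Local Identifier string. That is allowed; the string is OP-internal.
DISCOVERY = {
    "https://alice.example/": ("https://op-a.example/auth", "https://op-a.example/u/joe"),
    "https://eve.example/":   ("https://op-b.example/auth", "https://op-a.example/u/joe"),
}

# Constructed association handles/secrets the RP established with each OP
# (OpenID 2.0 section 8), used here only for the HMAC-SHA256 signature check.
ASSOCIATIONS = {
    "https://op-a.example/auth": ("assoc-a", b"secret-for-op-a"),
    "https://op-b.example/auth": ("assoc-b", b"secret-for-op-b"),
}

# Fields an OP must sign in a positive assertion (section 10.1).
SIGNED = ["op_endpoint", "claimed_id", "identity", "return_to",
          "response_nonce", "assoc_handle"]


def kv_form(params, keys):
    """Key-Value form encoding used as signature input (section 4.1.1)."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in keys)


def sign(params, secret):
    return hmac.new(secret, kv_form(params, SIGNED).encode(),
                    hashlib.sha256).hexdigest()


def strip_fragment(url):
    """Discovery is done on the Claimed Identifier without its fragment."""
    return urlunparse(urlparse(url)._replace(fragment=""))


def verify_assertion(params):
    """Return the account key (the Claimed Identifier) or raise ValueError.

    Follows the shape of OpenID 2.0 section 11: check the signature, then
    check that discovery on claimed_id names this OP and this OP-Local
    Identifier. openid.identity is never used as the account key.
    """
    endpoint = params["openid.op_endpoint"]
    handle, secret = ASSOCIATIONS.get(endpoint, (None, None))
    if handle is None or handle != params["openid.assoc_handle"]:
        raise ValueError("unknown association for this OP endpoint")
    if params["openid.signed"] != ",".join(SIGNED):
        raise ValueError("required fields are not all signed")
    if not hmac.compare_digest(sign(params, secret), params["openid.sig"]):
        raise ValueError("bad signature")
    claimed = strip_fragment(params["openid.claimed_id"])
    if claimed not in DISCOVERY:
        raise ValueError("discovery failed for claimed_id")
    disc_endpoint, disc_local = DISCOVERY[claimed]
    if disc_endpoint != endpoint:
        raise ValueError("assertion did not come from the OP discovered for claimed_id")
    if disc_local != params["openid.identity"]:
        raise ValueError("openid.identity does not match discovered OP-Local Identifier")
    return claimed


def is_valid(params):
    try:
        verify_assertion(params)
        return True
    except ValueError:
        return False


def make_assertion(claimed_id, identity, endpoint, nonce):
    """Constructed positive assertion as the named OP would sign it."""
    handle, secret = ASSOCIATIONS[endpoint]
    p = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": identity,
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": nonce,
        "openid.assoc_handle": handle,
        "openid.signed": ",".join(SIGNED),
    }
    p["openid.sig"] = sign(p, secret)
    return p


def account_keys(assertions, key_field):
    """Distinct accounts an RP would end up with if it keyed on key_field."""
    return {a["openid." + key_field] for a in assertions}


# Two genuine logins, one at each OP, both carrying the same openid.identity.
alice = make_assertion("https://alice.example/", "https://op-a.example/u/joe",
                       "https://op-a.example/auth", "2009-07-13T14:55:22Zaaa")
eve = make_assertion("https://eve.example/", "https://op-a.example/u/joe",
                     "https://op-b.example/auth", "2009-07-13T14:55:23Zbbb")
# OP-B asserting Alice's claimed_id: discovery points at OP-A, so it is rejected.
forged = make_assertion("https://alice.example/", "https://op-a.example/u/joe",
                        "https://op-b.example/auth", "2009-07-13T14:55:24Zccc")
```

Both genuine assertions verify, yet an RP that keys on openid.identity collapses Alice and Eve into one account, so Eve lands in Alice's account; keying on the verified openid.claimed_id yields two accounts. The forged assertion fails because discovery on https://alice.example/ names OP-A, not the OP that signed it.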