[OpenID] XRD signing and a new kind of Claimed Identifier
Andrew Arnott
andrewarnott at gmail.com
Fri Jun 5 17:49:13 UTC 2009
Good point, George. I held back on bringing that up because once we have
what you're suggesting, we've re-invented InfoCard. :) But InfoCard, even
where the cards are hosted in the cloud, already exists, so if we retooled
OpenID to do this we wouldn't really have contributed anything to the world.
:)
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Fri, Jun 5, 2009 at 10:38 AM, George Fletcher <gffletch at aol.com> wrote:
> Assuming I understood correctly...
>
> The initial privacy question that comes to mind with this is whether the
> public key will become its own globally correlatable identifier. This
> doesn't really matter for OpenIDs where the user enters a "claimed
> identifier". But for the "directed identity" flow, if the XRD associated
> with the returned "opaque" identifier contains the same public key as the
> user's XRD for their "global/known" "claimed identifier", then the public key
> has enabled correlation across identifiers that weren't supposed to be
> correlatable.
>
> Now, if each opaque "direct identity" identifier has its own public key,
> we're fine from a privacy perspective, but this is rather ugly to deploy.
>
> Thanks,
> George
>
> Andrew Arnott wrote:
>
>> I haven't read the XRD spec draft, so I don't know how well this would fit
>> in, but I wonder...
>>
>> Could we put a public key in an XRD file, and have the authentication
>> process be that the OP proves it has the private key, and then the public
>> key is the claimed identifier? If we could pull this off we'd totally solve
>> the problem of being able to change the URI or XRI identifier while still
>> maintaining the user account at each RP; and similarly we could abandon a
>> URL without fear of someone else picking it up and stealing the old user's
>> identity.
>>
>> Basically, have many of the same benefits of XRIs today, except without
>> the annual fee of owning a top-level i-name, and without being locked down
>> to one XRI service. For example I have a few i-names, each with their own
>> i-number, but these numbers aren't really portable. AFAIK I can't abandon
>> all my i-names, then acquire all new i-names with different services and
>> different numbers of * characters in them, and then hook up my old i-numbers
>> and expect it all to work.
>>
>> Is this way off base, or a possibility?
>>
>> --
>> Andrew Arnott
>> "I [may] not agree with what you have to say, but I'll defend to the death
>> your right to say it." - S. G. Tallentyre
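The two ideas in this thread, a key fingerprint as the claimed identifier with the OP proving possession of the private key, and George's objection that one key reused across a public identifier and a "directed" opaque one makes them correlatable, can both be shown in a few dozen lines. The Go program below is an added example and is not code from the thread, from OpenID, or from the XRD draft; it assumes a hypothetical `<PublicKey>` element inside an XRD (the draft defines no such element), uses ed25519 from the Go standard library in place of whatever key type a real profile would choose, and the subjects, nonce and RP names are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
)

// XRD models only the fields this example needs. The <PublicKey> element is
// a hypothetical extension assumed here; the XRD draft does not define it.
type XRD struct {
	XMLName   xml.Name `xml:"XRD"`
	Subject   string   `xml:"Subject"`
	PublicKey string   `xml:"PublicKey"` // base64 ed25519 public key (assumed encoding)
}

// KeyIdentifier derives the key-based claimed identifier proposed in the
// thread: a fingerprint of the public key, independent of any URL or XRI.
func KeyIdentifier(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "key:" + base64.RawURLEncoding.EncodeToString(sum[:])
}

// proofMessage binds the RP's nonce to the RP's own identity so a proof
// produced for one RP cannot be replayed at another.
func proofMessage(rp string, nonce []byte) []byte {
	return append([]byte("openid-pop:"+rp+":"), nonce...)
}

// ProvePossession is the OP side: sign the RP-bound challenge.
func ProvePossession(priv ed25519.PrivateKey, rp string, nonce []byte) []byte {
	return ed25519.Sign(priv, proofMessage(rp, nonce))
}

// VerifyPossession is the RP side: accept only if the presented key is the
// one the claimed identifier fingerprints AND the signature verifies under it.
func VerifyPossession(claimed string, pub ed25519.PublicKey, rp string, nonce, sig []byte) bool {
	if KeyIdentifier(pub) != claimed {
		return false
	}
	return ed25519.Verify(pub, proofMessage(rp, nonce), sig)
}

// Correlatable is George's privacy check: group XRD subjects by the key they
// publish. Any key with more than one subject links those identifiers for
// anyone who can fetch both documents.
func Correlatable(docs []string) (map[string][]string, error) {
	byKey := map[string][]string{}
	for _, d := range docs {
		var x XRD
		if err := xml.Unmarshal([]byte(d), &x); err != nil {
			return nil, err
		}
		raw, err := base64.StdEncoding.DecodeString(x.PublicKey)
		if err != nil || len(raw) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("bad key in XRD for %s", x.Subject)
		}
		id := KeyIdentifier(ed25519.PublicKey(raw))
		byKey[id] = append(byKey[id], x.Subject)
	}
	linked := map[string][]string{}
	for k, subjects := range byKey {
		if len(subjects) > 1 {
			linked[k] = subjects
		}
	}
	return linked, nil
}

// xrdFor builds a constructed XRD document for a subject and key.
func xrdFor(subject string, pub ed25519.PublicKey) string {
	return fmt.Sprintf(`<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Subject>%s</Subject><PublicKey>%s</PublicKey></XRD>`,
		subject, base64.StdEncoding.EncodeToString(pub))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	claimed := KeyIdentifier(pub)
	nonce := make([]byte, 16)
	rand.Read(nonce)
	sig := ProvePossession(priv, "https://rp.example", nonce)
	fmt.Println("claimed identifier:", claimed)
	fmt.Println("proof accepted:", VerifyPossession(claimed, pub, "https://rp.example", nonce, sig))

	// One key behind a public identifier and an opaque directed one (linkable),
	// and a second directed identifier with its own key (not linkable).
	pub2, _, _ := ed25519.GenerateKey(rand.Reader)
	linked, _ := Correlatable([]string{
		xrdFor("https://alice.example/", pub),
		xrdFor("https://op.example/id/9f3a2c", pub),
		xrdFor("https://op.example/id/77b1e0", pub2),
	})
	fmt.Println("linkable identifier sets:", linked)
}
```

The RP-side check does two things a key-as-identifier scheme needs: the fingerprint comparison is what makes the key, rather than the URL, the thing a user account is tied to, and the RP name inside the signed message is what stops a proof obtained by one RP from being presented to another. `Correlatable` is the kind of check an OP could run over the XRDs it publishes to confirm that its directed identifiers do not all advertise the user's public key.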