[OpenID] Community Opinion on OID 2.1 Discovery and Identifiers...
SitG Admin
sysadmin at shadowsinthegarden.com
Sun Jun 7 21:51:48 UTC 2009
>However, with XRD it might be enabled by simply having Google
>forward any XRD requests for my google-id over to Facebook, so
>anybody requesting my "david.google.com"
>XRD gets it, and notices that the canonical id is now
>"david.facebook.com".
That would return us to the "crowded namespace" problem, and intrude
on policy decisions by requiring Google to keep the "david" username
reserved as long as you were around; Facebook, even once you moved on
from *there*, would have to do the same; as OpenID currently stands,
different domains *multiply* the available namespace, so you can be
David Google (David of the Google family) and thus distinguished from
David Facebook (the David at Facebook).
>First of all, there's one argument to be made that OP's and RP's
>should have this authority (to display whatever they want for you).
>However, there's a counter-argument that says the user should
>determine what should be displayed.
Within reasonable limits, of course (just as the '@' symbol is banned
in usernames on many systems today). RP's don't want users displaying
names for themselves that could be confused for the OpenID's of other
users - and if you expand identifiers to include more than just
URL's, security designers will be looking at a *lot* of rules about
what names can't be used for displaying user identity.
-Shade