[OpenID] Delegation leading to new accounts on websites
Peter Williams
pwilliams at rapattoni.com
Mon Jun 22 01:51:25 UTC 2009
"Google doesn't support delegation at all. Some concern about asserting an Identifier it has no control over..., "
Then Google is blacklisted. And it's a silly rationale, if that is their excuse. But there we are. What some enterprising folk can do is now run a gateway, and impersonate downstream RP to RP. Hardly difficult. This whole notion of trying to prevent RP proxying in a web environment is not going to fly! It didn't fly for certs and proxied (CONNECT) https assertions, and it won't fly for openid assertions.
The whole notion of delegation in openid precludes an OP knowing anything about the id used at an RP site. Furthermore, as we know well here, the OP only asserts in the "delegation flow" what it always asserted.
The difference of course is politics. One scheme provides for UCI - user portability (from Google). The other ties the RP to an OP-centric trust model - the antithesis of UCI.
Oh well. Let's see if the EU can shake things up, as it did with HailStorm. Let's get things so the user is put back in control.
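The delegation flow the post describes, as an added example that is not part of the original message: the OP only ever signs the OP-local identifier, so it is the RP that has to tie that identifier back to the claimed URL by reading the delegate link from the claimed URL's own page. The URLs and the page are constructed sample data, not from the thread.

```python
from html.parser import HTMLParser

# rel names used for the OP endpoint and the delegated (OP-local) identifier,
# OpenID 1.1 names first, OpenID 2.0 equivalents second
OP_RELS = {"openid.server", "openid2.provider"}
LOCAL_ID_RELS = {"openid.delegate", "openid2.local_id"}


class _LinkCollector(HTMLParser):
    """Collects (rel, href) pairs from <link> tags on an identifier page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = {k.lower(): v for k, v in attrs if v is not None}
        if "rel" in a and "href" in a:
            for rel in a["rel"].lower().split():
                self.links.append((rel, a["href"]))


def discover(claimed_id, page_html):
    """Return (op_endpoint, local_id) for a claimed identifier from its HTML.
    With no delegate link the local id is the claimed id itself."""
    collector = _LinkCollector()
    collector.feed(page_html)
    op_endpoint = next((h for r, h in collector.links if r in OP_RELS), None)
    local_id = next((h for r, h in collector.links if r in LOCAL_ID_RELS), claimed_id)
    return op_endpoint, local_id


def assertion_matches_discovery(claimed_id, page_html, op_endpoint, asserted_identity):
    """RP-side check: the identity the OP signed must equal the local id that the
    claimed URL's page delegates to, and must come from the OP that page names.
    Skipping this lets any account at that OP log in as any URL that delegates there."""
    expected_op, expected_local = discover(claimed_id, page_html)
    return expected_op == op_endpoint and expected_local == asserted_identity


# Constructed sample: a personal URL delegating to an account at a hypothetical OP
SAMPLE_CLAIMED_ID = "https://alice.example.org/"
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="https://op.example.net/server">
<link rel="openid.delegate" href="https://op.example.net/users/alice">
</head><body>alice's page</body></html>"""
```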