[OpenID] Delegation leading to new accounts on websites

Peter Williams pwilliams at rapattoni.com
Mon Jun 22 10:22:02 UTC 2009


Perhaps I should be more fair. Good civilian uses of crypto are white vs black issues: they are always a shade of grey.

If the Google folks make signed XRD happen, then they can make delegation contingent on their being able to verify the signature.

I think that's a fair trade. I'll give up some of UCI, if they give signed discovery documents to the world.
________________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Peter Williams [pwilliams at rapattoni.com]
Sent: Sunday, June 21, 2009 6:51 PM
To: Andrew Arnott
Cc: general at openid.net
Subject: Re: [OpenID] Delegation leading to new accounts on websites

"Google doesn't support delegation at all.  Some concern about asserting an Identifier it has no control over..., "

Then Google is blacklisted. And it's a silly rationale, if that is their excuse. But there we are. What some enterprising folk can do is now run a gateway, and impersonate downstream RP to RP. Hardly difficult. This whole notion of trying to prevent RP proxying in a web environment is not going to fly! It didn't fly for certs and proxied (CONNECT) https assertions, and it won't fly for openid assertions.

The whole notion of delegation in openid precludes an OP knowing anything about the id used at an RP site. Furthermore, as we know well here, the OP only asserts in the "delegation flow" what it always asserted.

The difference of course is politics. One scheme provides for UCI - user portability (from Google). The other ties the RP to an OP-centric trust model - the antithesis of UCI.

Oh well. Let's see if the EU can shake things up, as it did with HailStorm. Let's get things so the user is put back in control.

