[OpenID] A Case for OpenEmailID

Peter Williams pwilliams at rapattoni.com
Mon May 4 21:24:53 UTC 2009


Feature parity all comes down to politics. And politics is hard, at the outset. If we can stay pragmatic, the openid politics can be like SSL - and accommodate many different provisioning/assurance/ciphersuite models all operating within a common space.

If openid is _only_ UCI, one HAS to have portability for users in all supported id syntaxes - so users stay in charge of their identities (which are provisioned by themselves, rather than by an OP which controls the identity's lifecycle, copyrights, reliance limits, etc).

If openid can _also_ be a more conventional B2B framework operated by TTPs (taking up the space that SAML seems to be vacating), then perhaps those of us with UCI tendencies may have to give something to those OPs who just cannot accommodate UCI: a variant of openid in which users are just typical subscribers of a TTP (with all the usual restrictive, canned rights set - including lack of portability).

I'd happily settle for an openid vision that embraces both a world of UCI that is placed on an equal footing with the more traditional world of TTPs. This would be just like SSL, where there is a world of self-signed certs, the world of public CAs, the world of full-power Microsoft enterprise CAs, and the world of govt-issued smartcards running suite-B algorithms used by civil servants. Everyone gets along in the SSL family...despite their differences. The political space there is alive, vibrant, positive in outlook and still going strong 15 years later...
________________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Martin Atkins [mart at degeneration.co.uk]
Sent: Monday, May 04, 2009 2:13 PM
To: general at openid.net
Subject: Re: [OpenID] A Case for OpenEmailID

David Recordon wrote:
> Right, but my argument was that you could delegate all of
> degeneration.co.uk to a Provider but not delegate
> mart at degeneration.co.uk to Provider A and bob at degeneration.co.uk to
> Provider B.
>

Perhaps, but delegation in the URL model is delegation to an OP-local
identifier, not to a provider.

So I would have to associate the whole of my domain with a single
OP-local identifier, not just with a provider.

What makes supporting separate settings for each user so difficult? My
old DNS-based email discovery prototype had no trouble doing this, but
I'm not familiar enough with this new proposal to understand why/whether
discovery on the whole email address is difficult.

I think it's preferable to retain feature-parity between email-based and
URL-based identifiers, including doing the discovery based on the entire
address rather than just the authority part.

_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
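The distinction Martin draws above (URL-model delegation points at an OP-local identifier, so delegating a whole domain pins every user to one identifier, whereas discovery keyed on the entire email address lets each mailbox name its own provider and local id) can be made concrete in code. The following is an added example written for this page; it is not code from the thread, from OpenID, or from Martin's DNS prototype. The HTML page, the addresses and the per-address/per-domain records are constructed sample data standing in for real HTML and DNS/XRDS lookups.

```python
"""Contrast URL-based OpenID 2.0 HTML discovery with whole-address email discovery.

Added illustration, not code from the OpenID list or any spec implementation.
All hostnames, addresses and records below are constructed sample data.
"""
from html.parser import HTMLParser
from typing import Dict, Optional, Tuple

Discovered = Tuple[Optional[str], Optional[str]]  # (OP endpoint, OP-local identifier)


class _LinkParser(HTMLParser):
    """Collect <link rel=... href=...> pairs from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs) -> None:
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            # rel may carry several space-separated tokens; record each one
            for token in rel.split():
                self.links[token.lower()] = href


def html_discover(html: str) -> Discovered:
    """OpenID 2.0 HTML-based discovery on a claimed-identifier page.

    Returns (openid2.provider, openid2.local_id).  Per the spec's HTML-Based
    Discovery rules, a missing openid2.local_id means the claimed identifier
    itself is the OP-local identifier; None signals that case here.
    """
    parser = _LinkParser()
    parser.feed(html)
    return parser.links.get("openid2.provider"), parser.links.get("openid2.local_id")


# Constructed page: a whole-domain delegation that points at ONE local id.
SAMPLE_HTML = """<html><head>
<link rel="openid2.provider" href="https://op-a.example/endpoint">
<link rel="openid2.local_id" href="https://op-a.example/id/mart">
</head><body>home page served for every URL under example.org</body></html>"""

# Constructed stand-ins for DNS/XRDS records (hypothetical schema).
EMAIL_RECORDS: Dict[str, Discovered] = {
    "mart@example.org": ("https://op-a.example/endpoint", "https://op-a.example/id/mart"),
    "bob@example.org": ("https://op-b.example/endpoint", "https://op-b.example/id/bob"),
}
DOMAIN_RECORDS: Dict[str, Discovered] = {
    "example.org": ("https://op-a.example/endpoint", "https://op-a.example/id/mart"),
}


def email_discover(address: str, whole_address: bool = True) -> Optional[Discovered]:
    """Discover an OP endpoint and OP-local id for an email-style identifier.

    whole_address=True looks the entire address up first, then falls back to
    the authority (domain) part; whole_address=False uses only the domain,
    which is the behaviour Martin is questioning in the thread.
    """
    local_part, sep, domain = address.rpartition("@")
    if not sep or not local_part or not domain:
        return None  # not an email-shaped identifier
    if whole_address:
        hit = EMAIL_RECORDS.get(address.lower())
        if hit is not None:
            return hit
    return DOMAIN_RECORDS.get(domain.lower())


if __name__ == "__main__":
    print("HTML discovery:", html_discover(SAMPLE_HTML))
    for who in ("mart@example.org", "bob@example.org"):
        print(who, "domain-only ->", email_discover(who, whole_address=False))
        print(who, "whole-address ->", email_discover(who))
```

Running the block shows that with domain-only discovery bob and mart resolve to the same OP-local identifier (they are indistinguishable to the relying party), while whole-address discovery gives each mailbox its own provider and local id; an address with no per-user record still falls back to the domain record.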


