[OpenID] user centric delegation vs portability: LRDD : competing threats: the consumer's fear hypothesis

John Bradley ve7jtb at ve7jtb.com
Tue Oct 27 00:31:59 UTC 2009


Host-meta doesn't provide the OP.

It provides a mapping from some identifier to a XRD for that identifier.

It is the target XRD for the user that specifies the OP.

Link headers can also provide the location of the XRD if you are  
using HTTP or another protocol that supports them.

host-meta is an additional way to map identifiers to XRD for things  
like email, or in cases where the site can't or just doesn't want to  
use Link headers.

The Link header is the replacement for the X-XRDS-Location custom header  
we were using in Yadis.

John B.
On 2009-10-26, at 8:28 PM, Manger, James H wrote:

> Dirk,
>
> I don’t think your IBM example is a very convincing argument for  
> host-meta to take precedence over an actual OpenID URI. Listing an  
> OP in host-meta may be a bit easier for an IBM IT admin than  
> preventing links to OPs from other URIs — but the latter is quite  
> feasible (rules in the page editing tool; filter in web server;  
> validator on page changes; background script to look in the file  
> system for this specific situation…). Even a non-technical corporate  
> policy saying staff must not specify another OP goes some way to  
> meeting the objective.
>
> It is probably more convenient for host-meta to be able to provide a  
> default OP, which can be overwritten for some special URIs. Most  
> OpenID URIs on a host don’t specify an OP, so they fall back to  
> host-meta, but a few can use a different OP (for non-humans, for  
> contractors, for testing, for migrating to a new OP implementation,  
> for staff with a different hardware login token…).
>
>
> James Manger
> James.H.Manger at team.telstra.com
> Identity and security team — Chief Technology Office — Telstra
>
> From: openid-general-bounces at lists.openid.net [mailto:openid-general- 
> bounces at lists.openid.net] On Behalf Of Dirk Balfanz
> Sent: Tuesday, 27 October 2009 7:51 AM
> To: Peter Williams
> Cc: general at openid.net
> Subject: Re: [OpenID] user centric delegation vs portability: LRDD :  
> competing threats: the consumer's fear hypothesis
>
> …If you have your own domain, you can pick (and change) your  
> identity provider. But if you're one of 300,000 IBM employees, there  
> are certain things you can't pick about your work account - you  
> can't pick your email provider, you can't pick your calendaring  
> software, and you can't presumably pick your identity provider -  
> professionals at IBM who get paid to worry about this stuff will  
> pick one for you that they are reasonably sure will not, say, put  
> into jeopardy the 401k accounts of the combined IBM workforce  
> (because, hypothetically speaking, IBM uses OpenID to log their  
> employees into fidelity.com).
>
> We need a single sign-on solution for the Web that works both for  
> Blogger/Facebook/consumer use case as well as the IBM use case.
>
> Dirk.
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
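
The discovery chain John describes, as an added example that is not code from this thread or from any OpenID/LRDD implementation: an identifier is mapped to an XRD either by a Link header on the resource itself or by a template in the host's host-meta, and only the XRD names the OP. HTTP is replaced by a constructed table of responses (all host names, paths and the two XRD documents are hypothetical), and the rel value used for the OP link inside a user's XRD is an assumption, since the thread does not fix one. The example goes one step beyond the message by making the precedence between the two XRD-location mechanisms a parameter, so the case James and Dirk are arguing about (a host-wide default versus a per-URI override) can be run both ways.

```python
"""LRDD-style discovery: identifier -> XRD (via Link header or host-meta
template) -> OP endpoint read from the XRD. Added example, not code from the
thread; HTTP is replaced by a constructed response table so it runs offline."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
# Hypothetical rel for the OP link inside a user's XRD. The thread does not
# fix this value, so it is an assumption of this example.
OP_REL = "http://specs.openid.net/auth/2.0/provider"


def xrd(inner):
    return f'<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">{inner}</XRD>'


def user_xrd(subject, op):
    return xrd(f'<Subject>{subject}</Subject><Link rel="{OP_REL}" href="{op}"/>')


LINK_HDR = '<%s>; rel="describedby"; type="application/xrd+xml"'

# Constructed responses (all hosts hypothetical): url -> (headers, body).
# A url missing from the table behaves like a 404.
RESPONSES = {
    # Personal domain: the page itself carries a Link header to its XRD.
    "https://alice.example.net/": ({"Link": LINK_HDR % "https://alice.example.net/xrd.xml"}, "<html>alice</html>"),
    "https://alice.example.net/xrd.xml": ({}, user_xrd("https://alice.example.net/", "https://op.alice.example.net/auth")),
    # Corporate host: ordinary employee pages carry no Link header, so the
    # host-meta template maps each identifier to an XRD served by the host.
    "https://corp.example.com/.well-known/host-meta": ({}, xrd(
        '<Host>corp.example.com</Host><Link rel="lrdd" type="application/xrd+xml" '
        'template="https://corp.example.com/xrd?uri={uri}"/>')),
    "https://corp.example.com/~bob": ({}, "<html>bob</html>"),
    "https://corp.example.com/xrd?uri=https%3A%2F%2Fcorp.example.com%2F~bob": ({}, user_xrd(
        "https://corp.example.com/~bob", "https://sso.corp.example.com/openid")),
    # A contractor's URI carries its own Link header to a different XRD;
    # whether that or host-meta wins is what the thread is arguing about.
    "https://corp.example.com/~carol": ({"Link": LINK_HDR % "https://corp.example.com/~carol/xrd.xml"}, "<html>carol</html>"),
    "https://corp.example.com/~carol/xrd.xml": ({}, user_xrd(
        "https://corp.example.com/~carol", "https://op.contractor.example.org/")),
    "https://corp.example.com/xrd?uri=https%3A%2F%2Fcorp.example.com%2F~carol": ({}, user_xrd(
        "https://corp.example.com/~carol", "https://sso.corp.example.com/openid")),
}


def fetch(url):
    """Stand-in for HTTP GET over the constructed table."""
    return RESPONSES.get(url, ({}, None))


LINK_RE = re.compile(r'<([^>]*)>((?:\s*;\s*[^;,]+)*)')


def parse_link_header(value):
    """Parse an HTTP Link header into [(target, {param: value}), ...]."""
    links = []
    for m in LINK_RE.finditer(value):
        params = {}
        for p in m.group(2).split(";"):
            if "=" in p:
                k, v = p.split("=", 1)
                params[k.strip().lower()] = v.strip().strip('"')
        links.append((m.group(1), params))
    return links


def xrd_links(body):
    """Return (rel, href, template) for each <Link> child of an XRD."""
    root = ET.fromstring(body)
    return [(l.get("rel"), l.get("href"), l.get("template")) for l in root.findall(XRD_NS + "Link")]


def xrd_via_link_header(identifier):
    headers, _ = fetch(identifier)
    for target, p in parse_link_header(headers.get("Link", "")):
        if "describedby" in p.get("rel", "").lower().split() and p.get("type") == "application/xrd+xml":
            return target
    return None


def xrd_via_host_meta(identifier):
    u = urlsplit(identifier)
    _, body = fetch(f"{u.scheme}://{u.netloc}/.well-known/host-meta")
    if body is None:
        return None
    for rel, _, template in xrd_links(body):
        if rel == "lrdd" and template:
            # host-meta yields only the XRD location, never the OP itself.
            return template.replace("{uri}", quote(identifier, safe=""))
    return None


FINDERS = {"link-header": xrd_via_link_header, "host-meta": xrd_via_host_meta}


def discover_op(identifier, order=("link-header", "host-meta")):
    """identifier -> XRD -> OP endpoint. `order` sets which XRD-location
    mechanism is tried first; the thread disputes this, so it is a parameter.
    A mechanism whose XRD carries no OP link falls through to the next one."""
    for name in order:
        xrd_url = FINDERS[name](identifier)
        body = fetch(xrd_url)[1] if xrd_url else None
        if body is None:
            continue
        for rel, href, _ in xrd_links(body):
            if rel == OP_REL and href:
                return href
    return None
```

With the default order the contractor's own Link header wins and she is sent to her own OP; with `order=("host-meta", "link-header")` the host-wide template wins and every URI on corp.example.com resolves to the corporate SSO endpoint. Either way the OP is read from an XRD document; host-meta only says where to find it.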
