[OpenID] A Re-look at delegation
Peter Williams
pwilliams at rapattoni.com
Sat Sep 5 18:16:53 UTC 2009
I FEEL we could dump XRD-based openid-delegation (yet leave the trivial HTML variant). But I also recognize that that means that the better RP sites have to do the work to provide for the UCI properties that get the user autonomy from the IDP (preparing for the breakdown phase of a user<->IDP relationship, that is).
In summary: rather than pursue the UCI model (where neither IDP nor SP controls the user's identity), one could adopt the traditional option of the RP-centric federation model. The better RP allows the user to have multiple bindings of openids onto the RP account -- so when Google dumps Peter, Peter simply uses live, or the local IDP built into the RP. But, plural account linking, and local account authentication become the norm (aping the SAML2 conception of federated-names).
-----
Now fun questions THEN arise. When a user signs into Plaxo RP from Google OP say (where Plaxo is an RP that already features plural-account-linking) and wants to SSO further on (from a Plaxo page to Facebook), does Plaxo INDUCE the current IDP to talk to Facebook, or does Plaxo itself act as a chaining-IDP and assert to Facebook (speaking as itself, or citing for Google when speaking for the current authentication channel)?
Using some technology ideas from SAML and others from Nate and co, we played with both models last year. Call them the third-party initiation model and idp-chaining models, for want of better names. We are finding that folks in governance forums (in realty) are not highly receptive to the third-party initiation model; and are tending to prefer the chaining-IDP model. The issue is coming back to Google's own apparent hangup over openid-delegation "pseudo-liabilities" as an OP: where now in the converse case of an RP that acts as a third party formally choosing the party that then asserts (correctly or otherwise) to another vendor (out of contract) introduces "fears" of liabilities.
Openid traditionally solved the liability FUD by placing control in the hands of the user - who should then decide all such matters. Of course, giving users such control and choices makes for UI difficulties, which leads to adoption issues... which... leads to different implementations dropping this vs that bit of the standard (some drop XRI, some drop delegation, some are dropping directed id, ...).
-----Original Message-----
From: openid-general-bounces at lists.openid.net [mailto:openid-general-bounces at lists.openid.net] On Behalf Of Santosh Rajan
Sent: Saturday, September 05, 2009 10:42 AM
To: general at openid.net
Subject: [OpenID] A Re-look at delegation
I know most people are not going to like what I am going to say.
Let us be practical and pragmatic.
Let us dump "delegation" the way we have seen it. Everybody has seen the problems with delegation. Most importantly joe.com. joe.com has delegated his OpenID to whatever.com via his html page. He types in his OpenID (joe.com) and the web site he logged into shows
http://AXGFJHHGFTYTYUIIIMNBGFFFGF
Right.
Now let us cut all this nonsense for security reasons at least.
If Joe wants joe.com as his OpenID. And whatever.com wants to be his OP. Then whatever.com bloody well better know that joe.com is a valid claimed_id at whatever.com.
In other words OpenId providers can't pop up any more "LocalId's". If you Providers want to support delegation then bloody well verify the claimed_id. Do it whichever way you want. But just do it.
Now that we have got that out of the way. Can you all please allow us average human beings to have our own OpenId's?
I am santrajan at gmail.com, or facebook.com/santosh.rajan, or santosh.rajan at ymail.com. Now can you Friggin providers verify what I am claiming? If you can then let's talk OpenID!
-----
Santosh Rajan
http://santrajan.blogspot.com
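The check Santosh asks for (an OP refusing to assert a claimed_id whose page does not actually delegate to it) and its RP-side counterpart (the RP only accepting an assertion that matches what it discovered at the claimed_id), written up as an added example in Python; it is not code from this thread or from any OpenID library. The joe.com HTML is constructed, and the function names are my own.

```python
from html.parser import HTMLParser

# Constructed sample: the page served at joe.com, delegating to an OP at whatever.com.
# Both the OpenID 2.0 (openid2.*) and legacy 1.1 (openid.server/delegate) links are present.
JOE_COM_HTML = """<html><head>
<link rel="openid2.provider" href="https://whatever.com/openid/endpoint">
<link rel="openid2.local_id" href="https://whatever.com/users/joe">
<link rel="openid.server" href="https://whatever.com/openid/endpoint">
<link rel="openid.delegate" href="https://whatever.com/users/joe">
</head><body>Joe</body></html>"""

class _LinkParser(HTMLParser):
    """Collect the first href seen for each rel value in <link> tags."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        if a.get("rel") and a.get("href"):
            for rel in a["rel"].split():
                self.links.setdefault(rel, a["href"])

def discover(html):
    """HTML-based discovery: returns (op_endpoint, local_id), preferring 2.0 links over 1.1."""
    p = _LinkParser()
    p.feed(html)
    endpoint = p.links.get("openid2.provider") or p.links.get("openid.server")
    local_id = p.links.get("openid2.local_id") or p.links.get("openid.delegate")
    return endpoint, local_id

def op_verify_delegation(html, my_endpoint, local_id_at_op):
    """OP-side check: only assert this claimed_id if its page delegates to this OP and
    to the local id of the account that actually authenticated (no 'popped up' LocalIds)."""
    endpoint, local_id = discover(html)
    return endpoint == my_endpoint and local_id == local_id_at_op

def rp_verify_assertion(claimed_id, html, response):
    """RP-side check (OpenID 2.0 sec. 11.2): the positive assertion must agree with what the
    RP itself discovered, so an endpoint joe.com never delegated to cannot assert joe.com."""
    endpoint, local_id = discover(html)
    if endpoint is None:
        return False
    return (response.get("openid.claimed_id") == claimed_id
            and response.get("openid.op_endpoint") == endpoint
            and response.get("openid.identity") == (local_id or claimed_id))
```

In a real deployment the RP fetches the claimed_id page itself and the OP consults its own record of which users have registered joe.com; here the HTML is passed in so the logic runs offline.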