[OpenID] A Re-look at delegation
SitG Admin
sysadmin at shadowsinthegarden.com
Sat Sep 5 23:33:08 UTC 2009
>The better RP allows the user to have multiple bindings of openids
>onto the RP account -- so when Google dumps Peter, Peter simply uses
>live, or the local IDP built into the RP.
So, then, MultiAuth would be required for OpenID to function; if a
user only linked their account to a single URI, the RP would have no
backup method of recognizing the user later on if they lost (control
of) that URI.
>OpenID traditionally solved the liability FUD by placing control in
>the hands of the user - who should then decide all such matters.
>Of course, giving users such control and choices makes for UI
>difficulties, which leads to adoption issues... which...leads to
>different implementations dropping this vs that bit of the standard
>(some drop XRI, some drop delegation, some are dropping directed id,
>...).
Also playing into this are the discussions on these lists about which
features pose a security risk, etcetera; if we don't have good
explanations easily available so new adopters can readily see how
everything works, they'll be either avoiding OpenID entirely or
trying to disable those features which each deems risky (killing
interop).
-Shade