<HTML dir=ltr><HEAD></HEAD>
<BODY style="WORD-WRAP: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space">
<DIV id=idOWAReplyText93892 dir=ltr>
<DIV dir=ltr><FONT face=Arial size=2>If the user has established in his/her metadata that several OPs can speak for just 1 delegated OpenID, the RP has to account for this "feature" of the model in its programming. On any 2 runs of the protocol, an RP cannot assume the users metadata has the same OPs or the same binding of delegate to OP. It must discover these facts and account for the current user requirements.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>The usability of this regime is generally address in the consumer-grade RP by allow the N OpenIDs (delegate or otherwise) of a single Person to account link to the RP signin-account. Once signed-in, non-normative processes are generally used by the user, allowing the user (as principal) to remove/cleanup account-linking bindings records.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>I don't believe an RP is conforming if its allows its cache (or non-normative account linking records) to over-ride user managed metadata. It would disarm the mandatory discovery security controls.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Lets remember that while its common for user's metadata to be managed by the users OP (particularly in the OpenID2 case applying YADIS), the security model does not assume this deployment practice. I was nicely able to use a third party XRI server to control both OP selection and delegation handling to RPs, in trials conducted a few months ago.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV></DIV>
<DIV id=idSignature6619>
<DIV><FONT face=Arial color=#000000 size=2><SPAN style="FONT-SIZE: 7.5pt">_________________________<BR></SPAN><B>Peter Williams<BR></B></FONT><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Nate Klingenstein<BR><B>Sent:</B> Fri 5/30/2008 8:02 AM<BR><B>To:</B> Babu.N<BR><B>Cc:</B> general@openid.net<BR><B>Subject:</B> Re: [OpenID] query regarding OP migration<BR></FONT><BR></DIV></DIV>
<DIV>Babu,
<DIV><BR></DIV>
<DIV>The short answer: "yes, but." It is possible to address this use case with delegation. It's a good feature but may be too advanced for some users. It's certainly not standard practice. This Wiki article might help:</DIV>
<DIV><BR></DIV>
<DIV><A href="http://wiki.openid.net/Delegation" target=_blank>http://wiki.openid.net/Delegation</A></DIV>
<DIV><BR></DIV>
<DIV>Remember that this needs to be part of the initial setup. This is because once the RP has cached an identifier associated with an account, it's difficult to reconfigure that link. That OpenID is your login. How do you prove that a different OpenID is the correct new identifier? Unless your old, unloved provider is willing to help, manual reconciliation is the only way, in many cases, and that's a really expensive and difficult process.</DIV>
<DIV><BR></DIV>
<DIV>Take care,</DIV>
<DIV>Nate.</DIV>
<DIV><BR>
<DIV>
<DIV>On 30 May 2008, at 13:52, Babu.N wrote:</DIV><BR class=Apple-interchange-newline>
<BLOCKQUOTE type="cite">
<P style="MARGIN: 0px"><FONT style="FONT: 12px Helvetica" face=Helvetica size=3>Hi,</FONT></P>
<P style="MIN-HEIGHT: 14px; MARGIN: 0px; FONT: 12px Helvetica"><BR></P>
<P style="MARGIN: 0px"><FONT style="FONT: 12px Helvetica" face=Helvetica size=3>As I understand, OpenID allows a digital identity to be created at an<SPAN class=Apple-converted-space> </SPAN></FONT></P>
<P style="MARGIN: 0px"><FONT style="FONT: 12px Helvetica" face=Helvetica size=3>OP & let this be used at multiple sites. After creating the digital<SPAN class=Apple-converted-space> </SPAN></FONT></P>
<P style="MARGIN: 0px"><FONT style="FONT: 12px Helvetica" face=Helvetica size=3>identify & using it some websites, suppose the doesn't like the OP<SPAN class=Apple-converted-space> </SPAN></FONT></P>
<P style="MARGIN: 0px"><FONT style="FONT: 12px Helvetica" face=Helvetica size=3>for service reasons (say frequent downtime, prone to compromises<SPAN class=Apple-converted-space> </SPAN></FONT></P>
<P style="MARGIN: 0px"><FONT style="FONT: 12px Helvetica" face=Helvetica size=3>etc). Does OpenID technology allow the user to migrate from this OP<SPAN class=Apple-converted-space> </SPAN></FONT></P>
<P style="MARGIN: 0px"><FONT style="FONT: 12px Helvetica" face=Helvetica size=3>to another, yet retaining the same identity (remember this is already<SPAN class=Apple-converted-space> </SPAN></FONT></P>
<P style="MARGIN: 0px"><FONT style="FONT: 12px Helvetica" face=Helvetica size=3>used by him in registering at some websites..) ? If not, should this<SPAN class=Apple-converted-space> </SPAN></FONT></P>
<P style="MARGIN: 0px"><FONT style="FONT: 12px Helvetica" face=Helvetica size=3>not be supported going forward ?</FONT></P>
<P style="MIN-HEIGHT: 14px; MARGIN: 0px; FONT: 12px Helvetica"><BR></P>
<P style="MIN-HEIGHT: 14px; MARGIN: 0px; FONT: 12px Helvetica"><BR></P>
<P style="MARGIN: 0px"><FONT style="FONT: 12px Helvetica" face=Helvetica size=3>Thanks,</FONT></P>
<P style="MARGIN: 0px"><FONT style="FONT: 12px Helvetica" face=Helvetica size=3>Babu</FONT></P></BLOCKQUOTE></DIV><BR></DIV></DIV></BODY></HTML>