Hi Nate,<br><br>Please see inline.<br><br><div class="gmail_quote">On Sat, May 31, 2008 at 1:57 AM, Nate Klingenstein <<a href="mailto:ndk@internet2.edu">ndk@internet2.edu</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Babu,<div class="Ih2E3d"><br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
When such features get included, maybe we should call it "OpenProfile" (as it contains more details than just ID :) ).<br>
</blockquote>
<br></div>
I think of identity as including all kinds of things about someone. The term you're probably thinking of is identifier. The "ID" is a bit ambiguous as to which it refers to. :D<div class="Ih2E3d"></div></blockquote>
<div><br>Babu> Okay. Agreed :) <br><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d"><br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Now assuming OpenID has these too in its roadmap, what does it mean to an end user when he switches from one OP to another (say using the delegation feature)? He loses all the details that he has been maintaining at the earlier OP. This is undesirable.<br>
</blockquote>
<br></div>
There's a second half: your details maintained at the earlier OP are still controlled by that OP unless you contact the RP to have them removed. I don't think there's any way in the OpenID protocols to do deregistration.<div class="Ih2E3d">
</div></blockquote><div><br>Babu> Migration and de-registration should be the functions that are expected
from an OP. So a user will choose only such OPs which abide by the
standards.<br>As Shade was mentioning, such de-registration is not possible when the
OP server is compromised. But this is an issue even with other functions (not just
de-registration) and with the OP-specific-digital-identities supported by OpenID
today. <br><br>So this issue doesn't hinder us from supporting global digital
identity, selection of an OP based on some central digital identity server, and
data migration across OPs. <br><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d"><br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I believe that "digital identity" problem should have been solved in this fashion:<br>
1. Let there be some central digitalID server to issue a digital identity, which is not attached to any URL (say I go to this server, register myself & ask for a digital identity "babu_n"). And in this same server, I would also associate my digital identity with "OP details".<br>
2. I would select an OP & register with the OP. Provide my digital id here & associate my digital ID with "my details" (like password, personal/professional details, etc.). It should be mandated how OPs should store "my details".<br>
3. I go to some OpenID enabled website & provide my id as "babu_n". Here the OpenID enabled website now contacts the "central digitalID server" & gets the OP details of the user (here "babu_n"). After that it allows the user to get authenticated via OP.<br>
</blockquote>
<br></div>
Replace "central digitalID server" with "DNS hierarchy administered by ICANN" and your dream is basically today's reality. There's just no trust fabric, which is something I'd like to see added as an optional layer for applications that care.<div class="Ih2E3d">
<br>
</div></blockquote><div><br>Babu> The problem with today's reality is that my "digital identity" is lost
if the OP shuts down his services or I would like to migrate. But in the case of
DNS, the registered domain name remains forever. So that's what a user expects
from a digital identity solution like OpenID.<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d"><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
It should be mandated that OPs store user details in some standard format. And when user likes to migrate, the OP should let these details be exported. The details exported this way may be used by the user in importing at his new OP.<br>
</blockquote>
<br></div>
Data portability is certainly not part of today's dream. I'd like to see it happen too, but there are all kinds of disincentives that are likely to hinder its rapid or complete adoption. Here are two major fun problems to solve:<br>
<br>
(1) To whom should an OP be willing to export details, and when?</blockquote><div><br>Babu> To whichever place the end user asks the OP to export to (say to his
desktop, to some other place/server on the internet, ...). And whenever requested by the
end user. The details should be exported in a standard format. Using this feature,
a user might take a backup now and then or may have some automated way of taking a
backup to some other place on the internet. These details can be worked out anyway,
if we believe that data portability should be one of the goals of OpenID.<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
(2) If a user is phished and the attacker migrates their OpenID to another OP, how do you get control of linked accounts back?<br>
</blockquote><div><br>Babu> Even with today's OP-specific-digital-identities, we have the phishing
issue. What does a user do if he is phished? After this, if the attacker changes
the password, does the user not lose all the website accounts at which this
OP-specific-digital-identity was used? <br><br>So, again, I don't see phishing
as a hindrance to "support global digital identity, selection of an OP based on
some central digital identity server, data migration across
OPs".<br><br><br>Thanks,<br>Babu<br> <br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
Take care,<br><font color="#888888">
Nate.<br>
</font></blockquote></div><br>
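<br>The thread above turns on two points: Nate's observation that a URL identifier plus DNS already acts as the "central digitalID server", and Babu's worry about what happens when a user switches OPs via delegation. The following Python example, added here and not part of the original thread, shows the RP-side mechanism that makes both true: HTML-based OpenID discovery, where the RP fetches the claimed identifier URL and reads the OP endpoint and delegate (local) identifier from link tags. The identity page, the OP hostnames (old-op.example, new-op.example) and the page owner's identifier are constructed for illustration; because the identifier is the user's own URL, repointing these link tags moves the user to a new OP while every RP keeps the same claimed identifier. The example handles both the OpenID 1.x (openid.server/openid.delegate) and 2.0 (openid2.provider/openid2.local_id) link names and falls back to the claimed identifier when no delegate is given.

```python
from html.parser import HTMLParser

# Constructed identity page for the claimed identifier https://babu.example/ .
# The owner has repointed it from old-op.example (1.x tags) to new-op.example
# (2.0 tags); a 2.0-capable RP prefers the 2.0 tags and uses the new OP.
SAMPLE_IDENTITY_PAGE = """<html><head>
<link rel="openid.server" href="https://old-op.example/server">
<link rel="openid.delegate" href="https://old-op.example/user/babu_n">
<link rel="openid2.provider" href="https://new-op.example/endpoint">
<link rel="openid2.local_id" href="https://new-op.example/id/babu_n">
</head><body>babu_n</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect rel -> href for every <link> in the document head."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            # rel may list several tokens; the first link for a token wins.
            for token in rel.split():
                self.links.setdefault(token.lower(), href)


def discover(claimed_id, html_doc):
    """HTML-based discovery: return (op_endpoint, local_id, protocol_version).

    The local_id is what the RP sends to the OP as openid.identity; when the
    page names no delegate, the claimed identifier itself is used.
    """
    parser = _LinkCollector()
    parser.feed(html_doc)
    links = parser.links
    if "openid2.provider" in links:
        return links["openid2.provider"], links.get("openid2.local_id", claimed_id), 2
    if "openid.server" in links:
        return links["openid.server"], links.get("openid.delegate", claimed_id), 1
    raise ValueError("no OpenID provider link found in identity page")
```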