On Mon, Dec 1, 2008 at 10:16 AM, SitG Admin <span dir="ltr"><<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d"><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On the face of it all, this approach would seem to require two different OpenIDs (one for each OP). However, using Yadis/XRDS, one could specify a primary and secondary OP for a particular OpenID.<br>
</blockquote>
<br></div>
I considered this. However, your risk is now that the host for your URI will turn on you or otherwise become compromised (someone breaks into the server hosting your site).</blockquote><div><br>Great point, though the alternative below has problems, too -- see below. <br>
<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I suppose there are several ways to make this happen, but I'd appreciate any feedback on this idea...<br>
</blockquote>
<br></div>
Why limit it to just *two* heads? One goes down, or is taken down, or the route to either is blocked . . . and your security system either prevents login, or "gracefully" fails by allowing the user to log in with only one OP anyway (when the user *could* have been just *pretending* to be unable to contact the second OP from where they were). Give it three, or more - and allow the user to specify, on login, *which* OP's they want to use. You can even use something similar to the XRI syntax for this, thus gradually bringing it into the mainstream by familiarizing users with it;<br>
<a href="http://openid.net/pipermail/general/2008-November/006339.html" target="_blank">http://openid.net/pipermail/general/2008-November/006339.html</a><br>
Something like "<a href="http://me.yahoo.com" target="_blank">me.yahoo.com</a>!<a href="http://me.google.com#blind=yes" target="_blank">me.google.com#blind=yes</a>", in a nod to the old bang pathing :)<br>
<br>
-Shade</blockquote><div><br>This is a good idea in principle, but has the problem of letting a rougue OP (instead of a signed discovery document that ideally only I control) become the authority for my OpenID, without my knowledge.<br>
<br>This is a subtle point, but very important. "Who" the OP is for a particular URL should be found via Discovery of some sort so that I can maintain control over that decision. Allowing the choice to happen at registration time (e.g.) allows an OP to manipulate this mapping without my knowledge. <br>
<br>As an example (admittedly weak) I sign up for a bank account at my bank, and the online account portion occurs a few days later. My rogue OP somehow know this, and tries to register before I do (without my knowledge) and gets to specify two OP endpoints that it controls (assuming the bank RP allows the registering user to supply the OP data, instead of honoring the info in Yadis/XRD).<br>
<br>I know it's a weak example, but hopefully you get the point.<br></div></div>