[Openid-specs-ab] Identifiers and discovery.

Breno de Medeiros breno at google.com
Tue Apr 12 23:02:37 UTC 2011


On Tue, Apr 12, 2011 at 13:48, Mike Jones <Michael.Jones at microsoft.com> wrote:
> Hi Breno,
>
> Sorry you couldn't make the call yesterday.  I think we would have had a good discussion about identifiers!
>
> I took the position during the call that principals need to be globally unique -- not so much for the OpenID login/connect use case -- but for a broader set of use cases that we'd like to enable.  If we succeed, there will be more services for users than just those built into the OpenID specs using those identifiers.  My canonical example is a calendar service, where we'd like to be able to discover for a user Joe (the principal) where his calendar service is, as part of the flow to enable Joe to give Mary permission to see his free/busy times.  Joe, Mary, and Joe's calendar service may all be hosted separately, in the general case.
>
> The simple web discovery model assumes that you discover a service location for a principal.  There's no notion of issuer in this discovery model -- just the principal.  Thus, if we use this model (and I think we should), the principal needs to be globally unique.
>
> I think you'll agree that there are many/many services we'd like to be able to do permissioning for, including many that haven't been invented yet.  Our model of principals for users should be designed to support these future use cases -- not just those of OpenID today.
>
> Thus, I feel strongly that having principals be globally unique is the right architecture for the part of the web that we're all trying to create together.  Yes, I know that this means that there will have to be rules for how to syntactically extract the issuer from the principal identifier.  (In my view, they can be pretty simple.)  But needing those simple rules seems like a small price to pay for architecting this core piece of the web in a way that enables a multiplicity of services to easily bloom.

Why not instead define a means to construct a global identifier given
an issuer and a user_id?

>
> I'm also looking forward to an interesting discussion. :-)
>
>                                Cheers,
>                                -- Mike
>
> -----Original Message-----
> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Breno de Medeiros
> Sent: Tuesday, April 12, 2011 9:18 AM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] Identifiers and discovery.
>
> I hope Nat's well.
>
> I was in a meeting at 3:00pm (that I scheduled after JBradley asserted the conference call would take place as usual at 4pm). When I joined, Mike Jones and Nat were dropping off the call.
>
> That left JBradley and me on the call. We had a discussion on identifiers and discovery.
>
> I would like to continue this conversation via email, as it's an important one.
>
>
> Currently, Google's proposal on identifiers is:
>
> - Identifiers are unique to the user and non-reassignable within the scope of the issuer. However, they need not be globally unique.
>
> - Id_tokens attest to the issuer and therefore provide a statement of the globally unique (issuer_id, user_id) pair. If the signature is based on PK, these tokens are also universally verifiable and fully portable.
>
> Looking forward to an interesting discussion,
>
> --
> --Breno



-- 
--Breno
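As an added illustration of the two positions in this thread (constructed for this page, not code from either proposal or from the OpenID specs): one possible "simple rule" that composes a global identifier from an (issuer, user_id) pair and extracts the pair again, alongside the naive concatenation it replaces. The scheme `<issuer>/<percent-encoded user_id>`, the https-only issuer check and the sample issuers are assumptions; the point is that the rule must be unambiguous, since a user_id containing the delimiter otherwise collides with a different issuer.

```python
"""Compose a globally unique principal identifier from an issuer and an
issuer-local user_id, and extract the pair again with a fixed syntactic rule.
The scheme <issuer>/<percent-encoded user_id> is an assumption for illustration.
"""
from urllib.parse import quote, unquote, urlsplit


def _normalize_issuer(issuer: str) -> str:
    """Reject non-https issuers and strip a trailing slash, so one issuer has
    exactly one spelling inside the composite identifier."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError(f"issuer must be a plain https URL: {issuer!r}")
    return issuer.rstrip("/")


def make_principal(issuer: str, user_id: str) -> str:
    """<issuer>/<user_id>, with every reserved byte of user_id percent-encoded
    (safe=''), so the last '/' of the result always separates issuer and user."""
    if not user_id:
        raise ValueError("user_id must be non-empty")
    return _normalize_issuer(issuer) + "/" + quote(user_id, safe="")


def split_principal(principal: str) -> tuple[str, str]:
    """Inverse of make_principal: the issuer is everything before the last '/'."""
    issuer, _, encoded = principal.rpartition("/")
    if not encoded:
        raise ValueError(f"no user_id component in {principal!r}")
    return _normalize_issuer(issuer), unquote(encoded)


def naive_principal(issuer: str, user_id: str) -> str:
    """Plain concatenation: two different (issuer, user_id) pairs can collide."""
    return issuer.rstrip("/") + "/" + user_id


if __name__ == "__main__":
    # Constructed sample pairs; the first user_id contains a '/' on purpose.
    a = ("https://idp.example", "a/b")
    b = ("https://idp.example/a", "b")
    assert naive_principal(*a) == naive_principal(*b)  # ambiguous
    assert make_principal(*a) != make_principal(*b)    # distinct
    for pair in (a, b):
        assert split_principal(make_principal(*pair)) == pair
    print(make_principal(*a), make_principal(*b))
```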
