Uniquely Identifying User
John Bradley
ve7jtb at ve7jtb.com
Wed Nov 3 14:02:18 UTC 2010
Using a UUID would not be possible as the spec stands.
The security binding is between the host part of the endpoint URL and the "domain identifier"; without matching them, any IdP could masquerade as any other.
The identifier / EntityID should be resolvable to meta-data to support moving the protocol endpoint.
Using the protocol endpoint as the abstract identifier for the IdP has proven to be problematic in the past.
OpenID 2.0 avoids that.
John B.
On 2010-11-03, at 6:38 AM, Nat Sakimura wrote:
> At the OpenID Summit, there was some discussion about how to uniquely identify the user.
>
> There was some argument that it should use 'user_id' and 'domain'.
> Upon some contemplation, I think we should use something like 'server_id' which is a unique identifier (perhaps domain, but maybe UUID etc.) instead of 'domain' as 'domain' may actually change.
>
> What do you think?
>
> P.S., David, could you just save your html connect proposal to a file and send it to this list? Then it will constitute the contribution and we can start discussion on that formally. Otherwise, we cannot from the IPR management point of view.
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> http://twitter.com/_nat_en
> _______________________________________________
> openid-specs-connect mailing list
> openid-specs-connect at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-connect
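The binding John describes (endpoint host must match the IdP's domain identifier, and a bare UUID gives a relying party nothing to bind to) as an added example that is not code from the thread or from any OpenID specification; the discovery-document shape and the rule that a subdomain of the identifier's host is acceptable are assumptions made for illustration.

```python
import uuid
from urllib.parse import urlparse


def identifier_host(identifier: str):
    """Host that an IdP identifier binds to, or None when it has none (e.g. a UUID)."""
    try:
        uuid.UUID(identifier)
        return None  # a bare UUID names no host, so nothing can be matched against it
    except ValueError:
        pass
    if "://" not in identifier:
        identifier = "https://" + identifier  # bare domain form such as "idp.example.com"
    host = urlparse(identifier).hostname
    return host.lower() if host else None


def endpoint_bound_to(identifier: str, endpoint_url: str) -> bool:
    """Accept an endpoint only if its host is the identifier's host or a subdomain of it (assumed rule)."""
    ident_host = identifier_host(identifier)
    ep_host = urlparse(endpoint_url).hostname
    if ident_host is None or ep_host is None:
        return False
    ep_host = ep_host.lower()
    return ep_host == ident_host or ep_host.endswith("." + ident_host)


def check_discovered_metadata(metadata: dict):
    """Relying-party side check of a (hypothetical) discovery document: (ok, reason)."""
    identifier = metadata.get("identifier", "")
    if identifier_host(identifier) is None:
        return False, "identifier has no host to bind to"
    for endpoint in metadata.get("endpoints", []):
        if not endpoint_bound_to(identifier, endpoint):
            return False, "endpoint %s is not bound to identifier %s" % (endpoint, identifier)
    return True, "ok"


# Constructed sample documents, not real IdPs.
GOOD = {"identifier": "idp.example.com", "endpoints": ["https://login.idp.example.com/auth"]}
MASQUERADE = {"identifier": "idp.example.com", "endpoints": ["https://other-host.example.net/auth"]}
UUID_ONLY = {"identifier": "123e4567-e89b-12d3-a456-426614174000",
             "endpoints": ["https://login.idp.example.com/auth"]}

if __name__ == "__main__":
    for doc in (GOOD, MASQUERADE, UUID_ONLY):
        print(doc["identifier"], "->", check_discovered_metadata(doc))
```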