Making identities persistent?

Hallam-Baker, Phillip pbaker at verisign.com
Wed Nov 1 17:06:16 UTC 2006


Don't forget that a more important constraint here is to prevent impersonation.

I don't see how one can switch between genuinely autonomous IdPs in the way suggested without allowing a rogue IdP to impersonate anyone they chose.

At what point do the synchronization mechanisms you build in exceed the complexity of PKI?

> -----Original Message-----
> From: John Kemp [mailto:frumioj at mac.com] 
> Sent: Wednesday, November 01, 2006 11:33 AM
> To: Hallam-Baker, Phillip
> Cc: Stefan Görling; Shutra Zhou; specs at openid.net
> Subject: Re: Making identities persistent?
> 
> Hello,
> 
> I think you need the ability for a user to change his 
> identifier at the RP (as George notes below) and also at the 
> IdP. In addition, it should be possible for the IdP to 
> provide OpenID "forwarding" if the user leaves for another 
> IdP (perhaps the user will even pay for a forwarding
> service?)
> 
> We're not talking about persistence as such (a particular 
> user's OpenID can surely change over time?), but more the 
> ability for the user to update her OpenID when she switches 
> from one IdP to another. At the IdP, this would I guess be 
> kind of like leaving a forwarding address, as the user is 
> "leaving" one IdP and moving to another. At the RP, the user 
> is telling the RP that he is using a new IdP.
> 
> So, I think George's (1) is a necessity, and agree that (2) 
> is a business decision, but certainly offers the ability for 
> an IdP to be "community-friendly" if it so wishes, and may 
> even be a good business decision.
> 
> Isn't this all about the likely /lack/ of persistence in a 
> particular OpenID though?
> 
> Regards,
> 
> - John
> 
> Hallam-Baker, Phillip wrote:
> > If we want identities to be persistent then we are going to need to 
> > introduce a layer of indirection.
> > 
> > This normally gets me worried about patents and such. Fortunately 
> > Multics did this, so did UNIX and VMS. Plenty of prior art.
> > 
> > If we are serious about decentralization then map the user identifier 
> > onto a randomly assigned machine readable GUID.
> > 
> >> -----Original Message-----
> >> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Stefan Görling
> >> Sent: Wednesday, November 01, 2006 10:52 AM
> >> To: Shutra Zhou
> >> Cc: specs at openid.net
> >> Subject: Re: Making identities persistent?
> >> 
> >> 
> >> The reason for raising this question was partly that I've been doing 
> >> some research on how people use e-mail addresses and, sad to say, you 
> >> can not expect the user to make wise choices. And even so, companies 
> >> go broke, even the best ones. Services come and disappear. In my 
> >> research over half of the population use non-portable e-mail 
> >> addresses tied to an employer, university, etc., and these are likely 
> >> to only live a few years.
> >> 
> >> E-mail is not a stable address/identity identifier. We must not rely 
> >> on it as such.
> >> 
> >> If we want an identity to be persistent, it must contain a migration 
> >> feature, so that I can move all their trust relations from one place 
> >> to another. This of course creates a number of other issues such as 
> >> security and complexity, but it is my sincere belief that the 
> >> issue should be addressed by the system and not only delegated to be 
> >> dependent on wise user decisions.
> >> 
> >> Therefore, my +1 is on (1) below. I will try to read back on what has 
> >> been said in the past on a 'change identifier' extension and see if 
> >> there is anything I can do to help.
> >> 
> >> /Stefan
> >> 
> >>> Yes, this is an important thing I thought. We should provide a
> >>> spec for the consumer to change their end user's OpenID URL;
> >>> optionally the end user can use multiple OpenIDs in this consumer. And this
> >>> case can be extended as this: the IdP (OpenID Server) is closed down.
> >>> 
> >>> 2006/10/31, George Fletcher <gffletch at aol.com>:
> >>> This is a good use case and I think important for both users and 
> >>> IdPs (now OPs [OpenID Provider] per the latest "editor's
> >>> conference") to consider.
> >>> 
> >>> I see a number of options...
> >>> 
> >>> 1. There has been some discussion regarding a "change identifier"
> >>> extension that would allow you to change your identifier at the 
> >>> relying party.  This would solve the use case and is necessary 
> >>> regardless of the other options.
> >>> 
> >>> 2. The OP (in this case AOL.com) could continue to provide an 
> >>> "identifier management" page that would allow the user to specify
> >>> the OP of choice.  This requires the OP to continue to serve the 
> >>> XRDS doc or at least the indirection to a XRDS doc with the new OP.  
> >>> This is not that much extra overhead for the OP, but it will
> >>> likely be a business decision as to whether to support such a feature.
> >>> 
> >>> 3. The user gets to choose their OP so they can ensure that they 
> >>> don't get "locked in".  This is the ideal behind user-centric.
> >>> However, in practice, it will take good education and time for users 
> >>> to understand the ramifications of their decisions.
> >>> 
> >>> Thanks, George
> >>> 
> >>> Stefan Görling wrote:
> >>> 
> >>>> Hi everybody,
> >>>> 
> >>>> I'm trying to get a grip around your great work and have one issue 
> >>>> that I'm not quite clear on, relevant to the discussion of using
> >>>> user at example.com-style identifiers, but also in a more general context.
> >>>> Please let me know if I've simply misunderstood my own question.
> >>>> 
> >>>> 
> >>>> http://openid.net/specs/openid-authentication-2_0-09.html#anchor48 says:
> >>>> "OpenID is decentralized. No central authority must approve or
> >>>> register Relying Parties or Identity Providers. An End User can freely
> >>>> choose which Identity Provider to use. They can preserve their
> >>>> Identifier if they switch Identity Providers."
> >>>> 
> >>>> Let us consider the case that I'm an AOL.com customer, and they act as
> >>>> an IdP providing me with an identifier. I use this identifier for 3
> >>>> years for identity management on most of the services I use, due to 
> >>>> the huge success of the standard... However, I'm starting to get fed
> >>>> up with AOL and terminate my agreement with them. Is there any
> >>>> procedure for me to switch to another IdP? How is this done?
> >>>> 
> >>>> Best Regards,
> >>>> 
> >>>> Stefan Görling
> >>>> 
> >>>> 
> >>>> 
> >>>> _______________________________________________
> >>>> specs mailing list
> >>>> specs at openid.net
> >>>> http://openid.net/mailman/listinfo/specs
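The two points in Phillip's reply (key the account on a random machine-readable GUID behind the user identifier, and make sure identifier changes cannot be used for impersonation) worked through as an added Python example. This is illustrative code written for this page, not code from any OpenID library or from anyone in the thread. The `RelyingParty`, `Session` and `Account` classes, the in-memory `DISCOVERY` table, and every identifier and OP endpoint in it are assumptions constructed for the example; a real RP would obtain the OP endpoint by performing discovery on the claimed identifier and would verify the assertion signature before any of this runs.

```python
"""Illustrative relying-party (RP) account store. Added example for this
thread, not code from any OpenID library or from the thread's authors.

The RP keys each account on a randomly assigned local GUID (the layer of
indirection described in the thread) and treats the OpenID identifier as
an alias that can be rebound. A rebind is applied only after the RP has
verified, in the same session, assertions for BOTH the old and the new
identifier, each checked against the RP's own discovery result for that
identifier, so an OP that signs an assertion for an identifier it does
not serve cannot take the account over. All identifiers, endpoints and
discovery data below are constructed sample values."""
import uuid
from dataclasses import dataclass, field

# Constructed stand-in for discovery: claimed identifier -> OP endpoint that
# the identifier's own XRDS/HTML discovery names. A real RP fetches this.
DISCOVERY = {
    "https://alice.op-a.example/": "https://op-a.example/auth",
    "https://alice.op-b.example/": "https://op-b.example/auth",
}


class RebindError(Exception):
    """Raised when an identifier change must be refused."""


@dataclass
class Account:
    guid: str                 # stable random key; never exposed as the identity
    openid: str               # current claimed identifier (a URL)
    history: list = field(default_factory=list)   # previous identifiers, for audit


@dataclass
class Session:
    verified: set = field(default_factory=set)    # identifiers proven in this session


class RelyingParty:
    def __init__(self, discovery=DISCOVERY):
        self._discovery = discovery
        self._by_guid = {}     # guid -> Account
        self._by_openid = {}   # claimed identifier -> guid

    def register(self, openid):
        """Create an account; the identifier is only an alias for a fresh GUID."""
        if openid in self._by_openid:
            raise RebindError("identifier already bound")
        acct = Account(guid=str(uuid.uuid4()), openid=openid)
        self._by_guid[acct.guid] = acct
        self._by_openid[openid] = acct.guid
        return acct

    def lookup(self, openid):
        """Resolve a claimed identifier to its Account, or None."""
        guid = self._by_openid.get(openid)
        return self._by_guid.get(guid) if guid is not None else None

    def verify_assertion(self, session, openid, asserting_op):
        """Accept an assertion for `openid` only if `asserting_op` is the
        endpoint the RP's own discovery names for that identifier. This is
        the check that stops a rogue OP from asserting identifiers it does
        not serve; the signature check itself is outside this example."""
        expected = self._discovery.get(openid)
        if expected is None or expected != asserting_op:
            return False
        session.verified.add(openid)
        return True

    def change_identifier(self, session, old_openid, new_openid):
        """Rebind the account behind `old_openid` to `new_openid`. Both
        identifiers must already have been verified in this session."""
        if old_openid not in session.verified:
            raise RebindError("current identifier not verified in this session")
        if new_openid not in session.verified:
            raise RebindError("new identifier not verified in this session")
        acct = self.lookup(old_openid)
        if acct is None:
            raise RebindError("no account for current identifier")
        if new_openid in self._by_openid:
            raise RebindError("new identifier already bound to an account")
        del self._by_openid[old_openid]
        self._by_openid[new_openid] = acct.guid
        acct.history.append(old_openid)
        acct.openid = new_openid
        return acct


if __name__ == "__main__":
    rp, s = RelyingParty(), Session()
    old, new = "https://alice.op-a.example/", "https://alice.op-b.example/"
    acct = rp.register(old)
    # A rogue OP asserting Alice's identifier is rejected by discovery.
    print(rp.verify_assertion(s, old, "https://rogue.example/auth"))   # False
    rp.verify_assertion(s, old, "https://op-a.example/auth")
    rp.verify_assertion(s, new, "https://op-b.example/auth")
    print(rp.change_identifier(s, old, new).guid == acct.guid)        # True
```

The GUID is what every RP-side record (sessions, data, audit trail) points at; the OpenID URL is only an index into it, so a migration touches one mapping entry rather than every reference. The anti-impersonation property comes from the RP never trusting an OP's word for which identifier it serves: each identifier is tied back to its own discovery, and a change requires proof of control over both sides of the move.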
