Making identities persistent?
Hallam-Baker, Phillip
pbaker at verisign.com
Wed Nov 1 19:09:57 UTC 2006
I'm afraid I still don't get it.
As far as I am concerned the authenticated identifier is the tuple:
(Identity-provider-Id, Identifier)
If we want to have a single identifier there has to be a mechanism for establishing the scope of authority for each IdP over a specific subset of identifiers.
There are only two potential mechanisms I can see for achieving this:
1) A lexicographical convention
2) A signalling registry
> -----Original Message-----
> From: specs-bounces at openid.net
> [mailto:specs-bounces at openid.net] On Behalf Of Pete Rowley
> Sent: Wednesday, November 01, 2006 1:53 PM
> To: Rowan Kerr
> Cc: specs at openid.net
> Subject: Re: Making identities persistent?
>
> Rowan Kerr wrote:
> > On Wed, 2006-11-01 at 11:33 -0500, John Kemp wrote:
> >
> >> I think you need the ability for a user to change his
> >> identifier at the RP (as George notes below) and also at the IdP.
> >>
> >
> > Isn't this already covered in the spec? You accomplish this by
> > creating an HTML page on some website you control with an http-equiv
> > meta tag in it that points to your IdP. Then you use your
> > own url as your Identity, even though ultimately the data is pulled
> > from the IdP.
> >
> > So if you ever want to change IdPs you simply update your
> > html page with the new server. And your Identifier never needs to change.
> >
> Except that the spec specifies that it is the derived
> identifier of the IdP that is used at the RP - which means a
> delegated identifier actually isn't used as an identifier.
> That is not quite the same thing.
>
> --
> Pete
>
>
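The two halves of the argument above (Rowan's "point a page you control at your IdP" and Pete's "the RP works with the IdP-derived identifier") can be made concrete with a small discovery routine. The following is an added example, not code from anyone in this thread or from the OpenID project: it parses the claimed URL's HTML for the OpenID 1.1 delegation markup (`<link rel="openid.server">` and `<link rel="openid.delegate">`, which is what the "meta tag" in Rowan's message refers to in practice), returns the (IdP endpoint, local identifier) tuple that Hallam-Baker treats as the real authenticated identifier, and shows the RP-side check that an assertion must match both halves of that tuple. All URLs and HTML here are constructed sample data.

```python
"""Added example (not from the thread): OpenID 1.1-style delegation discovery
and the RP-side tuple check.  The <link rel="openid.server"> and
<link rel="openid.delegate"> tags are the OpenID 1.1 delegation markup; every
URL and HTML snippet below is constructed sample data, not a real deployment.
"""
from html.parser import HTMLParser
from typing import Dict, NamedTuple, Optional


class AuthenticatedIdentifier(NamedTuple):
    """The tuple Hallam-Baker treats as the real identifier: which IdP is
    authoritative, and which identifier it is being asked to assert."""
    idp_endpoint: str
    local_identifier: str


class _LinkExtractor(HTMLParser):
    """Collect hrefs of <link rel="openid.server|openid.delegate"> inside <head>."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}
        self._in_head = False  # links in <body> are ignored; only <head> is honoured

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head:
            href = a.get("href")
            # rel may carry several whitespace-separated tokens
            for rel in (a.get("rel") or "").lower().split():
                if href and rel in ("openid.server", "openid.delegate") and rel not in self.links:
                    self.links[rel] = href  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover(claimed_url: str, html: str) -> Optional[AuthenticatedIdentifier]:
    """Return the (IdP endpoint, local identifier) the claimed URL delegates to.

    With an openid.server but no openid.delegate, the claimed URL itself is the
    identifier the IdP is asked to assert.  With no server link at all the page
    is not an OpenID identifier, so None is returned.
    """
    p = _LinkExtractor()
    p.feed(html)
    server = p.links.get("openid.server")
    if not server:
        return None
    return AuthenticatedIdentifier(server, p.links.get("openid.delegate", claimed_url))


def assertion_matches(discovered: AuthenticatedIdentifier,
                      asserting_idp: str, asserted_identity: str) -> bool:
    """RP-side check: accept an assertion only if BOTH elements of the tuple
    match what discovery on the claimed URL produced.  Checking only the
    identifier would let any IdP vouch for any identity; checking only the
    endpoint would let the right IdP vouch for the wrong local identifier."""
    return (discovered.idp_endpoint == asserting_idp
            and discovered.local_identifier == asserted_identity)


# --- constructed sample pages ------------------------------------------------
SAMPLE_DELEGATED = """<html><head><title>alice</title>
<link rel="openid.server" href="https://idp-a.example/server">
<link rel="openid.delegate" href="https://idp-a.example/users/alice">
</head><body>hi</body></html>"""

SAMPLE_NO_DELEGATE = """<html><head>
<link rel="openid.server" href="https://idp-a.example/server">
</head><body></body></html>"""

SAMPLE_BODY_ONLY = """<html><head></head><body>
<link rel="openid.server" href="https://idp-a.example/server">
</body></html>"""

if __name__ == "__main__":
    ident = discover("https://alice.example/", SAMPLE_DELEGATED)
    print("discovered tuple:", ident)
    # The RP binds the claimed URL to this tuple; an assertion from another
    # IdP for the same local identifier must be rejected.
    print("same IdP, same id :", assertion_matches(ident, "https://idp-a.example/server",
                                                   "https://idp-a.example/users/alice"))
    print("other IdP         :", assertion_matches(ident, "https://idp-b.example/server",
                                                   "https://idp-a.example/users/alice"))
    print("no delegate       :", discover("https://bob.example/", SAMPLE_NO_DELEGATE))
    print("link only in body :", discover("https://carol.example/", SAMPLE_BODY_ONLY))
```

Changing IdPs, as Rowan describes, means editing the page so `discover` yields a different tuple; Pete's objection is visible in the return value, since the RP keys its decision on `idp_endpoint` and `local_identifier`, not on the claimed URL alone. An RP that stored only the asserted local identifier, without the endpoint it was discovered against, would lose the scope-of-authority binding Hallam-Baker is asking for.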