IdP vs OP (WAS: RE: "Editors" Conference Call)
Pete Rowley
prowley at redhat.com
Tue Nov 7 20:33:56 UTC 2006
John Kemp wrote:
> Drummond Reed wrote:
>
>> And it doesn't stop there. OpenID also supports OPs that
>> ***have zero control over the user's OpenID identifier***. The OP simply
>> provides a service for authenticating that a user has control of the OpenID
>> identifier about which the OP is being queried.
>>
>
> And how does one authenticate that the user has control over an
> identifier? Is it not by having the OpenID IdP having some secret shared
> with the user - maybe a password, say?
>
> A SAML IdP also authenticates that an identifier (issued by the IdP in
> the SAML case) is bound to a particular user.
>
"issued by the IdP in the SAML case" is really the point. While an
identifier /may/ be issued by an OpenID provider (IdP, AA, etc.) that is
really the user's choice; the user chooses their identifier and the user
chooses who is authorized to provide authentication for the identifier.
So really the OP, IdP, AA etc. isn't providing an identifier or an
identity. It is providing an identifier ownership assertion service that
may or may not be backed up by some form of authentication, and that
service provider may be changed.
--
Pete
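The point above, that the OP issues nothing and the user names who may authenticate their identifier, shown as an added example that is not part of the thread: OpenID HTML discovery, where the page at the user's identifier URL carries the link tags naming the OP, plus the relying-party check that an assertion only counts when it comes from the OP that identifier delegates to. The identifier page contents and all URLs below are constructed.

```python
"""Added example: a user-chosen OpenID identifier delegating to an OP.

The identifier is a URL the user controls; the HTML served there names which
OP is authorized to authenticate it (openid2.provider / openid.server) and,
optionally, the local identifier that OP knows the user by (openid2.local_id /
openid.delegate). Switching providers means editing those links, nothing more.
Sample page and URLs are constructed for this example.
"""
from html.parser import HTMLParser


class _LinkCollector(HTMLParser):
    """Collect rel -> href for every <link> tag on the identifier page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():  # rel may carry several tokens
                self.links.setdefault(r.lower(), href)


def discover(identifier_html: str) -> dict:
    """Return the OP endpoint and local id the user's own page declares.
    OpenID 2.0 tag names take precedence over the 1.1 names."""
    p = _LinkCollector()
    p.feed(identifier_html)
    l = p.links
    return {
        "provider": l.get("openid2.provider") or l.get("openid.server"),
        "local_id": l.get("openid2.local_id") or l.get("openid.delegate"),
    }


def assertion_is_from_authorized_op(claimed_id_html: str, asserting_op: str) -> bool:
    """RP-side check: an OP's assertion about a claimed identifier is only
    meaningful if discovery on that identifier names this OP; any other OP
    has no standing to speak for it."""
    return discover(claimed_id_html)["provider"] == asserting_op


# Constructed identifier page: the user picked the identifier and points it at
# an OP that never issued it.
ALICE_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/auth">
<link rel="openid2.local_id" href="https://op.example.net/u/alice42">
</head><body>alice</body></html>"""

# Same identifier after the user switches providers: only the links change.
ALICE_PAGE_MOVED = ALICE_PAGE.replace("op.example.net", "other-op.example.com")
```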