Terminology open issue #1: IdP vs OP

John Kemp frumioj at mac.com
Tue Nov 21 12:47:20 UTC 2006


Dick Hardt wrote:
> Drummond, you have sold out! ;-)
> 
> Your bias at http://openid.net/wiki/index.php/Terminology is showing at:
> 
> IdP vs. OP
> It has been suggested that the specs use the term '''OpenID Provider  
> (OP)''' instead of '''Identity Provider (IdP)'''. However this would  
> diverge from the widely-accepted use of IdP in the SAML, Liberty, and  
> CardSpace communities.
> 
> Actually, CardSpace also uses Identity Selector and STS.

Kim's "Microsoft Vision of an Identity Metasystem" [1] uses not only
those terms, but also says:

"Identity Providers, which issue digital identities. For example, credit
card providers might issue identities enabling payment, businesses might
issue identities to their customers, governments might issue identities
to citizens, and individuals might use self-issued identities in
contexts like signing on to Web sites."

Note the last case - that a user may issue his own identity. As far as I
understand Infocards, the STS is a token service, provided by an IdP. In
other words a specialization of an IdP.

> 
> IdP is a term in federation deployments.

At least some at MSFT don't seem to think that.

> Given the user-centric  
> architecture of OpenID, I think a different name is good, and *your*  
> argument that the server is not providing any *identity* I think is  
> still a great argument!

I believe that the IdP is telling the RP that the claimed identifier has
been authenticated - and that /is/ one (albeit a special one) attribute
of an identity.

Regards,

- John

[1] http://www.identityblog.com/stories/2005/07/05/IdentityMetasystem.htm

> 
> -- Dick
> 
> 
> On 20-Nov-06, at 12:01 PM, Drummond Reed wrote:
> 
>> To tear into the meat of the terminology open issues at
>> http://openid.net/wiki/index.php/Terminology, the first issue has already
>> received quite a bit of discussion: switching from Identity
>> Provider (IdP) to OpenID Provider (OP).
>>
>> I was originally a supporter of this change, because I had always
>> felt Identity Provider was somewhat of a misnomer, particularly
>> when it came to a system like OpenID where the IdP was generally
>> NOT the source of your identifier.
>>
>> However Eve Maler (co-chair of the OASIS SSTC that did SAML and
>> co-editor of the SAML Glossary) made this point in an earlier post:
>>
>> <quote>
>>
>> Just to be clear, "identity provider" in SAML isn't intended to
>> mean that this system entity is providing an identity to a digital
>> subject -- it means that this system entity is providing identity
>> information (specifically verification/authentication info) to a
>> relying party/service provider.
>>
>> From the SAML glossary (now in HTML...):
>>
>> http://www.oasis-open.org/committees/download.php/21053/saml-glossary-2.0-os.html#IdentityProvider
>>
>> http://www.oasis-open.org/committees/download.php/21053/saml-glossary-2.0-os.html#RelyingParty
>>
>> Often, but not always, a SAML authentication authority also serves
>> as an attribute authority:
>>
>> http://www.oasis-open.org/committees/download.php/21053/saml-glossary-2.0-os.html#AttributeAuthority
>>
>> <endquote>
>>
>> For this reason, I have reversed my position and now feel that it
>> would not benefit the OpenID community to use a different term than
>> that already well-established by SAML.
>>
>> -1 to making this change.
>>
>> =Drummond
>>
>> _______________________________________________
>> specs mailing list
>> specs at openid.net
>> http://openid.net/mailman/listinfo/specs