What is delegation for? (was Re: Wrapping Up Proposals)
Johannes Ernst
jernst+openid.net at netmesh.us
Tue Oct 3 02:24:57 UTC 2006
It appears to me that OpenID should be able to do the same thing that
we've been doing in LID: "one-way" nonces.
Basically, the IdP adds a field (the nonce) that contains a current
timestamp. That field must be in the list of signed fields. There is
no need for the RP to create that field (that's why we call it "one-way").
The RP has a 2-hour (or something like that) time window for which it
stores nonces. It performs the following algorithm:
- if the nonce is outside of the 2-hour window, access denied
- if the nonce is in the nonce store, access denied
- if the nonce is not in the nonce store, insert it, and access
allowed.
The 2 hours is the maximum assumed clock drift. It can be larger or
smaller.
On Oct 2, 2006, at 18:58, Recordon, David wrote:
> Good digging, teaches me my OpenID history. :)
>
> So then I still agree that a request nonce can be achieved with the
> return_to URL and then my argument for not making the delegation change
> goes away.
>
> Brad, thoughts on the delegation proposal?
> http://openid.net/pipermail/specs/2006-September/000002.html
>
> --David
>
> -----Original Message-----
> From: joshhoyt at gmail.com [mailto:joshhoyt at gmail.com] On Behalf Of Josh
> Hoyt
> Sent: Monday, October 02, 2006 6:44 PM
> To: Recordon, David
> Cc: specs at openid.net
> Subject: What is delegation for? (was Re: Wrapping Up Proposals)
>
> On 10/2/06, Recordon, David <drecordon at verisign.com> wrote:
>> * IdP-supported Delegation
>> While it reduces complexity, it means that each IdP now has to
>> handle delegated identifiers as well. As the point of delegation is
>> to use an identifier your IdP doesn't assert, for whatever reason, I
>> have a hard time having the IdP know what identifier you're using as
>> it may decide it doesn't like that.
>
> The way that I understand it, the primary benefit of delegation is to
> provide a standard way to use an arbitrary identifier with any OpenID
> IdP. I think that using an identifier "your IdP doesn't assert" is
> really an accident. I haven't looked back through the whole discussion,
> but Brad proposed in June 2005[1] that the delegate be sent in the
> request, so I can't buy the argument that keeping the identifier secret
> was a motivator in the design of delegation.
>
> My delegation proposal is not very different from the one in Brad's
> message. That mechanism I'd also be in favor of, because it is still
> explicit about what is going on (easier to understand and debug, less
> state for RP to track).
>
> Josh
>
> P.S. we should get a copy of the old list archives on openid.net for
> reference purposes, or at least link to them from somewhere
>
> P.P.S. Brad also proposed at around the same time[2] adding a (request)
> nonce, which was rejected because you could just add it to the return_to
> URL
>
> 1. http://lists.danga.com/pipermail/yadis/2005-June/000676.html
> 2. http://lists.danga.com/pipermail/yadis/2005-May/000180.html
>
Johannes Ernst
NetMesh Inc.
http://netmesh.info/jernst
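The RP side of the "one-way" nonce check Johannes describes at the top of this message, written out as an added example (it is not code from the message, from LID or from any OpenID library). It assumes the IdP places the nonce in a field named "nonce" formatted as a UTC timestamp "YYYY-MM-DDTHH:MM:SSZ" with an optional uniqueness suffix, that the list of signed field names arrives comma-separated in a field named "signed", and that the RP has already verified the signature over those fields.

```python
import calendar
import time

# Constructed example of an RP's replay check for a one-way nonce.
# Assumed field names: "nonce" (IdP-issued timestamp plus optional
# suffix) and "signed" (comma-separated list of signed field names).

WINDOW_SECONDS = 2 * 60 * 60  # maximum assumed clock drift, as in the mail


def nonce_timestamp(nonce):
    """Parse the leading UTC timestamp of a nonce into Unix seconds."""
    stamp = time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
    return calendar.timegm(stamp)


class NonceStore:
    """Nonces the RP has accepted, remembered only for the drift window."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._seen = {}  # nonce -> the timestamp it carried

    def _prune(self, now):
        # A nonce older than the window is rejected by the window check
        # anyway, so it no longer needs to occupy the store.
        for nonce, ts in list(self._seen.items()):
            if now - ts > self.window:
                del self._seen[nonce]

    def check_assertion(self, fields, now):
        """Return (accepted, reason) for a signed IdP response."""
        signed = fields.get("signed", "").split(",")
        nonce = fields.get("nonce")
        # The nonce only protects against replay if the signature covers it.
        if nonce is None or "nonce" not in signed:
            return False, "nonce missing or not covered by the signature"
        try:
            ts = nonce_timestamp(nonce)
        except ValueError:
            return False, "nonce is not a timestamp"
        self._prune(now)
        # Drift may run in either direction, so compare the absolute gap.
        if abs(now - ts) > self.window:
            return False, "nonce outside the acceptance window"
        if nonce in self._seen:
            return False, "nonce already used (replay)"
        self._seen[nonce] = ts  # first sighting: remember it, then accept
        return True, "ok"
```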