What is delegation for? (was Re: Wrapping Up Proposals)
Drummond Reed
drummond.reed at cordance.net
Tue Oct 3 05:52:40 UTC 2006
Josh,
I'm honestly torn over this proposal. I've thought about it quite a bit, and
I can see the case from both sides. Although it's easy to dismiss the
privacy issue, there *can* be use cases under which an end-user may not want
to reveal to their IP the identifier they present to the RP.
OTOH, I agree it could eliminate confusion and make it easier to understand
and debug. In addition, many of the IdPs I deal with (XDI.org-Accredited
I-Brokers) already handle synonym management for their customers, so it fits
well with what they do already.
Net net: I agree that this is an important protocol decision, one that will
significantly influence both end-user and IdP practices.
Might I suggest it is important enough to schedule a telecon for so those of
us who care about it can get on the phone, discuss the tradeoffs, and reach
a decision?
I'd be willing to do that any day this week (except Thurs. 4-6PM PT, which
is the XRI TC telecon).
=Drummond
-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf
Of Josh Hoyt
Sent: Monday, October 02, 2006 6:44 PM
To: Recordon, David
Cc: specs at openid.net
Subject: What is delegation for? (was Re: Wrapping Up Proposals)
On 10/2/06, Recordon, David <drecordon at verisign.com> wrote:
> * IdP-supported Delegation
> While it reduces complexity, it means that each IdP now has to
> handle delegated identifiers as well. As the point of delegation is to
> use an identifier your IdP doesn't assert, for whatever reason, I have a
> hard time having the IdP know what identifier you're using as it may
> decide it doesn't like that.
The way that I understand it, the primary benefit of delegation is to
provide a standard way to use an arbitrary identifier with any OpenID
IdP. I think that using an identifier "your IdP doesn't assert" is
really an accident. I haven't looked back through the whole
discussion, but Brad proposed in June 2005[1] that the delegate be
sent in the request, so I can't buy the argument that keeping the
identifier secret was a motivator in the design of delegation.
My delegation proposal is not very different from the one in Brad's
message. That mechanism I'd also be in favor of, because it is still
explicit about what is going on (easier to understand and debug, less
state for RP to track).
Josh
P.S. we should get a copy of the old list archives on openid.net for
reference purposes, or at least link to them from somewhere
P.P.S. Brad also proposed at around the same time[2] adding a (request)
nonce, which was rejected because you could just add it to the
return_to URL
1. http://lists.danga.com/pipermail/yadis/2005-June/000676.html
2. http://lists.danga.com/pipermail/yadis/2005-May/000180.html
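To make concrete the RP-side state Josh refers to (the claimed identifier to delegate mapping the RP must keep when the IdP is only asked about the delegate) and the return_to nonce that made a separate request nonce unnecessary, here is an added Python sketch of an RP. It is not code from this thread or from any OpenID implementation; it assumes the OpenID 1.1 `openid.server`/`openid.delegate` link tags and `checkid_setup`/`id_res` parameter names, a constructed identifier page, hypothetical example.org/example.net/example.com hosts, and leaves signature verification (association or check_authentication) to code outside the sketch.

```python
import re
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed sample: HTML head of the user's claimed identifier page.
CLAIMED_ID = "http://alice.example.org/"
CLAIMED_PAGE = """<html><head>
<link rel="openid.server" href="http://idp.example.net/openid">
<link rel="openid.delegate" href="http://idp.example.net/users/alice">
</head></html>"""

# nonce -> (claimed_id, identity sent to IdP, server): the per-login state
# the RP has to track because the IdP is never told about claimed_id.
PENDING = {}

def discover(html):
    """Pull openid.server and openid.delegate out of the identifier page."""
    tags = dict(re.findall(
        r'<link rel="openid\.(server|delegate)" href="([^"]+)"', html))
    return tags["server"], tags.get("delegate")

def start_login(claimed_id, html, return_to="http://rp.example.com/finish"):
    """Build the checkid_setup redirect URL for the user's browser."""
    server, delegate = discover(html)
    identity = delegate or claimed_id          # IdP is asked about the delegate
    nonce = secrets.token_urlsafe(16)          # RP nonce rides in return_to
    PENDING[nonce] = (claimed_id, identity, server)
    params = {"openid.mode": "checkid_setup",
              "openid.identity": identity,
              "openid.return_to": f"{return_to}?rp_nonce={nonce}",
              "openid.trust_root": "http://rp.example.com/"}
    return server + "?" + urlencode(params)

def finish_login(resp):
    """Check an id_res response (signature assumed verified elsewhere) and
    map the asserted delegate back to the claimed identifier."""
    query = urlparse(resp.get("openid.return_to", "")).query
    nonce = parse_qs(query).get("rp_nonce", [None])[0]
    pending = PENDING.pop(nonce, None)         # one-shot: a second use is a replay
    if pending is None:
        raise ValueError("unknown or replayed rp_nonce in return_to")
    claimed_id, identity, _server = pending
    if resp.get("openid.identity") != identity:
        raise ValueError("IdP asserted an identifier the RP did not request")
    return claimed_id
```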
_______________________________________________
specs mailing list
specs at openid.net
http://openid.net/mailman/listinfo/specs