openid.delegate explained.

Drummond Reed drummond.reed at cordance.net
Tue Oct 3 20:13:45 UTC 2006


Brad, thanks much for posting this. Having spent a ton of time on identifier
abstraction -- largely for the benefit of identifier portability -- I have
enormous respect for this feature.

So I am committed to being super-careful we don't break it just by renaming
it.

My proposal was limited to just that: renaming to solve the semantics
problem. (Ironically, I even understand how it first got the name
"delegation". I doubt you or anyone else anticipated the context into which
that term would be thrust as OpenID grew, and thus the semantic clash that
would arise.)

Josh's proposal does affect how the feature actually works, and he's posted
separately about that. I agree we should be very careful to make sure any
substantive changes don't accidentally break the feature.

=Drummond 


-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf
Of Brad Fitzpatrick
Sent: Tuesday, October 03, 2006 11:59 AM
To: specs at openid.net
Subject: openid.delegate explained.

I don't care what openid.delegate is renamed to.  But I feel strongly
it has to survive ... I think it's one of the most important things to
OpenID, just not well understood.

Let me walk through how it works....

  * User Brad currently uses livejournal.com as his IdP

  * Brad doesn't want his LJ to be his canonical identifier because

      a) he has a better one, under his control ("bradfitz.com"),
         he's just too lazy or incapable of running an IdP there.

      b) he doesn't trust that LJ will stay around forever, or it
         might become evil, stop supporting OpenID, or maybe
         he might want to switch to a better IdP in the future.

  * So Brad gives RPs his "bradfitz.com" identifier.

  * RPs discover that bradfitz.com's IdP is LiveJournal.com, but
    LiveJournal.com knows jack shit about bradfitz.com ... and
    perhaps Brad doesn't trust LJ to know about bradfitz.com ...
    or fears LJ might charge more to use that feature.  etc.

In summary, the most important thing is I can change my $4/year
identifier's IdP every day without informing anybody or making deals with
IdPs, AND IT DOESN'T BREAK MY IDENTITY EVERYWHERE.  All those sites that
thought I was "bradfitz.com" still think I'm bradfitz.com ... it's just a
different IdP asserting that.

Not to mention I can still avoid running my own IdP, adding to the
bootstrappability of all this ... because I imagine a lot of people will
want vanity-plate identifiers (well, never as cool as =BradFitz !) and
getting those early dorks in is important too, but not as important as
disconnecting an IdP from an identifier.  If a given identifier can only
be asserted by one IdP, we have lock-in, and people either don't change
IdPs, or change and break their identifiers.

So openid.delegate is like cellphone number portability.

I urge everybody not to accidentally break this while renaming it.

- Brad



_______________________________________________
specs mailing list
specs at openid.net
http://openid.net/mailman/listinfo/specs
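The mechanism Brad walks through above (an RP reads bradfitz.com's page, finds which IdP to talk to and which identifier that IdP actually knows, then maps the IdP's assertion back to bradfitz.com) in runnable form. This is an added example, not code from the thread or from any OpenID library; it follows the OpenID 1.1 link-tag convention (`openid.server`, `openid.delegate`) and builds a `checkid_setup` redirect, but every page body, server URL and response below is a constructed sample, and it stops at the identity-mapping step (the signature check a real RP must also perform on the IdP's response is out of scope here). The function names `discover`, `checkid_request` and `claimed_identity_from_response` are this example's own.

```python
"""Toy OpenID 1.1-style discovery and delegation mapping (added example).

All identity pages, endpoint URLs and responses are constructed samples.
Signature verification of the IdP's response is deliberately omitted.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode


class _LinkRelParser(HTMLParser):
    """Collect <link rel=... href=...> tags from an HTML identity page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attrs = dict(attrs)
        rel, href = attrs.get("rel"), attrs.get("href")
        if rel and href:
            for r in rel.split():
                # First occurrence wins, as most RPs of the era did.
                self.links.setdefault(r.lower(), href)


def discover(claimed_id, page_html):
    """Return (server, delegate) for a claimed identifier's page.

    Without an openid.delegate tag the IdP asserts the claimed identifier
    itself, so the delegate defaults to claimed_id.
    """
    parser = _LinkRelParser()
    parser.feed(page_html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link on identity page")
    delegate = parser.links.get("openid.delegate", claimed_id)
    return server, delegate


def checkid_request(server, delegate, return_to):
    """Build the checkid_setup redirect the RP sends the user to.

    openid.identity carries the delegate, not the claimed id: the IdP only
    needs to know about the identifier it hosts (LJ never hears of bradfitz.com).
    """
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": delegate,
        "openid.return_to": return_to,
    }
    return server + "?" + urlencode(params)


def claimed_identity_from_response(claimed_id, delegate, response):
    """Map a positive assertion from the IdP back to the claimed identifier.

    The RP accepts the assertion only if the identity asserted is exactly the
    delegate discovered from claimed_id's own page; any other IdP's assertion
    is ignored unless that page is changed to point at it. That binding is
    what lets the owner swap IdPs without the RP's view of them changing.
    """
    if response.get("openid.mode") != "id_res":
        return None
    if response.get("openid.identity") != delegate:
        return None
    return claimed_id


# Constructed sample identity pages: same claimed identifier, two IdPs.
CLAIMED_ID = "http://bradfitz.com/"
PAGE_VIA_LJ = """<html><head>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://bradfitz.livejournal.com/">
</head><body>Brad</body></html>"""
PAGE_VIA_OTHER = """<html><head>
<link rel="openid.server" href="http://idp.example.net/openid">
<link rel="openid.delegate" href="http://idp.example.net/users/brad">
</head><body>Brad</body></html>"""


def demo(page_html):
    """Run discovery, build the request, and map a constructed id_res back."""
    server, delegate = discover(CLAIMED_ID, page_html)
    url = checkid_request(server, delegate, "http://rp.example.org/finish")
    # Constructed positive assertion, as the discovered IdP would return it.
    response = {"openid.mode": "id_res", "openid.identity": delegate}
    who = claimed_identity_from_response(CLAIMED_ID, delegate, response)
    return server, delegate, url, who


if __name__ == "__main__":
    for page in (PAGE_VIA_LJ, PAGE_VIA_OTHER):
        server, delegate, url, who = demo(page)
        print(f"IdP={server}\n  asserts={delegate}\n  RP treats user as {who}")
```

Running it shows the portability point directly: the two pages name different IdPs and different hosted identifiers, yet `demo` returns `http://bradfitz.com/` for both, so an RP that stored that string keeps recognising the same user after the switch. The converse check in `claimed_identity_from_response` is the part an RP must not skip: an assertion whose `openid.identity` is not the delegate found on the claimed identifier's page is rejected.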
