openid.delegate explained.

Drummond Reed drummond.reed at cordance.net
Wed Oct 4 07:22:45 UTC 2006


>> Josh Hoyt wrote:
>> 
>> An example to illustrate how delegation can make it hard to understand
>> what's going on:
>> 
>> 1. Set up an IdP that will let me verify, say "bradfitz.com." This
>> does not mean that I have any control of bradfitz.com, just that if I
>> did, I could use this IdP.
>> 
>> 2. Set up an identifier, say "j3h.us" to use "bradfitz.com" as a
>> delegate, and to use my weirdo IdP.
>> 
>> 3. Do authentication of "j3h.us" to a RP, and the messages that go
>> back and forth will be about "bradfitz.com" and the authentication
>> will succeed. The confusing part is that this is the correct
>> behaviour.
>> 
>
>Martin Atkins wrote:
>
>And all you've achieved here is to hand your identifier over to Brad.

I can't tell if you're joking or not, but Josh isn't handing over control of
"bradfitz.com" to Brad. It just means that Josh's weirdo IdP has allowed
Josh to register the identifier "bradfitz.com" in the IdP's namespace. So in
THAT namespace only, that's Josh's identifier. Yes that would be a highly
unadvised IdP policy, but that's the weirdo IdP Josh chose ;-)

>But I agree with you that the delegate identifier might as well just be 
>an opaque string per the current spec. This is not inconsistent with my 
>post yesterday saying that delegation should be the only case, not a 
>special case. There's no disadvantage to this, since the identifier you 
>present to your IdP *can* be the same as the one you present to RPs, but 
>if delegate is the only mode of operation then it makes the spec simpler 
>and thus easier to understand.
>
>(and it no longer needs to be called "delegate", because it doesn't need 
>to be called anything other than "the only way to do it".)

Very interesting observation, Martin. I've spent the last six hours writing
up a fairly exhaustive analysis of this whole issue (both to help close the
issue here, and to help close a closely related issue in XRI Resolution 2.0
Working Draft 11, into which we're incorporating the Yadis spec).

I believe the final analysis may support your conclusion. But it's past
midnight now and since I want to finish it with a clear mind, it will have
to wait until tomorrow morning.

=Drummond 
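The flow in Josh's three steps, seen from the RP side, as an added example that is not part of the original thread or of any OpenID library: the RP reads the `openid.server` and `openid.delegate` links from the claimed page, accepts an assertion about the delegate only from the IdP that page names, and keys the account on the claimed identifier. The function names and the `idp.example` URL are assumptions, and the sample page is constructed.

```python
from html.parser import HTMLParser

# Constructed sample: the page served at the claimed identifier http://j3h.us/.
# The IdP URL is a placeholder; the delegate is the one from the thread.
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="https://idp.example/auth">
<link rel="openid.delegate" href="http://bradfitz.com/">
</head><body></body></html>"""

class _LinkRels(HTMLParser):
    """Collect <link rel=... href=...> pairs from a page."""
    def __init__(self):
        super().__init__()
        self.rels = {}
    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").lower().split():
            self.rels.setdefault(rel, a.get("href"))

def discover(page_html):
    """Return (idp_endpoint, delegate_or_None) advertised by the claimed page."""
    parser = _LinkRels()
    parser.feed(page_html)
    server = parser.rels.get("openid.server")
    if not server:
        raise ValueError("no openid.server link: not an OpenID identifier page")
    return server, parser.rels.get("openid.delegate")

def verify_assertion(claimed_id, page_html, responding_idp, asserted_identity):
    """Return the identifier to key the local account on, or None to reject.

    Assumes the signature on the response was already verified against
    responding_idp; that step is outside this example.
    """
    server, delegate = discover(page_html)
    if responding_idp != server:
        return None  # response came from an IdP the claimed page does not name
    if asserted_identity != (delegate or claimed_id):
        return None  # IdP vouched for a different name than the page delegates to
    # The delegate only has meaning in that IdP's namespace, so the account
    # is bound to the identifier the user typed, never to the delegate string.
    return claimed_id
```
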



