openid.delegate explained.
Martin Atkins
mart at degeneration.co.uk
Wed Oct 4 17:52:24 UTC 2006
>> And all you've achieved here is to hand your identifier over to Brad.
>
> Not at all! My IdP will only accept my credentials. If Brad pointed
> his identifier to my IdP, he'd have handed it over to me, but there is
> no way that he can use MY IdP even though it would make an assertion
> about /his/ URL.
>
Okay. I misunderstood your scenario.
Now that I understand what you mean, this makes me think all the more
that the current "delegate" identifier should just be "token I log into
my IdP with" and have no other meaning. I'm not really bothered about
whether it remains a URI or just becomes some opaque string.
The nice thing about separating these two issues is that, even if we
retain the requirement that this be a URI, it doesn't need to be a
resolvable URI. I could give "mailto:me@mydomain.com" to a hypothetical
IdP that identifies users by email addresses, for example.
Now that I've collected my thoughts a bit more I'll post this as a
top-level proposal and stop clogging up this thread with my rambling. :)
Cheers,
Martin
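The scenario discussed in the thread, as an added example that is not part of the original message: an OpenID 1.x relying party reads openid.server and openid.delegate from the claimed identifier's page, sends the delegate (not the claimed URL) to the IdP as openid.identity, and on return checks that the identity the IdP asserted is the delegate listed on that page. The IdP, for its part, only accepts its own credentials for that delegate. The HTML pages, URLs, account table and password values are all constructed for illustration; signature verification (associations, openid.sig) is omitted.

```python
"""Added example: OpenID 1.x delegation as seen by an RP and an IdP.
Pages, hosts, accounts and passwords below are constructed, not real."""
from html.parser import HTMLParser
from urllib.parse import urlencode


class _OpenIDLinkParser(HTMLParser):
    """Collect <link rel="openid.*" href="..."> from the claimed identifier's page."""

    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href and rel.startswith("openid."):
            self.rels.setdefault(rel, href)  # first occurrence wins


def discover(page_html):
    """Return (openid.server, openid.delegate or None) for a claimed identifier."""
    p = _OpenIDLinkParser()
    p.feed(page_html)
    server = p.rels.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link on the claimed identifier's page")
    # The delegate is never fetched by the RP, so it need not be resolvable:
    # a mailto: URI is as good as an http: one.
    return server, p.rels.get("openid.delegate")


def build_checkid_setup(claimed_id, page_html, return_to, trust_root):
    """Build the checkid_setup URL; openid.identity is the delegate if one is given."""
    server, delegate = discover(page_html)
    identity = delegate or claimed_id
    query = urlencode({
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    })
    return server + ("&" if "?" in server else "?") + query


def idp_accepts(accounts, identity, password):
    """IdP side: the delegate is just the token a user logs in with.
    Only the holder of that account's credentials can obtain an assertion."""
    return accounts.get(identity) == password


def rp_accepts_assertion(claimed_id, page_html, asserted_identity):
    """RP side: the identity the IdP asserted must be the delegate published on
    the claimed identifier's page (or the page URL itself when no delegate is set)."""
    _server, delegate = discover(page_html)
    return asserted_identity == (delegate or claimed_id)


# Constructed pages. Martin's page points at his own IdP with a mailto: delegate.
MARTIN_URL = "http://martin.example/"
MARTIN_PAGE = (
    '<html><head>'
    '<link rel="openid.server" href="https://idp.example.org/openid">'
    '<link rel="openid.delegate" href="mailto:me@mydomain.com">'
    '</head></html>'
)
# Brad's page copies Martin's server and delegate (the "hand it over" case).
BRAD_URL = "http://brad.example/"
BRAD_PAGE = MARTIN_PAGE
# Constructed account table at Martin's IdP (password stored in the clear only
# to keep the example short; a real IdP would hash it).
IDP_ACCOUNTS = {"mailto:me@mydomain.com": "martins-secret"}


if __name__ == "__main__":
    print(build_checkid_setup(MARTIN_URL, MARTIN_PAGE,
                              "https://rp.example/return", "https://rp.example/"))
    # Brad cannot log into Martin's IdP as Martin's delegate ...
    print("Brad logs in:", idp_accepts(IDP_ACCOUNTS, "mailto:me@mydomain.com", "guess"))
    # ... but Martin can, and the RP then accepts Martin as Brad's URL.
    print("Martin logs in:", idp_accepts(IDP_ACCOUNTS, "mailto:me@mydomain.com", "martins-secret"))
    print("RP maps assertion to Brad's URL:",
          rp_accepts_assertion(BRAD_URL, BRAD_PAGE, "mailto:me@mydomain.com"))
```

Running the block shows both halves of the point made in the thread: Brad's page naming Martin's IdP and delegate does not let Brad obtain an assertion, because the IdP checks Martin's credentials for that delegate, while Martin can now complete a login as Brad's URL, since the RP maps the asserted delegate back to whichever page published it.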