openid.delegate explained.
Dick Hardt
dick at sxip.com
Wed Oct 4 17:59:05 UTC 2006
On 4-Oct-06, at 10:52 AM, Martin Atkins wrote:
>
>>> And all you've achieved here is to hand your identifier over to
>>> Brad.
>>
>> Not at all! My IdP will only accept my credentials. If Brad pointed
>> his identifier to my IdP, he'd have handed it over to me, but there is
>> no way that he can use MY IdP even though it would make an assertion
>> about /his/ URL.
>>
>
> Okay. I misunderstood your scenario.
>
> Now that I understand what you mean, this makes me think all the more
> that the current "delegate" identifier should just be "token I log into
> my IdP with" and have no other meaning. I'm not really bothered about
> whether it remains a URI or just becomes some opaque string.
>
> The nice thing about separating these two issues is that, even if we
> retain the requirement that this be a URI, it doesn't need to be a
> resolvable URI. I could give "mailto:me at mydomain.com" to a hypothetical
> IdP that identifies users by email addresses, for example.
The RP needs to resolve the identifier to check who is authoritative
for it.

If you create a mechanism for how to resolve who owns
"mailto:me at mydomain.com", then it works.

That functionality is needed to prevent any IdP from being
authoritative for an arbitrary URI.
-- Dick
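The check Dick describes, as an added example that is not part of the thread and not code from any OpenID implementation: an OpenID 1.1 relying party fetches the claimed identifier URL, reads its openid.server and openid.delegate links, and accepts an assertion only if the IdP that produced it and the identity it names are the ones that page declares. The hostnames, delegate URLs, passwords and the PAGES table standing in for HTTP fetches are all constructed for the simulation. It walks Martin's scenario (Brad pointing his URL at Martin's IdP hands Brad's identifier to Martin, but Brad still cannot use Martin's IdP), shows a rogue IdP being refused for martin.example, and shows that a mailto: identifier fails at the first step because there is no resolution mechanism for it.

```python
"""Added simulation of OpenID 1.1 RP discovery and the authority check.
Hosts, delegates, passwords and page bodies below are made up."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for HTTP GETs of identifier URLs (runs offline).
# Brad's page has been edited by Brad to point at Martin's IdP/delegate.
PAGES = {
    "http://martin.example/": (
        '<html><head>'
        '<link rel="openid.server" href="https://idp.martin.example/openid">'
        '<link rel="openid.delegate" href="https://idp.martin.example/u/martin">'
        '</head></html>'),
    "http://brad.example/": (
        '<html><head>'
        '<link rel="openid.server" href="https://idp.martin.example/openid">'
        '<link rel="openid.delegate" href="https://idp.martin.example/u/martin">'
        '</head></html>'),
}

# Constructed credential store: Martin's IdP only knows Martin.
IDP_ENDPOINT = "https://idp.martin.example/openid"
IDP_USERS = {"https://idp.martin.example/u/martin": "martin-secret"}


class OpenIDLinkParser(HTMLParser):
    """Collect <link rel="openid.*" href="..."> tags from an HTML page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attr = dict(attrs)
        href = attr.get("href")
        for rel in (attr.get("rel") or "").split():
            if rel.startswith("openid.") and href:
                self.links[rel] = href


def discover(claimed_id):
    """Resolve a claimed identifier to (server, delegate) by fetching it.
    Only http(s) URLs can be fetched; a mailto: identifier has no defined
    resolution mechanism, which is the gap the reply points out."""
    scheme = urlparse(claimed_id).scheme
    if scheme not in ("http", "https"):
        raise ValueError(f"no discovery mechanism for {scheme!r} identifiers")
    body = PAGES.get(claimed_id)
    if body is None:
        raise LookupError(f"{claimed_id} does not resolve")
    parser = OpenIDLinkParser()
    parser.feed(body)
    server = parser.links.get("openid.server")
    if server is None:
        raise LookupError(f"{claimed_id} carries no openid.server link")
    # Without openid.delegate, the IdP is asked about the claimed URL itself.
    return server, parser.links.get("openid.delegate", claimed_id)


def idp_assert(identity, password):
    """Simulated IdP: issues an assertion only for a user it can authenticate."""
    if IDP_USERS.get(identity) != password:
        return None
    return {"endpoint": IDP_ENDPOINT, "identity": identity}


def rp_accepts(claimed_id, assertion):
    """RP check: the page controlled by the owner of claimed_id must name both
    the IdP that produced the assertion and the identity it asserts."""
    if assertion is None:
        return False
    server, delegate = discover(claimed_id)
    return assertion["endpoint"] == server and assertion["identity"] == delegate


if __name__ == "__main__":
    martin = idp_assert("https://idp.martin.example/u/martin", "martin-secret")
    print("martin -> martin.example:", rp_accepts("http://martin.example/", martin))
    # Brad pointed his URL at Martin's IdP, so Martin can now log in as Brad...
    print("martin -> brad.example:  ", rp_accepts("http://brad.example/", martin))
    # ...but Brad cannot use Martin's IdP: it rejects his credentials.
    brad = idp_assert("https://idp.martin.example/u/martin", "brad-guess")
    print("brad  -> brad.example:   ", rp_accepts("http://brad.example/", brad))
    # A rogue IdP asserting for martin.example is refused: wrong endpoint.
    rogue = {"endpoint": "https://evil.example/openid",
             "identity": "https://idp.martin.example/u/martin"}
    print("rogue -> martin.example: ", rp_accepts("http://martin.example/", rogue))
    try:
        discover("mailto:me@mydomain.com")
    except ValueError as e:
        print("mailto:", e)
```

The authority check lives entirely in `rp_accepts`: the RP never trusts an assertion on its own, only an assertion that matches what the claimed identifier's own page says, so an arbitrary IdP cannot speak for a URL whose page does not point at it. Giving a mailto: identifier the same protection would mean defining the equivalent of `discover` for that scheme.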