Consolidated Delegate Proposal
Dick Hardt
dick at sxip.com
Tue Oct 10 19:01:38 UTC 2006
On 10-Oct-06, at 11:58 AM, Josh Hoyt wrote:
> On 10/10/06, Dick Hardt <dick at sxip.com> wrote:
>> My proposal was pretty much your proposal with a couple tweaks
>> (sorry, I should have listed these to make it clearer)
>
>> - the IdP can return a different identity than the one the RP sent
>> over
>
> I question whether this is something we want to encourage. I think
> it's a separate issue from the delegation mechanism. If the user wants
> to choose an identifier, he'll use IdP-driven selection instead of
> entering an identifier. I don't feel strongly about this, but I do
> feel strongly that this should be decoupled from the delegation
> discussion.
I think this greatly simplifies the protocol and how it works.
>
>> - since the delegate is only used by the IdP, the spec can be
>> simplified (in fact, this can be out of band of the spec since it is
>> a protocol between the user and the IdP, the RP is not involved)
>
> This was exactly my original proposal:
> "A request for a delegated identifier and a request for a
> non-delegated identifier would be the same for the relying party,
> and the final, verified identifier would always be included in the
> request/response."
Yes, that was in your proposal.
What I am saying is that we can remove significant discussion about
delegate from the spec, and potentially remove it entirely.