Identifier portability: the fundamental issue
Granqvist, Hans
hgranqvist at verisign.com
Fri Oct 13 20:26:12 UTC 2006
> "To achieve identifier portability in OpenID, it MUST be
> possible for the RP and the IdP to identify the user using
> two different identifiers: an identifier by which the RP
> knows the user (the portable identifier), and an identifier
> by which the IdP knows the user (the IdP-specific identifier)."
There is no reason why the IdP MUST be required to know both
identifiers for identifier portability to be possible in
the system.
> I would submit that if this postulate is true, then OpenID
> Authentication 2.0 requires two identifier parameters because
> if the protocol only allows sending one, then:
>
> 1) If the RP sends the IdP-specific identifier, the RP must
> keep state to maintain mapping to the portable identifier (bad), and
Why is it so bad for an RP to be required to maintain such state?
(Besides, an RP could advertise whether it is willing to keep that
state, and the user would decide what to do.)
Keeping such state seems a very slight inconvenience for a much
greater goal: true portability of my identifiers.
What the IdP doesn't know, it cannot take away.
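As an added illustration of the position argued above (this is example code written for this page, not the poster's code and not the OpenID wire protocol), here is a simplified model of a relying party that keys its accounts on the portable identifier and keeps, per account, the delegation it last discovered. The IdP only ever asserts its own IdP-local identifier; the RP binds that to the portable identifier itself, so changing IdPs is a change to the user's discovery document, not something the old IdP participates in. The hostnames, the `Delegation` type and the dict standing in for discovery are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Delegation:
    """Result of discovery on a portable identifier: which IdP currently
    speaks for it, and under which IdP-local identifier."""
    idp_endpoint: str
    idp_local_id: str


class RelyingParty:
    """RP that keys accounts on the portable identifier and remembers, per
    account, the delegation it last discovered. `discovery` is a constructed
    stand-in for fetching the document at the portable identifier."""

    def __init__(self, discovery):
        self.discovery = discovery   # portable id -> Delegation (the user controls this)
        self.accounts = {}           # portable id -> account record
        self.mapping = {}            # portable id -> Delegation the RP last saw

    def discover(self, portable_id):
        delegation = self.discovery.get(portable_id)
        if delegation is None:
            raise LookupError("no delegation published for %s" % portable_id)
        self.mapping[portable_id] = delegation
        return delegation

    def login(self, portable_id, asserting_idp, asserted_local_id):
        """Accept an IdP assertion only if it comes from the IdP, and names the
        IdP-local identifier, that the portable identifier currently delegates
        to. The IdP never sees the portable identifier; the RP does the binding."""
        expected = self.discover(portable_id)
        if (asserting_idp, asserted_local_id) != (expected.idp_endpoint, expected.idp_local_id):
            return None              # some other IdP, or a stale/foreign local id
        account = self.accounts.setdefault(portable_id, {"logins": 0})
        account["logins"] += 1
        return account


def move_idp_scenario():
    """Constructed scenario: Alice logs in via idp-one, re-delegates her
    portable identifier to idp-two, logs in again and keeps the same account.
    A later assertion from idp-one is rejected because discovery no longer
    points at it."""
    alice = "https://alice.example/"
    discovery = {
        alice: Delegation("https://idp-one.example/auth", "https://idp-one.example/u/alice"),
    }
    rp = RelyingParty(discovery)

    first = rp.login(alice, "https://idp-one.example/auth", "https://idp-one.example/u/alice")
    # Alice edits her own discovery document; the old IdP is not consulted.
    discovery[alice] = Delegation("https://idp-two.example/auth", "https://idp-two.example/u/a1")
    second = rp.login(alice, "https://idp-two.example/auth", "https://idp-two.example/u/a1")
    stale = rp.login(alice, "https://idp-one.example/auth", "https://idp-one.example/u/alice")

    return (
        first is second,     # the account survived the move
        second["logins"],    # 2
        stale is None,       # the old IdP can no longer log Alice in
        len(rp.accounts),    # still one account
    )


if __name__ == "__main__":
    print(move_idp_scenario())
```

The state the RP keeps here is one small record per account (the last delegation seen), which is the "slight inconvenience" the post refers to; the check in `login` is what makes the old IdP unable to act on the portable identifier once the user has re-delegated it.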
> ...