Identifier portability: the fundamental issue
Marius Scurtescu
marius at sxip.com
Fri Oct 13 21:26:58 UTC 2006
On 13-Oct-06, at 12:59 PM, Drummond Reed wrote:
> Yesterday we established consensus that with OpenID, identifier portability is sacred.
>
> Today I'd like to establish consensus on the following "postulate":
>
> "To achieve identifier portability in OpenID, it MUST be possible for the RP and the IdP to identify the user using two different identifiers: an identifier by which the RP knows the user (the portable identifier), and an identifier by which the IdP knows the user (the IdP-specific identifier)."
>
> I would submit that if this postulate is true, then OpenID Authentication 2.0 requires two identifier parameters because if the protocol only allows sending one, then:
>
> 1) If the RP sends the IdP-specific identifier, the RP must keep state to maintain mapping to the portable identifier (bad), and
I agree with that.
>
> 2) If the RP sends the portable identifier, an IdP is forced to do a resolution a second time after the RP has already done resolution (bad).
No, the IdP is not forced to do a resolution. The IdP already knows that.
>
> OTOH, if the postulate is false, then a case can be made for OpenID Authentication 2.0 having just one identifier parameter.
>
> PROOF
>
> CASE 1: the protocol supports only IdP-specific identifiers and no portable identifiers.
>
> RESULT: IdPs can achieve identifier lockin. Not acceptable. End of Case 1.
Agreed.
>
> CASE 2: the protocol supports only portable identifiers and no IdP-specific identifiers.
>
> RESULT: IdP is forced to know and store all portable identifiers for a user, including identifiers for which the IdP is not authoritative, and users
Why would the IdP need to know identifiers over which it is not authoritative?
> would be forced to register all their portable identifiers with their IdP, and to update these registrations every time the user adds or deletes a portable identifier. Highly undesirable if not impossible.
I don't see this as undesirable but as necessary. If I have a portable identifier and I configure it to point to some IdP for authentication it only makes sense for the IdP to know about the identifier as well.
Marius
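As an added illustration (not part of this thread and not any OpenID implementation's code), the following Python sketches a stateless RP that carries both identifiers on the wire, using the parameter names the final OpenID 2.0 spec later adopted (openid.claimed_id, openid.identity, openid.op_endpoint). The discovery table, identifier URLs, endpoints and callback URL are constructed stand-ins. It shows why two parameters spare the RP the mapping state from point 1, and the check the RP performs on return so that an IdP can only vouch for a portable identifier that actually delegates to it, which is the concern behind the "not authoritative" exchange above. Signature, nonce and return_to verification are left out.

```python
"""Added example: a stateless RP handling a portable identifier and an
IdP-specific identifier in one OpenID-style exchange. Parameter names follow
the final OpenID 2.0 spec; every URL below is constructed for the example."""

from urllib.parse import urlencode, parse_qs

# Constructed stand-in for Yadis/HTML discovery: portable identifier ->
# (IdP endpoint, IdP-specific identifier). A real RP fetches this from the
# identifier URL itself; it is hard-coded so the example runs offline.
DISCOVERY = {
    "https://alice.example.net/": (
        "https://idp.example.org/auth",
        "https://idp.example.org/u/alice",
    ),
    "https://bob.example.net/": (
        "https://other-idp.example.com/auth",
        "https://other-idp.example.com/u/bob",
    ),
}


def discover(claimed_id):
    """Resolve a portable identifier to (op_endpoint, op_local_id)."""
    try:
        return DISCOVERY[claimed_id]
    except KeyError:
        raise ValueError("discovery failed for %s" % claimed_id)


def build_auth_request(claimed_id, return_to):
    """Build the checkid_setup redirect URL. Both identifiers travel in the
    request, so the RP keeps no table mapping one to the other."""
    op_endpoint, op_local_id = discover(claimed_id)
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,   # portable identifier (RP's view)
        "openid.identity": op_local_id,    # IdP-specific identifier (IdP's view)
        "openid.return_to": return_to,
    }
    return op_endpoint + "?" + urlencode(params)


def verify_assertion(query_string):
    """Check a positive assertion carried in the return_to query string.
    The RP re-runs discovery on the returned claimed_id and requires that
    the asserting endpoint and the local identifier match what discovery
    says, so an IdP cannot assert a portable identifier that does not
    delegate to it. Returns the verified claimed_id, or None on rejection."""
    q = {k: v[0] for k, v in parse_qs(query_string).items()}
    if q.get("openid.mode") != "id_res":
        return None
    claimed_id = q.get("openid.claimed_id")
    try:
        op_endpoint, op_local_id = discover(claimed_id)
    except ValueError:
        return None
    if q.get("openid.op_endpoint") != op_endpoint:
        return None
    if q.get("openid.identity") != op_local_id:
        return None
    return claimed_id


if __name__ == "__main__":
    url = build_auth_request("https://alice.example.net/", "https://rp.example/cb")
    print("redirect to:", url)
    # Constructed positive assertion from the IdP that alice delegates to.
    ok = urlencode({
        "openid.mode": "id_res",
        "openid.claimed_id": "https://alice.example.net/",
        "openid.identity": "https://idp.example.org/u/alice",
        "openid.op_endpoint": "https://idp.example.org/auth",
    })
    print("accepted:", verify_assertion(ok))
    # Constructed assertion from an IdP that alice's identifier does not
    # delegate to: rejected because discovery disagrees with the assertion.
    bad = urlencode({
        "openid.mode": "id_res",
        "openid.claimed_id": "https://alice.example.net/",
        "openid.identity": "https://other-idp.example.com/u/bob",
        "openid.op_endpoint": "https://other-idp.example.com/auth",
    })
    print("accepted:", verify_assertion(bad))
```

The design point is that the RP never needs to store which local identifier belongs to which portable identifier between the request and the response: both come back in the assertion, and discovery is the source of truth the RP checks them against.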