Identifier portability: the fundamental issue

Marius Scurtescu marius at sxip.com
Fri Oct 13 21:26:58 UTC 2006


On 13-Oct-06, at 12:59 PM, Drummond Reed wrote:

> Yesterday we established consensus that with OpenID, identifier portability
> is sacred.
>
> Today I'd like to establish consensus on the following "postulate":
>
> "To achieve identifier portability in OpenID, it MUST be possible for the RP
> and the IdP to identify the user using two different identifiers: an
> identifier by which the RP knows the user (the portable identifier), and an
> identifier by which the IdP knows the user (the IdP-specific identifier)."
>
> I would submit that if this postulate is true, then OpenID Authentication
> 2.0 requires two identifier parameters because if the protocol only allows
> sending one, then:
>
> 1) If the RP sends the IdP-specific identifier, the RP must keep state to
> maintain mapping to the portable identifier (bad), and

I agree with that.

>
> 2) If the RP sends the portable identifier, an IdP is forced to do a
> resolution a second time after the RP has already done resolution (bad).

No, the IdP is not forced to do a resolution. The IdP already knows that.

>
> OTOH, if the postulate is false, then a case can be made for OpenID
> Authentication 2.0 having just one identifier parameter.
>
> PROOF
>
> CASE 1: the protocol supports only IdP-specific identifiers and no portable
> identifiers.
>
> RESULT: IdPs can achieve identifier lockin. Not acceptable. End of Case 1.

Agreed.

>
> CASE 2: the protocol supports only portable identifiers and no IdP-specific
> identifiers.
>
> RESULT: IdP is forced to know and store all portable identifiers for a user,
> including identifiers for which the IdP is not authoritative, and users

Why would the IdP need to know identifiers over which it is not authoritative?


> would be forced to register all their portable identifiers with their IdP,
> and to update these registrations every time the user adds or deletes a
> portable identifier. Highly undesirable if not impossible.

I don't see this as undesirable but as necessary. If I have a portable
identifier and I configure it to point to some IdP for authentication it only
makes sense for the IdP to know about the identifier as well.

Marius
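As an added illustration of the two-identifier flow argued over in this thread (constructed for this page, not code from the thread or from any OpenID implementation): the RP resolves the portable identifier once, sends both identifiers, and on return verifies statelessly that the portable identifier really maps to the asserted IdP-specific one, while the IdP authenticates by its own identifier and does no resolution. The discovery table, the parameter names and the HMAC association secret are assumptions.

```python
import hmac
import hashlib
import json

# Constructed discovery data: what the RP learns by resolving a portable
# identifier (the IdP endpoint that serves it and the IdP-specific identifier
# it delegates to). Two portable identifiers may map to the same IdP account.
DISCOVERY = {
    "https://alice.example.net/": ("https://idp.example.org/auth", "alice-42"),
    "https://alice-blog.example.com/": ("https://idp.example.org/auth", "alice-42"),
}

# Constructed shared secret standing in for an RP/IdP association.
SECRET = b"constructed-association-secret"


def rp_build_request(portable_id):
    """RP resolves the portable identifier once and sends BOTH identifiers.
    It keeps no per-user mapping: the portable identifier rides along."""
    endpoint, idp_id = DISCOVERY[portable_id]
    return {"endpoint": endpoint, "portable_id": portable_id, "idp_id": idp_id}


def idp_sign(message):
    body = json.dumps(message, sort_keys=True).encode()
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()


def idp_respond(request, authenticated_idp_id):
    """IdP authenticates the user by the IdP-specific identifier it owns and
    echoes the portable identifier back unchanged; no resolution on its side."""
    if authenticated_idp_id != request["idp_id"]:
        return None  # the logged-in account is not the one the RP asked about
    assertion = {"endpoint": request["endpoint"],
                 "portable_id": request["portable_id"],
                 "idp_id": request["idp_id"]}
    return {**assertion, "sig": idp_sign(assertion)}


def rp_verify(response):
    """Stateless check: valid signature, then re-resolve the portable identifier
    and confirm it delegates to exactly the asserting endpoint and IdP id."""
    if response is None:
        return False
    assertion = {k: v for k, v in response.items() if k != "sig"}
    if not hmac.compare_digest(idp_sign(assertion), response["sig"]):
        return False
    discovered = DISCOVERY.get(response["portable_id"])
    return discovered == (response["endpoint"], response["idp_id"])
```

The final re-resolution is what lets the RP accept the echoed portable identifier without trusting the IdP's word for it: an assertion pairing a portable identifier with an IdP-specific identifier it does not delegate to fails the check.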



