IdP assisting user to present previous identifier

Drummond Reed drummond.reed at cordance.net
Thu Oct 19 15:40:42 UTC 2006


I agree the scenarios Dick proposes here make sense. However if the IdP can
change an identifier parameter, it should be openid.portable, since: a)
that's the one the RP is going to store, and b) that's the one the IdP MUST
return with a different value anyway in the directed identity use case (case
1 at http://www.lifewiki.net/openid/ConsolidatedDelegationProposal).

We need to carefully consider the security implications, but I believe they
are covered by a simple rule: if the IdP returns a DIFFERENT openid.portable
parameter value than the one sent by the RP, then the RP MUST verify that
the IdP is authoritative for the new openid.portable identifier by doing
discovery. If the RP finds that a different IdP is authoritative, it MUST
reinitiate login with that IdP.

(Which essentially amounts to an "OpenID login redirect".)

=Drummond

-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf
Of Dick Hardt
Sent: Thursday, October 19, 2006 12:19 AM
To: specs at openid.net
Subject: IdP assisting user to present previous identifier

I expect I will have a number of OpenIDs, as well as lots of directed
identities. I would like my IdP to keep track of which identity I use
at what RP. I may forget which public identifier I used at a site,
and type in the wrong one, and end up creating a new account and be
confused. I may have used a directed identity, and forget and type in
a public one, and then once again be creating a new account and be
confused.

I would like my IdP to be able to suggest which identifier I want to
be in situations where I am using a different one from what I used in
the past. This means that the following from:

	http://www.lifewiki.net/openid/ConsolidatedDelegationProposal

IdP Rules for Identifier Parameters

1. IdP MUST ALWAYS return the value of openid.identity sent by RP.


would need to be changed so that the IdP can send a different
identifier than what was sent by the RP.

-- Dick
_______________________________________________
specs mailing list
specs at openid.net
http://openid.net/mailman/listinfo/specs
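The RP-side check Drummond describes above (accept a changed openid.portable only after discovery confirms the responding IdP is authoritative for it, otherwise reinitiate login with the IdP that is), as an added example. This is not code from the thread or from any OpenID library: `DISCOVERY_TABLE` and `discover_idp` are a constructed stand-in for real Yadis/XRDS discovery, and every identifier and endpoint URL in it is made up for the demonstration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for discovery: identifier -> IdP endpoint that
# discovery would report as authoritative. A real RP performs Yadis/XRDS
# or HTML-based discovery on the identifier instead of consulting a table.
DISCOVERY_TABLE = {
    "http://alice.example.net/": "https://idp-a.example.net/openid",
    "http://alice.example.net/work": "https://idp-a.example.net/openid",
    # A directed identity minted by idp-a for one RP (hypothetical value).
    "https://idp-a.example.net/id/7f3c": "https://idp-a.example.net/openid",
    # An identifier for which a different IdP is authoritative.
    "http://alice.example.org/": "https://idp-b.example.org/openid",
}


def normalize_endpoint(url: str) -> str:
    """Canonicalise an endpoint URL so equal endpoints compare equal:
    lowercase scheme and host, drop a trailing slash on the path."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path,
                       parts.query, ""))


def discover_idp(identifier: str) -> Optional[str]:
    """Hypothetical discovery: which IdP endpoint is authoritative for
    this identifier, or None if discovery finds nothing."""
    endpoint = DISCOVERY_TABLE.get(identifier)
    return normalize_endpoint(endpoint) if endpoint else None


class Outcome(Enum):
    ACCEPT = "accept"                  # response may be used as-is
    REDIRECT_LOGIN = "redirect_login"  # reinitiate login with the real IdP
    REJECT = "reject"                  # nobody is authoritative; fail closed


@dataclass
class Decision:
    outcome: Outcome
    identifier: str            # the openid.portable the RP should store
    idp_endpoint: Optional[str]  # IdP to trust or to redirect to


def check_portable_response(sent_portable: str, returned_portable: str,
                            responding_idp: str) -> Decision:
    """Apply the rule from the message: a changed openid.portable is only
    accepted when discovery on the NEW value points back at the IdP that
    produced the response; any other IdP means an 'OpenID login redirect'."""
    responding_idp = normalize_endpoint(responding_idp)
    if returned_portable == sent_portable:
        # Unchanged identifier: nothing new to verify at this step.
        return Decision(Outcome.ACCEPT, sent_portable, responding_idp)

    authoritative = discover_idp(returned_portable)
    if authoritative is None:
        # The IdP asserted an identifier nobody is authoritative for.
        return Decision(Outcome.REJECT, returned_portable, None)
    if authoritative == responding_idp:
        # The responding IdP really does own the new identifier.
        return Decision(Outcome.ACCEPT, returned_portable, responding_idp)
    # Someone else owns it: the RP must start over with that IdP rather
    # than trust this IdP's claim about an identifier it does not control.
    return Decision(Outcome.REDIRECT_LOGIN, returned_portable, authoritative)


if __name__ == "__main__":
    cases = [
        ("http://alice.example.net/", "http://alice.example.net/"),
        ("http://alice.example.net/", "http://alice.example.net/work"),
        ("http://alice.example.net/", "https://idp-a.example.net/id/7f3c"),
        ("http://alice.example.net/", "http://alice.example.org/"),
        ("http://alice.example.net/", "http://mallory.example.com/"),
    ]
    for sent, returned in cases:
        d = check_portable_response(sent, returned,
                                    "https://idp-a.example.net/openid/")
        print(f"{returned:40} -> {d.outcome.value:15} {d.idp_endpoint}")
```

The decisive branch is the last one: a response is never accepted merely because the asserting IdP signed it; the RP re-derives who owns the returned identifier from discovery, so an IdP cannot swap in an identifier it does not control. The directed-identity case falls out naturally, since the freshly minted identifier discovers back to the same IdP.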