IdP assisting user to present previous identifier

Dick Hardt dick at sxip.com
Thu Oct 19 17:21:20 UTC 2006


Does anyone NOT want to support these scenarios?

On 19-Oct-06, at 8:40 AM, Drummond Reed wrote:

> I agree the scenarios Dick proposes here make sense. However if the IdP can
> change an identifier parameter, it should be openid.portable, since: a)
> that's the one the RP is going to store, and b) that's the one the IdP MUST
> return with a different value anyway in the directed identity use case (case
> 1 at http://www.lifewiki.net/openid/ConsolidatedDelegationProposal).
>
> We need to carefully consider the security implications, but I believe they
> are covered by a simple rule: if the IdP returns a DIFFERENT openid.portable
> parameter value than the one sent by the RP, then the RP MUST verify that
> the IdP is authoritative for the new openid.portable identifier by doing
> discovery. If the RP finds that a different IdP is authoritative, it MUST
> reinitiate login with that IdP.
>
> (Which essentially amounts to an "OpenID login redirect".)
>
> =Drummond
>
> -----Original Message-----
> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf
> Of Dick Hardt
> Sent: Thursday, October 19, 2006 12:19 AM
> To: specs at openid.net
> Subject: IdP assisting user to present previous identifier
>
> I expect I will have a number of OpenIDs, as well as lots of directed
> identities. I would like my IdP to keep track of which identity I use
> at what RP. I may forget which public identifier I used at a site,
> and type in the wrong one, and end up creating a new account and be
> confused. I may have used a directed identity, and forget and type in
> a public one, and then once again be creating a new account and be
> confused.
>
> I would like my IdP to be able to suggest which identifier I want to
> be in situations where I am using a different one from what I used in
> the past. This means that the following from:
>
> 	http://www.lifewiki.net/openid/ConsolidatedDelegationProposal
>
> IdP Rules for Identifier Parameters
>
> 1. IdP MUST ALWAYS return the value of openid.identity sent by RP.
>
>
> would need to be changed so that the IdP can send a different
> identifier than what was sent by the RP.
>
> -- Dick
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
>
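The rule Drummond states in the quoted reply (a changed openid.portable value forces the RP to re-run discovery, accept only if the asserting IdP is authoritative, and otherwise reinitiate login with the IdP that is) can be expressed as an RP-side decision function. The following is an added example written for this page, not code from the thread, the OpenID spec, or either author. Discovery is simulated with a constructed lookup table (`FAKE_DISCOVERY`), and the function names, the `Outcome`/`Decision` types, and the endpoint URLs are all hypothetical; a real RP would fetch the new identifier's URL and parse its discovery data instead of consulting a table.

```python
"""RP-side handling of a changed openid.portable value (added example).

Implements the rule from the thread: if the IdP returns a different
openid.portable than the RP sent, the RP must discover who is
authoritative for the new identifier before accepting it.
"""

from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Outcome(Enum):
    ACCEPT = "accept"      # identifier unchanged, or asserting IdP confirmed authoritative
    REDIRECT = "redirect"  # a different IdP is authoritative: reinitiate login there
    REJECT = "reject"      # discovery on the new identifier failed; do not log the user in


@dataclass(frozen=True)
class Decision:
    outcome: Outcome
    portable: str                     # the openid.portable value the RP will store on ACCEPT
    idp_endpoint: Optional[str] = None  # where to send the user on REDIRECT


# Constructed discovery data for the example: identifier -> IdP endpoint that
# is authoritative for it. Stands in for fetching the identifier URL and
# reading its OpenID link data; nothing here is a real site.
FAKE_DISCOVERY = {
    "http://alice.example/": "https://idp-a.example/openid",
    "http://alice.example/work": "https://idp-a.example/openid",
    "http://bob.example/": "https://idp-b.example/openid",
}


def discover(identifier: str) -> Optional[str]:
    """Simulated discovery: the IdP endpoint for identifier, or None on failure."""
    return FAKE_DISCOVERY.get(identifier)


def check_returned_portable(
    sent_portable: str,
    returned_portable: str,
    asserting_idp: str,
    discover_fn: Callable[[str], Optional[str]] = discover,
) -> Decision:
    """Decide what the RP does with the openid.portable value in an assertion.

    sent_portable    -- the value the RP put in the request
    returned_portable -- the value the IdP put in the response
    asserting_idp    -- endpoint of the IdP that produced this assertion
    """
    if returned_portable == sent_portable:
        # Unchanged: the RP already discovered this identifier before the
        # request, so nothing new needs verifying here.
        return Decision(Outcome.ACCEPT, returned_portable)

    # The IdP changed the identifier (directed identity, or "you used a
    # different one here last time"). The RP must not trust the IdP's word
    # that it owns the new identifier; run discovery on it.
    authoritative = discover_fn(returned_portable)
    if authoritative is None:
        return Decision(Outcome.REJECT, sent_portable)
    if authoritative != asserting_idp:
        # Someone else is authoritative: the thread's "OpenID login redirect".
        return Decision(Outcome.REDIRECT, returned_portable, authoritative)
    return Decision(Outcome.ACCEPT, returned_portable)


def demo() -> list:
    """Walk through the four cases the rule distinguishes."""
    idp_a = "https://idp-a.example/openid"
    return [
        check_returned_portable("http://alice.example/", "http://alice.example/", idp_a),
        check_returned_portable("http://alice.example/", "http://alice.example/work", idp_a),
        check_returned_portable("http://alice.example/", "http://bob.example/", idp_a),
        check_returned_portable("http://alice.example/", "http://nobody.example/", idp_a),
    ]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The third case is the one the rule exists for: idp-a asserts bob's identifier, discovery shows idp-b is authoritative, and the RP reinitiates login with idp-b instead of storing bob's identifier on idp-a's say-so. The fourth case shows that a changed identifier that cannot be discovered at all must not be accepted either.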