Yet Another Delegation Thread
Drummond Reed
drummond.reed at cordance.net
Wed Oct 25 15:57:07 UTC 2006
Sure, Dick, here's the list of reasons that Josh and David and I discussed
for allowing the RP to do the mapping between a Claimed Identifier and
IdP-Specific Identifier:
1) The first is the reason Brad designed this mechanism in the first place
-- it allows the user to control the binding of their Claimed Identifier
(the portable identifier the user controls) to an IdP-Specific Identifier
(which the IdP controls). This means the user doesn't have to register their
Claimed Identifier with the IdP (which may not even be possible -- for
example, LiveJournal may only recognize you by your LiveJournal login name,
but you can still use them as your IdP by pointing your vanity domain
name at your LiveJournal blog page). This also prevents IdP "lock-in" on a
Claimed Identifier.
2) Since the RP has to do discovery on the Claimed Identifier anyway, if it
discovers a mapping between the Claimed Identifier and an IdP-Specific
Identifier, the RP can send the IdP-Specific Identifier to the IdP and save
the IdP from having to repeat discovery.
3) Allowing the user to control Claimed
Identifier-to-IdP-Specific-Identifier mapping gives the user the ability to
establish any number of OpenID "synonyms" that do not require any
involvement on the part of the IdP. In many ways this is the user-facing
complement of the directed identity value proposition: in directed identity,
the user can have the IdP create any number of pseudonyms for different RPs.
But the user is dependent on the IdP for this functionality. With Claimed
Identifier-to-IdP-Specific-Identifier mapping, the user controls which
Claimed Identifier maps to which IdP-Specific-Identifier, and is NOT
dependent on the IdP for this mapping (which means it is entirely portable).
Hope this helps,
=Drummond
-----Original Message-----
From: Dick Hardt [mailto:dick at sxip.com]
Sent: Tuesday, October 24, 2006 11:42 PM
To: Drummond Reed
Cc: 'Recordon, David'; specs at openid.net
Subject: Re: Yet Another Delegation Thread
Hey Drummond,
If you could elaborate on the "good reasons" below, I would appreciate it
unless you think Josh and David have that list.
-- Dick
On 24-Oct-06, at 11:16 PM, Drummond Reed wrote:
> Dick, the questions you raise are exactly the kinds of tradeoffs
> the editors
> need to discuss on their telecon (I agree this issue could consume
> an entire
> call). I doubt I can add anything more here, so I'll just wish you all
> godspeed on the call.
>
> =Drummond
>
> -----Original Message-----
> From: Dick Hardt [mailto:dick at sxip.com]
> Sent: Tuesday, October 24, 2006 10:07 PM
> To: Drummond Reed
> Cc: 'Recordon, David'; specs at openid.net
> Subject: Re: Yet Another Delegation Thread
>
> Thanks for the explanation Drummond. I think we need a con call on
> this topic alone ... :-)
>
> On 24-Oct-06, at 6:16 PM, Drummond Reed wrote:
>> * But in our discussion today, Josh and David and I boiled down the
>> fundamental problem with the "single identifier on the wire"
>> solutions: as
>> long as the RP has the ability to do the mapping between the Claimed
>> Identifier and an IdP-specific Identifier (and there are many good
>> reasons
>> to allow the RP to do this mapping, including that this is how
>> OpenID 1.1
>> works),
>
> Would you elaborate on those "good reasons"? I'd like to understand
> them because they are not obvious to me.
>
>> then sending only one of these two identifiers on the wire to the
>> IdP shuts down an option the IdP and/or user should have. To wit:
>>
>> - If only the Claimed Identifier is sent, the IdP is forced to
>> repeat
>> discovery if it doesn't recognize it (Josh and David and I believe
>> the IdP
>> should not be forced to repeat discovery - it is not required in
>> OpenID 1.1
>> and should not be required in OpenID 2.0).
>
> The IdP does not do discovery in OpenID 1.1 because the IdP is not
> aware of the public identifier. The RP is doing it.
>
> Either the IdP is binding the two identifiers, or the RP is doing it
> *after* getting them back unless it preserves state.
>
> A design goal has been to move complexity to the IdP when given a
> choice.
>
>>
>> - If only the IdP-specific Identifier is sent, then the IdP does
>> not have
>> the option to assist the user with identifier selection based on
>> the Claimed
>> Identifier (which is required for directed identity anyway, and is
>> one of
>> the motivations behind this whole thread).
>
> I don't think the RP needs to even understand the IdP-specific
> identifier.
>
>>
>> Our conclusion was that the only way to avoid shutting down one or
>> the other
>> of these options is to allow (but not force) the RP to send both
>> identifiers
>> using two parameters, and to have the IdP return both parameters,
>> which the
>> RP must always verify based on its own discovery.
>>
>> That's the "state of the state" as of our discussion this afternoon.
>> Hopefully this will be helpful input into the editor's call(s) this
>> week.
>
> Thanks Drummond.
>
>
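As an added illustration that is not part of the thread, here is how a relying party could implement the mapping and the check the discussion converges on: discovery on the Claimed Identifier yields the IdP endpoint and the IdP-specific identifier (reasons 1 and 2 above), and an assertion that carries both identifiers is accepted only when both agree with the RP's own discovery (the conclusion quoted at the end). The link relations `openid2.provider` / `openid2.local_id` and the parameters `openid.claimed_id`, `openid.identity`, `openid.op_endpoint` are the names the finished OpenID Authentication 2.0 specification later used, not names taken from this thread; the identifier pages, hosts and login names are constructed, and signature verification is assumed to happen in a separate step that is not shown.

```python
"""Relying-party verification of an OpenID 2.0 positive assertion that
carries both a Claimed Identifier and an IdP-specific identifier.

Constructed example: the pages the RP would fetch during discovery are
embedded as strings, so nothing is fetched over the network.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

# Constructed HTML pages keyed by Claimed Identifier. Alice maps her own
# domain onto a login name at idp.example (delegation); Bob's IdP knows
# him by his own URL, so no local_id link is present.
PAGES: Dict[str, str] = {
    "https://alice.example/": (
        '<html><head>'
        '<link rel="openid2.provider" href="https://idp.example/server">'
        '<link rel="openid2.local_id" href="https://idp.example/u/alice42">'
        '</head><body>blog</body></html>'
    ),
    "https://bob.example/": (
        '<html><head>'
        '<link rel="openid2.provider" href="https://other-idp.example/server">'
        '</head><body>homepage</body></html>'
    ),
}


@dataclass(frozen=True)
class Discovery:
    claimed_id: str
    op_endpoint: str
    op_local_id: str  # IdP-specific identifier; equals claimed_id when not delegated


class _LinkRels(HTMLParser):
    """Collects href values of <link rel=...> elements, first occurrence wins."""

    def __init__(self) -> None:
        super().__init__()
        self.rels: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs) -> None:
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():
                self.rels.setdefault(r, href)


def discover(claimed_id: str) -> Optional[Discovery]:
    """HTML-based discovery over the constructed pages (no network access)."""
    page = PAGES.get(claimed_id)
    if page is None:
        return None
    parser = _LinkRels()
    parser.feed(page)
    endpoint = parser.rels.get("openid2.provider")
    if endpoint is None:
        return None
    return Discovery(claimed_id, endpoint, parser.rels.get("openid2.local_id", claimed_id))


def parse_assertion(query: str) -> Dict[str, str]:
    """Turn the query string of an indirect response into a flat dict."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def verify_identifiers(assertion: Dict[str, str],
                       started_with: Optional[Discovery]) -> Tuple[bool, str]:
    """Check the two returned identifiers against the RP's own discovery.

    started_with is the discovery result from the start of the transaction,
    or None when the RP began without a Claimed Identifier (directed identity).
    """
    if assertion.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    claimed = assertion.get("openid.claimed_id")
    local = assertion.get("openid.identity")
    endpoint = assertion.get("openid.op_endpoint")
    if not (claimed and local and endpoint):
        return False, "assertion lacks claimed_id, identity or op_endpoint"
    # Trust only what the RP discovered itself. Reuse the initial result when
    # the IdP returned the same Claimed Identifier; otherwise discover the
    # returned one now (the directed identity case).
    if started_with is not None and started_with.claimed_id == claimed:
        disc: Optional[Discovery] = started_with
    else:
        disc = discover(claimed)
    if disc is None:
        return False, "discovery on the returned claimed_id failed"
    if disc.op_endpoint != endpoint:
        return False, "op_endpoint is not the one discovery found for this claimed_id"
    if disc.op_local_id != local:
        return False, "openid.identity differs from the discovered IdP-specific identifier"
    return True, "both identifiers are consistent with discovery"
```

The endpoint comparison is what stops an IdP from asserting a Claimed Identifier it is not authoritative for, and the local-identifier comparison is what keeps the user-controlled mapping (reason 1 above) in the user's hands rather than the IdP's: the RP believes the binding it discovered, not the one the IdP echoes back.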