Yet Another Delegation Thread

Josh Hoyt josh at janrain.com
Wed Oct 25 18:24:49 UTC 2006


On 10/25/06, Pete Rowley <prowley at redhat.com> wrote:
> Is it a goal to not allow correlation of identifiers? If so, I do not
> think this meets that goal.
>
> Looking at the parties involved here, I necessarily have to trust my
> IdP, but I certainly don't want to trust RPs. So if there is to be
> leakage of information, it should go to the IdP, who is charged with the
> protection of my data. This appears to construct what amounts to a map
> of all my online identifiers nicely formatted so that a bot can harvest
> it easily. Perhaps non-correlation is a non-goal for this particular
> feature - but I would hope that it would be a high priority.

The IdP can issue as many identifiers as it wants to the user, and the
user can use a different IdP-specific identifier for each of their
separate portable identifiers.

Every proposal so far has had the IdP-specific identifier discovered
through the standard discovery mechanism, so this criticism would
apply to OpenID portable identifier support in general, not this
specific proposal.

Josh


