Yet Another Delegation Thread
Drummond Reed
drummond.reed at cordance.net
Wed Oct 25 18:35:43 UTC 2006
>>Drummond Reed wrote:
>> 3) Allowing the user to control Claimed
>> Identifier-to-IdP-Specific-Identifier mapping gives the user the ability to
>> establish any number of OpenID "synonyms" that do not require any
>> involvement on the part of the IdP. In many ways this is the user-facing
>> complement of the directed identity value proposition: in directed identity,
>> the user can have the IdP create any number of pseudonyms for different RPs.
>> But the user is dependent on the IdP for this functionality. With Claimed
>> Identifier-to-IdP-Specific-Identifier mapping, the user controls which
>> Claimed Identifier maps to which IdP-Specific-Identifier, and is NOT
>> dependent on the IdP for this mapping (which means it is entirely portable).
>>
>
>Pete Rowley wrote:
>
>Is it a goal to not allow correlation of identifiers? If so, I do not
>think this meets that goal.
>
>Looking at the parties involved here, I necessarily have to trust my
>IdP, but I certainly don't want to trust RPs. So if there is to be
>leakage of information, it should go to the IdP, who is charged with the
>protection of my data. This appears to construct what amounts to a map
>of all my online identifiers nicely formatted so that a bot can harvest
>it easily. Perhaps non-correlation is a non-goal for this particular
>feature - but I would hope that it would be a high priority.
You're absolutely right, Pete -- since all of these identifiers would be
public identifiers, a bot could harvest them. So non-correlation is not a
goal of this feature -- the goal is IdP-independent public synonym
management.
Non-correlation of identifiers IS a goal of the 2.0 directed identity
feature. Eve Maler just did a great blog post about this:
http://www.xmlgrrl.com/blog/archives/2006/10/23/the-futures-so-bright-i-gotta-wear-shades/
She was confused about exactly how directed identity worked in the 2.0 spec,
so I responded to her with:
http://www.equalsdrummond.name/?p=84
And she then wrote an even longer post about "Pseudonym Picking" that
includes an in-depth comparison of OpenID and SAML flows:
http://www.xmlgrrl.com/blog/archives/2006/10/24/pseudonym-picking/
Paul Madsen and others in Liberty have also responded very positively to the
directed identity feature, so I suspect it will be a hit once it rolls out.
=Drummond
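The two mechanisms contrasted in this exchange, as an added illustration that is not part of the thread or of any OpenID implementation: a user-published Claimed Identifier to IdP-Specific Identifier mapping is public data, so anyone reading the discovery documents can group all of a user's synonyms, whereas directed identity lets the IdP hand each RP its own pseudonym. OpenID 2.0 does not specify how an IdP mints those pseudonyms; the HMAC derivation, the `idp.example` / `alice.example` names and the sample delegation table below are all assumptions constructed for the example.

```python
# Added example: public synonym mapping vs. directed-identity pseudonyms.
# Not code from the thread; the delegation table, host names, secret and the
# HMAC pseudonym scheme are constructed assumptions, not OpenID 2.0 mandates.
import hashlib
import hmac
from collections import defaultdict

# Mechanism 1: user-controlled Claimed Identifier -> IdP-Specific Identifier.
# The user publishes this in the discovery document at each Claimed
# Identifier, so the map is readable by any crawler (Pete's concern).
# Constructed sample: Alice points three synonyms at one IdP account.
PUBLIC_DELEGATION = {
    "http://alice.example/": "http://idp.example/users/a1b2c3",
    "http://alice-blog.example/": "http://idp.example/users/a1b2c3",
    "http://a.example.org/": "http://idp.example/users/a1b2c3",
    "http://bob.example/": "http://idp.example/users/d4e5f6",
}


def correlate_public_synonyms(delegation_map):
    """Group Claimed Identifiers by the IdP-Specific Identifier they delegate to.

    This is all a crawler needs to do to link a user's public synonyms, which is
    why non-correlation cannot be a goal of user-controlled mapping.
    """
    groups = defaultdict(set)
    for claimed, local_id in delegation_map.items():
        groups[local_id].add(claimed)
    return {local_id: sorted(claimed) for local_id, claimed in groups.items()}


# Mechanism 2: directed identity. The user sends identifier_select and the IdP
# picks the identifier. Assumed scheme: the IdP derives a per-RP pseudonym with
# an HMAC over (account, RP realm) under a secret only the IdP holds.
IDP_SECRET = b"constructed-idp-secret-for-the-example"  # hypothetical value


def directed_pseudonym(account: str, rp_realm: str, secret: bytes = IDP_SECRET) -> str:
    """Return a stable, RP-specific pseudonym for one account (assumed scheme)."""
    msg = f"{account}|{rp_realm}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20]
    return f"http://idp.example/ids/{tag}"


def linkable_without_secret(pseudonym_a: str, pseudonym_b: str) -> bool:
    """The only correlation an RP (or a crawler) can do on directed-identity
    pseudonyms without the IdP secret is string equality."""
    return pseudonym_a == pseudonym_b


if __name__ == "__main__":
    print("public synonym groups:", correlate_public_synonyms(PUBLIC_DELEGATION))
    p_rp1 = directed_pseudonym("a1b2c3", "http://rp1.example/")
    p_rp2 = directed_pseudonym("a1b2c3", "http://rp2.example/")
    print("same account at two RPs linkable?", linkable_without_secret(p_rp1, p_rp2))
```

The contrast the script makes visible: `correlate_public_synonyms` recovers every synonym group from published data alone, while the same account presented to two RPs via `directed_pseudonym` yields two unrelated identifiers, and only the IdP, holding the secret, can map them back to one user, which is the "leakage goes to the IdP, not the RP" property Pete describes.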