Yet Another Delegation Thread
Drummond Reed
drummond.reed at cordance.net
Wed Oct 25 19:13:29 UTC 2006
>> Josh Hoyt wrote:
>> If the user uses different IdP-specific identifiers for each portable
>> identifier, I don't see how they can be correlated.
>
>Pete Rowley wrote:
>Unless I mis-understand the the OpenID discovery mechanism - at the
>point of discovery, which can be done out of band in a spider like web
>harvesting fashion. Any one discovery point contains your identity map.
What Josh is describing here is actually an implementation of your
suggestion, Pete, that the IdP could support the non-correlation of portable
OpenID identifiers. Here's how it works:
* For each portable-identifier, you (or your identifier registrar) publishes
a *separate* XRDS document with a separate IdP-specific identifier. None of
these XRDS documents references any of the others.
* Now there is no way for a bot to discover a correlation between these
portable identifiers (or their paired IdP-specific identifiers), other than
they are all authenticated by the same IdP (the non-correlatability of which
depends on the number of customers/identifier served by that IdP).
=Drummond
More information about the specs
mailing list