Yet Another Delegation Thread

Pete Rowley prowley at redhat.com
Wed Oct 25 19:27:06 UTC 2006


Drummond Reed wrote:
>>> Josh Hoyt wrote:
>>> If the user uses different IdP-specific identifiers for each portable
>>> identifier, I don't see how they can be correlated.
>>>       
>> Pete Rowley wrote:
>> Unless I misunderstand the OpenID discovery mechanism - at the 
>> point of discovery, which can be done out of band in a spider-like web 
>> harvesting fashion.  Any one discovery point contains your identity map.
>>     
>
> What Josh is describing here is actually an implementation of your
> suggestion, Pete, that the IdP could support the non-correlation of portable
> OpenID identifiers. Here's how it works:
>
> * For each portable-identifier, you (or your identifier registrar) publishes
> a *separate* XRDS document with a separate IdP-specific identifier. None of
> these XRDS documents references any of the others.
>
> * Now there is no way for a bot to discover a correlation between these
> portable identifiers (or their paired IdP-specific identifiers), other than
> they are all authenticated by the same IdP (the non-correlatability of which
> depends on the number of customers/identifier served by that IdP).
>   
Yep. IdP-hosted portable identifiers avoid correlation.

However, I thought that was _not_ the original suggestion. Did we come 
full circle? :)

Drummond Reed wrote:
 > 3) Allowing the user to control Claimed
 > ... <snip>
 > With Claimed
 > Identifier-to-IdP-Specific-Identifier mapping, the user controls which
 > Claimed Identifier maps to which IdP-Specific-Identifier, and *is NOT
 > dependent on the IdP for this mapping* (which means it is entirely 
 > portable).

-- 
Pete
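The separate-XRDS-per-identifier scheme Drummond describes above, as an added example (not code from the thread or from any OpenID implementation): each portable identifier publishes its own XRDS naming its own IdP-specific identifier, and a harvester grouping discovery documents by (OP endpoint, LocalID) can then learn only that both identifiers use the same IdP. Element names follow the OpenID 2.0 XRDS layout (`Type`, `URI`, `LocalID`); hostnames and identifiers are constructed.

```python
# Added example, not from the thread. Builds the per-identifier XRDS documents
# Drummond describes and shows what a harvester can and cannot correlate.
# Assumes OpenID 2.0 XRDS elements (Type, URI, LocalID); hosts are constructed.
from collections import defaultdict
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
SIGNON = "http://specs.openid.net/auth/2.0/signon"

def xrds(op_endpoint: str, local_id: str) -> str:
    """XRDS a registrar publishes for one portable identifier: it names the
    OP endpoint and that identifier's own IdP-specific identifier only."""
    return (
        f'<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="{XRD_NS}"><XRD>'
        f'<Service priority="0"><Type>{SIGNON}</Type>'
        f'<URI>{op_endpoint}</URI><LocalID>{local_id}</LocalID>'
        '</Service></XRD></xrds:XRDS>'
    )

def signon_mapping(doc: str) -> tuple[str, str]:
    """Extract (OP endpoint, IdP-specific identifier) from a discovered XRDS."""
    root = ET.fromstring(doc)
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        if SIGNON in [t.text for t in svc.findall(f"{{{XRD_NS}}}Type")]:
            return svc.findtext(f"{{{XRD_NS}}}URI"), svc.findtext(f"{{{XRD_NS}}}LocalID") or ""
    raise ValueError("no OpenID 2.0 signon service in XRDS")

def correlate(discovered: dict[str, str]) -> dict[tuple[str, str], list[str]]:
    """Group claimed identifiers that resolve to the same (endpoint, LocalID).
    This is all an out-of-band harvester can learn from discovery alone."""
    groups = defaultdict(list)
    for claimed, doc in discovered.items():
        groups[signon_mapping(doc)].append(claimed)
    return {k: v for k, v in groups.items() if len(v) > 1}

OP = "https://op.example.net/server"  # constructed OP endpoint
# One user, two portable identifiers. Reusing a single IdP-specific identifier
# links them; a distinct LocalID per identifier leaves only the shared OP.
LINKED = {
    "https://alice.example.org/": xrds(OP, "https://op.example.net/user/alice"),
    "https://a-smith.example.com/": xrds(OP, "https://op.example.net/user/alice"),
}
UNLINKED = {
    "https://alice.example.org/": xrds(OP, "https://op.example.net/u/9f3a"),
    "https://a-smith.example.com/": xrds(OP, "https://op.example.net/u/71bc"),
}
# correlate(LINKED) -> one group holding both identifiers; correlate(UNLINKED) -> {}
```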
