Proposal: IdP-supported delegation

Josh Hoyt josh at janrain.com
Tue Sep 5 03:09:24 UTC 2006


Johannes,

On 9/4/06, Johannes Ernst <jernst+openid.net at netmesh.us> wrote:
> It appears that the OpenID privacy properties might change with this
> proposal? Currently, only the RP knows that a user used a particular
> identifier with that RP; not the IdP.

Indeed, the proposed change does introduce disclosure that previously
did not happen. As my proposal states:

>> * The user-entered identifier is disclosed to the IdP.

I contend that this disclosure is not harmful, since the user must
trust the IdP anyway. Also, the user trusts the relying party with
this information in either case. It seems unlikely that the user will
trust the IdP *less* than the IdP. I think that the benefits here
outweigh this minimal disclosure. I hope that addresses the issue
adequately.

Josh
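An added illustration of the disclosure Josh and Johannes are discussing, not code from the thread or from any OpenID implementation: a small information-flow model of OpenID 1.x delegation beside a variant in which the RP also forwards the user-entered identifier to the IdP. The discovery step (the `openid.server` and `openid.delegate` link tags) and the `checkid_setup` message follow OpenID 1.1; the identity page, the URLs, and the extra `openid.claimed_id` field used to carry the user-entered identifier are constructed assumptions here, since the proposal's actual wire format is not shown on this page.

```python
# Added example, not from the mailing-list thread or from the proposal itself.
# Models which identifiers each party learns under OpenID 1.1 delegation versus
# an assumed "IdP-supported delegation" where the RP forwards the user-entered
# identifier. The field name openid.claimed_id is an assumption for that purpose.
from html.parser import HTMLParser

USER_URL = "http://alice.example.org/"                 # constructed sample
DELEGATE_URL = "http://idp.example.net/users/alice"    # constructed sample
IDP_ENDPOINT = "http://idp.example.net/server"         # constructed sample

# Constructed sample: the identity page the RP would fetch from USER_URL.
SAMPLE_IDENTITY_PAGE = """<html><head>
<link rel="openid.server" href="http://idp.example.net/server">
<link rel="openid.delegate" href="http://idp.example.net/users/alice">
</head><body>alice</body></html>"""


class LinkRelParser(HTMLParser):
    """Collects rel -> href for every <link> tag (OpenID 1.1 discovery)."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        if "rel" in a and "href" in a:
            self.links[a["rel"]] = a["href"]


def discover(page_html):
    """Return the openid.server / openid.delegate links found on the page."""
    p = LinkRelParser()
    p.feed(page_html)
    return p.links


def rp_build_checkid(user_entered, page_html, idp_supported=False):
    """Build the RP's checkid_setup request from discovery results.

    Under plain OpenID 1.1 delegation, openid.identity is the delegate URL, so
    the IdP never sees the URL the user typed. With idp_supported=True the RP
    additionally sends the user-entered identifier (assumed field name).
    """
    links = discover(page_html)
    msg = {
        "openid.mode": "checkid_setup",
        "openid.identity": links.get("openid.delegate", user_entered),
        "openid.return_to": "http://rp.example.com/finish",  # constructed
    }
    if idp_supported:
        msg["openid.claimed_id"] = user_entered  # assumed wire format
    return links["openid.server"], msg


def idp_view(msg):
    """Set of identifiers the IdP can learn from a single request."""
    return {v for k, v in msg.items()
            if k in ("openid.identity", "openid.claimed_id")}


def compare_disclosure(user_entered, page_html):
    """Does the IdP learn the user-entered identifier in each variant?"""
    _, legacy = rp_build_checkid(user_entered, page_html)
    _, proposed = rp_build_checkid(user_entered, page_html, idp_supported=True)
    return {
        "legacy_idp_sees_user_url": user_entered in idp_view(legacy),
        "proposed_idp_sees_user_url": user_entered in idp_view(proposed),
    }


if __name__ == "__main__":
    print(compare_disclosure(USER_URL, SAMPLE_IDENTITY_PAGE))
```

In both variants the RP already holds the user-entered identifier; the model only makes visible that the delegate URL is the sole identifier reaching the IdP today, and that the extra field is exactly the disclosure the thread describes.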


