Proposal: IdP-supported delegation

Josh Hoyt josh at
Tue Sep 5 03:09:24 UTC 2006


On 9/4/06, Johannes Ernst < at> wrote:
> It appears that the OpenID privacy properties might change with this
> proposal? Currently, only the RP knows that a user used a particular
> identifier with that RP; not the IdP.

Indeed, the proposed change does introduce disclosure that previously
did not happen. As my proposal states:

>> * The user-entered identifier is disclosed to the IdP.

I contend that this disclosure is not harmful, since the user must
trust the IdP anyway. Also, the user trusts the relying party with
this information in either case. It seems unlikely that the user will
trust the IdP *less* than the IdP. I think that the benefits here
outweigh this minimal disclosure. I hope that addresses the issue.
