Proposal: IdP-supported delegation
josh at janrain.com
Tue Sep 5 03:09:24 UTC 2006

On 9/4/06, Johannes Ernst <jernst+openid.net at netmesh.us> wrote:
> It appears that the OpenID privacy properties might change with this
> proposal? Currently, only the RP knows that a user used a particular
> identifier with that RP; not the IdP.

Indeed, the proposed change does introduce disclosure that previously
did not happen. As my proposal states:

>> * The user-entered identifier is disclosed to the IdP.

I contend that this disclosure is not harmful, since the user must
trust the IdP anyway. Also, the user trusts the relying party with
this information in either case. It seems unlikely that the user will
trust the IdP *less* than the IdP. I think that the benefits here
outweigh this minimal disclosure. I hope that addresses the issue