Proposal: IdP-supported delegation

Johannes Ernst jernst+openid.net at netmesh.us
Tue Sep 5 17:52:37 UTC 2006


On Sep 4, 2006, at 20:09, Josh Hoyt wrote:

>>> * The user-entered identifier is disclosed to the IdP.
>
> I contend that this disclosure is not harmful, since the user must
> trust the IdP anyway.

It appears the same way to me. I'm just raising it on the list according to the theory of "many eyeballs" ... and for privacy that's important.


There's something else I don't understand though, and chances are that I simply don't understand it so your help is appreciated:

Your motivation for the proposal says it is "IdP-driven identifier selection". Which I understand as entering "mylid.net" or "myopenid.com" as the identifier at the RP instead of "someone.myopenid.com" or even "myvanitydomain.com". But that isn't the protocol flow that you outline because the delegate URL isn't even known in that case. I'm confused ... how does this relate to "IdP-driven identifier selection"?

Also: would there be an alternate way of solving the problem, without protocol changes, by requiring the user to register "myvanitydomain.com" with the IdP, from where the user could select it if she so chose?




Johannes Ernst
NetMesh Inc.

  http://netmesh.info/jernst
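The "delegate URL isn't even known" point above hinges on how an RP discovers a delegate in the first place. The following is an added example, not code from the thread or from any OpenID implementation: it performs OpenID 1.x-style HTML discovery, reading the `openid.server` and `openid.delegate` link tags from the page at the user-entered identifier. The two sample documents are constructed; in particular, it is an assumption that an IdP's own front page carries an `openid.server` link but no `openid.delegate` link, which is what leaves the RP with no delegate when the user types only the IdP's domain.

```python
"""Added example (not part of the original thread): OpenID 1.x-style
HTML discovery, showing why the delegate URL is unknown when the user
enters the IdP's own domain as the identifier. Sample documents below
are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects <link rel=... href=...> tags; first occurrence of each rel wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():
                self.links.setdefault(r.lower(), href)


def _is_http_url(url):
    """Only absolute http(s) URLs are acceptable as server or delegate hints."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and bool(p.netloc)


def discover(identifier_html):
    """Return (server, delegate) found in the page fetched for the identifier.

    delegate is None when the page does not delegate; an RP would then use
    the user-entered identifier itself as the claimed identity.
    """
    c = _LinkCollector()
    c.feed(identifier_html)
    server = c.links.get("openid.server")
    delegate = c.links.get("openid.delegate")
    if server is None or not _is_http_url(server):
        return None, None  # no usable OpenID server: discovery fails
    if delegate is not None and not _is_http_url(delegate):
        delegate = None  # ignore malformed delegate hints rather than trust them
    return server, delegate


# Constructed sample: the user's vanity domain page delegates to an IdP account.
VANITY_PAGE = """<html><head>
<link rel="openid.server" href="https://idp.example/server">
<link rel="openid.delegate" href="https://someone.idp.example/">
</head><body>hello</body></html>"""

# Constructed sample (assumption): the IdP's own front page names a server but
# no delegate, so an RP handed "idp.example" as the identifier learns no
# delegate URL and cannot tell which account is meant.
IDP_FRONT_PAGE = """<html><head>
<link rel="openid.server" href="https://idp.example/server">
</head><body>sign in</body></html>"""


if __name__ == "__main__":
    print("vanity domain:", discover(VANITY_PAGE))
    print("IdP front page:", discover(IDP_FRONT_PAGE))
```

Run as a script, the first call yields both a server and a delegate, while the second yields a server and `None` for the delegate, which is the gap the quoted question is pointing at.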