Proposal: IdP-supported delegation

Johannes Ernst jernst+openid.net at netmesh.us
Tue Sep 5 19:00:39 UTC 2006


On Sep 5, 2006, at 11:35, Josh Hoyt wrote:

> With my proposal, delegation *becomes* the standard way of registering
> an identifier with an IdP.

Interesting. Could a hostile site somehow trick the user into accepting more identifiers as aliases than the user wanted?

> Having a standard way of doing it keeps the
> control in the hands of the user, as well as being
> backwards-compatible with OpenID 1.X.
>
> With the proposed delegation mechanism, an IdP could, for example,
> allow a user to add identifiers at any time, including in the middle
> of an authentication request, and it could use standard OpenID
> discovery to do so.
>
> An alternate solution is to change the specification so that the
> authentication response can contain either the delegate *or* the
> user's identifier. I think my original proposal is less confusing to
> understand and implement, although it's a bigger change.

So do we even need the delegate parameter, then? (for anything other than bootstrapping?)



Johannes Ernst
NetMesh Inc.

  http://netmesh.info/jernst