Proposal: IdP-supported delegation

Drummond Reed drummond.reed at
Tue Sep 5 21:20:27 UTC 2006


I've looked in vain but in the switchover to this new list I can't find the
proposal you posted that started this thread.

Could you post it again, or a link to it?



-----Original Message-----
From: specs-bounces at [mailto:specs-bounces at] On Behalf
Of Johannes Ernst
Sent: Tuesday, September 05, 2006 12:01 PM
To: Josh Hoyt
Cc: specs at
Subject: Re: Proposal: IdP-supported delegation

On Sep 5, 2006, at 11:35, Josh Hoyt wrote:

> With my proposal, delegation *becomes* the standard way of registering
> an identifier with an IdP.

Interesting. Could a hostile site somehow trick the user into  
accepting more identifiers as aliases than the user wanted?

> Having a standard way of doing it keeps the
> control in the hands of the user, as well as being
> backwards-compatible with OpenID 1.X.
> With the proposed delegation mechanism, an IdP could, for example,
> allow a user to add identifiers at any time, including in the middle
> of an authentication request, and it could use standard OpenID
> discovery to do so.
> An alternate solution is to change the specification so that the
> authentication response can contain either the delegate *or* the
> user's identifier. I think my original proposal is less confusing to
> understand and implement, although it's a bigger change.

So do we even need the delegate parameter, then? (for anything other  
than bootstrapping?)

Johannes Ernst
NetMesh Inc.
