The CanonicalID Approach
Martin Atkins
mart at degeneration.co.uk
Sat Jun 9 10:15:55 UTC 2007
Josh Hoyt wrote:
> On 6/8/07, Martin Atkins <mart at degeneration.co.uk> wrote:
>> I figure that you could potentially use the same mechanism as delegation
>> to avoid the extra discovery iteration.
>>
>> The problem, as with delegation, is that you need to duplicate the
>> endpoint URL in the source identifier's XRDS document. The canonical
>> identifier must also support OpenID, which I believe is something they
>> were trying to avoid.
>
> I'm assuming that by saying it's "like delegation", you mean that the
> canonical identifier is discovered from the entered identifier, and
> sent to the server, but discovery is never done.
>
> Let's say that you use "http://mart-atkins.com/" as your identifier,
> with a canonical id of "http://inconvenient.example.com/0000001"
>
> I can set up a URL "http://impersonation.example.com/mart" that points
> to an OpenID provider that I control, and give it the same canonical
> ID, "http://inconvenient.example.com/0000001".
>
> Unless we make sure that the canonical ID is intended to be used with
> this OpenID server, I can sign in to your account anywhere, since the
> canonical ID is used as the database key.
>
> Were you thinking of a different mechanism?
>
I'm assuming that the RP authenticates
http://inconvenient.example.com/0000001, not
http://impersonation.example.com/mart. Just as with delegation, if I can
successfully authenticate as the persistent identifier and the
non-persistent identifier points at the persistent one, we can assume
that http://impersonation.example.com/mart is "me" as well.
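As an added illustration of the two RP behaviours discussed above (example code written for this page, not code from the thread or from any OpenID library): a naive RP that keys the account on whatever canonical ID the entered identifier's XRDS names, beside an RP that does what Martin describes and authenticates the canonical ID itself. The `DISCOVERY` table is a constructed stand-in for fetching and parsing XRDS documents; the identifier URLs are the ones from the thread, while the OP endpoint names (`op.legit.example`, `op.attacker.example`) and the function names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Discovery:
    """What an RP learns from one identifier's XRDS document."""
    op_endpoint: str              # OpenID provider endpoint named in the XRDS
    canonical_id: Optional[str]   # persistent identifier the XRDS points at, if any


# Constructed discovery results standing in for XRDS fetch and parse.
# Identifier URLs are the ones from the thread; the OP endpoints are invented.
DISCOVERY: Dict[str, Discovery] = {
    # The entered identifier points at a persistent canonical ID.
    "http://mart-atkins.com/": Discovery(
        op_endpoint="https://op.legit.example/",
        canonical_id="http://inconvenient.example.com/0000001",
    ),
    # The canonical ID's own XRDS names the OP entitled to assert it.
    "http://inconvenient.example.com/0000001": Discovery(
        op_endpoint="https://op.legit.example/",
        canonical_id=None,
    ),
    # Josh's scenario: a URL under someone else's control whose XRDS names
    # an OP they run but claims the same canonical ID.
    "http://impersonation.example.com/mart": Discovery(
        op_endpoint="https://op.attacker.example/",
        canonical_id="http://inconvenient.example.com/0000001",
    ),
}


def discover(identifier: str) -> Discovery:
    """Stand-in for Yadis/XRDS discovery; unknown identifiers fail discovery."""
    try:
        return DISCOVERY[identifier]
    except KeyError:
        raise ValueError(f"discovery failed for {identifier}") from None


def account_key_naive(entered: str, asserting_op: str) -> str:
    """The behaviour Josh warns about: accept the canonical ID named by the
    entered identifier's XRDS and use it as the account key, checking only
    that the assertion came from the OP that same XRDS names."""
    d = discover(entered)
    if d.op_endpoint != asserting_op:
        raise ValueError("assertion did not come from the OP named for the entered identifier")
    return d.canonical_id or entered


def account_key_verified(entered: str, asserting_op: str) -> str:
    """Martin's reading: the RP authenticates the canonical ID itself.
    Discovery is run on the canonical ID, and the assertion is accepted only
    if it comes from the OP that the canonical ID's own XRDS names; the
    entered identifier merely has to point at that canonical ID."""
    d = discover(entered)
    if d.canonical_id is None:
        # No persistent identifier: authenticate the entered identifier directly.
        if d.op_endpoint != asserting_op:
            raise ValueError("assertion did not come from the OP named for the identifier")
        return entered
    canon = discover(d.canonical_id)
    if canon.op_endpoint != asserting_op:
        raise ValueError(
            f"{asserting_op} is not the OP that {d.canonical_id} names; "
            "refusing to bind the assertion to that canonical ID"
        )
    return d.canonical_id


if __name__ == "__main__":
    cases = [
        ("http://mart-atkins.com/", "https://op.legit.example/"),
        ("http://impersonation.example.com/mart", "https://op.attacker.example/"),
    ]
    for entered, op in cases:
        for name, fn in (("naive", account_key_naive), ("verified", account_key_verified)):
            try:
                print(f"{name:8} {entered} via {op} -> account {fn(entered, op)}")
            except ValueError as e:
                print(f"{name:8} {entered} via {op} -> rejected: {e}")
```

Running the script shows the difference: the naive RP maps both entered identifiers, asserted by two different OPs, onto the same account key, which is exactly the collision Josh describes; the verified RP accepts the assertion for `http://mart-atkins.com/` and rejects the one from `op.attacker.example`, because that OP is not the one the canonical ID's own discovery authorizes.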