[OpenID] identify RP when it gets OpenID URL

Manger, James H James.H.Manger at team.telstra.com
Thu Oct 18 01:05:04 UTC 2007


James Henstridge,

> why wouldn't this alternative [doing it all at the OP] be appropriate?

It would be great if OPs offered lots of functionality (such as per-User per-RP policies), while remaining simple to use and understand. The great feature of OpenID is that it allows each user to choose login policies they are happy with without requiring explicit support by the RP. It would be even better if any user can choose login policies without requiring explicit support by a single OP for all the possibilities.


> You are trading complexity at the OP end for complexity at the discovery/delegation end.

Being able to trade complexity at one point against another is a GOOD thing. You can pick whichever is less complex to you. Others can pick whichever is less complex to them.

The proposed change is not at all complex: an RP simply adds one more HTTP header with a fixed (for the RP) value. The discovery end does not have to do anything – it is just easier for them if they want to do something a little different.


> 1. using an OP that is not publicly accessible for certain operations

> 2. using an RP that will only authenticate people using a particular OP.

These are additional use cases that highlight how useful knowing the RP during discovery (eg via a From field) could be. Now we have 3 use cases for this 1 simple feature.


	_____________________________________________
	From: james.henstridge at gmail.com [mailto:james.henstridge at gmail.com] On Behalf Of James Henstridge
	Sent: Wednesday, 17 October 2007 5:26 PM
	To: Manger, James H
	Cc: specs at openid.net


		OPs can offer different authentication mechanisms

	If the primary aim is just to let the user set a policy on how carefully they should be authenticated when talking to particular RPs, why wouldn't this alternative be appropriate?


	You are trading complexity at the OP end for complexity at the discovery/delegation end.


	Or are you trying to address a slightly different problem?  Maybe one of:

	 1. using an OP that is not publicly accessible for certain operations
	 2. using an RP that will only authenticate people using a particular OP.


	
________________________________


	From: Manger, James H 
	Sent: Wednesday, 17 October 2007 12:59 PM
	To: 'specs at openid.net'
	Subject: [OpenID] identify RP when it gets OpenID URL

	…

	Add the following paragraph at the end of section 7.3 Discovery:

	“The Relying Party MUST include a From HTTP header field in each HTTP request made during discovery. The From field holds an email address for the RP (eg From: openid at example.net) [RFC2616]. This enables the discovered information to vary based on the RP. The From field is not authenticated so it is not appropriate to use for access control.”

	…


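The exchange proposed in this thread, written out as an added example (not code from the thread, the OpenID specification, or any OpenID library): the RP sends a fixed From header on every discovery request, and the user's identifier page returns a different OpenID 2.0 HTML discovery document depending on which RP is asking. The RP addresses, OP endpoints, local identifiers and the per-RP policy table are constructed for illustration. Two practitioner details are added beyond the proposed paragraph: the From value is normalised with email.utils.parseaddr before lookup, and the page emits `Vary: From` so a shared cache cannot hand one RP's document to another. Because From is unauthenticated, the policy only decides which OP gets to authenticate the user; it grants nothing by itself.

```python
"""Added example (not from the thread): From-header based OpenID discovery.

The identifier page varies its delegation per Relying Party, keyed on the
unauthenticated From field the RP sends during discovery.  All addresses,
URLs and the policy table below are constructed for illustration.
"""
from email.utils import parseaddr
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
import threading
import urllib.request

# Constructed per-RP policy for one user's identifier page ("alice").
# Values are (OpenID 2.0 provider endpoint, OP-local identifier).
PUBLIC_OP = ("https://op.example.org/server", "https://op.example.org/alice")
INTRANET_OP = ("https://op.intranet.example/server", "https://op.intranet.example/alice")
RP_POLICY = {
    # Use case 1 from the thread: an OP not reachable from the public Internet,
    # chosen only for a high-assurance RP.
    "openid@bank.example": INTRANET_OP,
}


def rp_discovery_headers(rp_contact):
    """Headers the RP sends on every discovery request under the proposal.
    The From value is fixed for the RP; RFC 2616 defines it as a mailbox."""
    return {"From": rp_contact, "Accept": "text/html, application/xrds+xml"}


def normalize_from(value):
    """Reduce 'OpenID RP <OpenID@Bank.Example>' to 'openid@bank.example'.
    Returns None when the field is absent or not a mailbox address."""
    if not value:
        return None
    _display_name, addr = parseaddr(value)
    if "@" not in addr:
        return None
    return addr.lower()


def select_discovery(from_value):
    """Choose the OP for this RP.  From is unauthenticated, so an attacker who
    forges it only learns which OP would authenticate the user; the OP still
    does the authenticating, which is why the proposal forbids using From for
    access control."""
    return RP_POLICY.get(normalize_from(from_value), PUBLIC_OP)


def discovery_document(from_value):
    """Render the OpenID 2.0 HTML discovery document for the requesting RP."""
    endpoint, local_id = select_discovery(from_value)
    return (
        "<html><head>\n"
        f'<link rel="openid2.provider" href="{endpoint}">\n'
        f'<link rel="openid2.local_id" href="{local_id}">\n'
        "</head><body>alice</body></html>\n"
    )


class IdentifierPage(BaseHTTPRequestHandler):
    """The user's identifier URL: the "discovery end" in the thread."""

    def do_GET(self):
        body = discovery_document(self.headers.get("From")).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        # The body depends on From; tell shared caches so they key on it too.
        self.send_header("Vary", "From")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def fetch_discovery(url, rp_contact):
    """RP side: one discovery request carrying the fixed From header."""
    req = urllib.request.Request(url, headers=rp_discovery_headers(rp_contact))
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Local demo: two RPs fetch the same identifier URL and get different OPs.
    server = ThreadingHTTPServer(("127.0.0.1", 0), IdentifierPage)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}/alice"
    for rp in ("openid@bank.example", "openid@blog.example"):
        print(rp, "->", fetch_discovery(url, rp).split("\n")[1])
    server.shutdown()
```

Running the file stand-alone starts the identifier page on a loopback port and shows the bank RP being delegated to the intranet OP while any other RP (or a request with no From at all) gets the public OP. Note that the spec text in the thread writes the address as "openid at example.net" only because the list archive obscures the "@"; the header value on the wire is a plain mailbox.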