<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
I believe it's possible to prevent impersonation for the use case where
the user instructs their IdP (OP) to inform the RP of the identifier
change. However, this will only work
if the RP remembers the IdP that last authenticated that OpenID
identifier and only allows this message from that IdP. <br>
<br>
Thanks,<br>
George<br>
<br>
P.S. Functionally, this seems similar to the SAML ManageNameIDRequest
message.<br>
<br>
Hallam-Baker, Phillip wrote:
<blockquote cite="mid198A730C2044DE4A96749D13E167AD37E7DF20@MOU1WNEXMB04.vcorp.ad.vrsn.com" type="cite">
<pre wrap="">Don't forget that the a more important constraint here is to prevent impersonation.
I don't see how one can switch between genuinely autonamous IdPs in the way suggested without allowing a rogue IdP to impersonate anyone they chose.
At what point do the synchronization mechanisms you build in exceed the complexity of PKI?
</pre>
<blockquote type="cite">
<pre wrap="">-----Original Message-----
From: John Kemp [<a class="moz-txt-link-freetext" href="mailto:frumioj@mac.com">mailto:frumioj@mac.com</a>]
Sent: Wednesday, November 01, 2006 11:33 AM
To: Hallam-Baker, Phillip
Cc: Stefan Görling; Shutra Zhou; <a class="moz-txt-link-abbreviated" href="mailto:specs@openid.net">specs@openid.net</a>
Subject: Re: Making identities persistent?
Hello,
I think you need the ability for a user to change his
identifier at the RP (as George notes below) and also at the
IdP. In addition, it should be possible for the IdP to
providing OpenID "forwarding" if the user leaves for another
IdP (perhaps the user will even pay for a forwarding
service?)
We're not talking about persistence as such (a particular
users OpenID can surely change over time?), but more the
ability for the user to update her OpenID when she switches
from one IdP to another. At the IdP, this would I guess be
kind of like leaving a forwarding address, as the user is
"leaving" one IdP and moving to another. At the RP, the user
is telling the RP that he is using a new IdP.
So, I think George's (1) is a necessity, and agree that (2)
is a business decision, but certainly offers the ability for
an IdP to be "community-friendly" if it so wishes, and may
even be a good business decision.
Isn't this all about the likely /lack/ of persistence in a
particular OpenID though?
Regards,
- John
Hallam-Baker, Phillip wrote:
</pre>
<blockquote type="cite">
<pre wrap="">If we want identities to be persistent then we are going to need to
introduce a layer of indirection.
This normally gets me worried about patents and such. Fortunately
Multics did this, so did UNIX and VMS. Plenty of prior art.
If we are serious about decentralization then map the user
</pre>
</blockquote>
<pre wrap="">identifier
</pre>
<blockquote type="cite">
<pre wrap="">onto a randomly assigned machine readable GUID.
</pre>
<blockquote type="cite">
<pre wrap="">-----Original Message----- From: <a class="moz-txt-link-abbreviated" href="mailto:specs-bounces@openid.net">specs-bounces@openid.net</a>
[<a class="moz-txt-link-freetext" href="mailto:specs-bounces@openid.net">mailto:specs-bounces@openid.net</a>] On Behalf Of Stefan Görling Sent:
Wednesday, November 01, 2006 10:52 AM To: Shutra Zhou Cc:
<a class="moz-txt-link-abbreviated" href="mailto:specs@openid.net">specs@openid.net</a> Subject: Re: Making identities persistent?
The reasons for raising this question was partly that I've
</pre>
</blockquote>
</blockquote>
<pre wrap="">been doing
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">some research on how people use e-mail addresses and sad
</pre>
</blockquote>
</blockquote>
<pre wrap="">to say, you
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">can not expect the user to make wise choices. And even so,
</pre>
</blockquote>
</blockquote>
<pre wrap="">companies
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">go broke even the best ones. Services comes and disappear. In my
research over half of the population use non-portable e-mail
addresses tied to an employer, university, etc.
and is likely to only live a few years.
E-mail is not a stable address/identity identifier. We
</pre>
</blockquote>
</blockquote>
<pre wrap="">must not rely
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">on it as such.
If we want an identity to be persistent, it must contain a
</pre>
</blockquote>
</blockquote>
<pre wrap="">migration
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">feature, so that I can move all their trust relations from
</pre>
</blockquote>
</blockquote>
<pre wrap="">one place
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">to another. This of course creates a number of other
</pre>
</blockquote>
</blockquote>
<pre wrap="">issues such as
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">security and complexibility, but it is my sincere belief that the
issue should be addressed by the system and not only
</pre>
</blockquote>
</blockquote>
<pre wrap="">delegated to be
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">dependent on wise user decisions.
Therefore, my +1 is on (1) below. I will try to read back
</pre>
</blockquote>
</blockquote>
<pre wrap="">on what has
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">been said in the past on a 'change identifier' extension
</pre>
</blockquote>
</blockquote>
<pre wrap="">and see if
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">there is anything I can do to help.
/Stefan
</pre>
<blockquote type="cite">
<pre wrap="">Yes, this is important thing I thought. We should privide a
</pre>
</blockquote>
<pre wrap="">spec for
</pre>
<blockquote type="cite">
<pre wrap="">the consumer to change their end user's OpenID URL,
</pre>
</blockquote>
<pre wrap="">optionally the end
</pre>
<blockquote type="cite">
<pre wrap="">user can use multiple OpenIDs in this consuemr. And this
</pre>
</blockquote>
<pre wrap="">case can be
</pre>
<blockquote type="cite">
<pre wrap="">expended as this, the IdP(OpenID Server) is closed down.
2006/10/31, George Fletcher <<a class="moz-txt-link-abbreviated" href="mailto:gffletch@aol.com">gffletch@aol.com</a>
</pre>
</blockquote>
<pre wrap=""><a class="moz-txt-link-rfc2396E" href="mailto:gffletch@aol.com"><mailto:gffletch@aol.com></a>>:
</pre>
<blockquote type="cite">
<pre wrap="">This is a good use case and I think important for both users and
IdPs (now OPs [OpenID Provider] per the latest "editor's
conference") to consider.
I see a number of options...
1. There has been some discussion regarding a "change
</pre>
</blockquote>
<pre wrap="">identifier"
</pre>
<blockquote type="cite">
<pre wrap="">extension that would allow you to change your identifier at the
relying party. This would solve the use case and is necessary
regardless of the other options.
2. The OP (in this case AOL.com) could continue to provide an
"identifier management" page that would allow the user
</pre>
</blockquote>
<pre wrap="">to specify
</pre>
<blockquote type="cite">
<pre wrap="">the OP of choice. This requires the OP to continue to serve the
XRDS doc or at least the indirection to a XRDS doc with
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">the new OP.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">This is not that much extra overhead for the OP,
</pre>
</blockquote>
<pre wrap="">but it will
</pre>
<blockquote type="cite">
<pre wrap="">likely be a business decision as to whether to support
</pre>
</blockquote>
<pre wrap="">such a feature.
</pre>
<blockquote type="cite">
<pre wrap="">3. The user gets to choose their OP so they can ensure that they
don't get "locked in". This is the ideal behind user-centric.
However, in practice, it will take good education and
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">time for users
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">to understand the ramifications of their decisions.
Thanks, George
Stefan Görling wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi everybody,
I'm trying to get a grip around your great work and have
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">one issue
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">that I'm not quite clear on, relevant to the discussion of using
<a class="moz-txt-link-abbreviated" href="mailto:user@example.com-style">user@example.com-style</a> <a class="moz-txt-link-rfc2396E" href="mailto:user@example.com-style"><mailto:user@example.com-style></a>
</pre>
</blockquote>
</blockquote>
<pre wrap="">identifiers, but also in a more general context.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">Please let me know if I've simply missunderstood my own question.
<a class="moz-txt-link-freetext" href="http://openid.net/specs/openid-authentication-2_0-09.html#an">http://openid.net/specs/openid-authentication-2_0-09.html#an</a>
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">chor48 says:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">"OpenID is decentralized. No central authority must approve or
register Relying Parties or Identity Providers. An End User
</pre>
</blockquote>
</blockquote>
<pre wrap="">can freely
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">choose
which Identity Provider to use. They can preserve their
</pre>
</blockquote>
</blockquote>
<pre wrap="">Identifier if
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">they switch Identity Providers."
Let us consider the case that I'm an AOL.com customer, and
</pre>
</blockquote>
</blockquote>
<pre wrap="">they act as
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">an IdP providing we with an identifier. I use this
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">identifier for 3
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">years for identity management on most of the services I
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">use, due to
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">the huge success of the standard... However, I'm starting
</pre>
</blockquote>
</blockquote>
<pre wrap="">to get fed
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">up with AOL and terminates my agreement with them. Is there any
procedure for me
to switch to another IdP? How is this done?
Best Regards,
Stefan Görling
_______________________________________________ specs
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">mailing list
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap=""><a class="moz-txt-link-abbreviated" href="mailto:specs@openid.net">specs@openid.net</a> <a class="moz-txt-link-rfc2396E" href="mailto:specs@openid.net"><mailto:specs@openid.net></a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/specs">http://openid.net/mailman/listinfo/specs</a>
</pre>
</blockquote>
<pre wrap="">_______________________________________________ specs
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">mailing list
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap=""><a class="moz-txt-link-abbreviated" href="mailto:specs@openid.net">specs@openid.net</a> <a class="moz-txt-link-rfc2396E" href="mailto:specs@openid.net"><mailto:specs@openid.net></a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/specs">http://openid.net/mailman/listinfo/specs</a>
</pre>
</blockquote>
<pre wrap="">_______________________________________________ specs mailing list
<a class="moz-txt-link-abbreviated" href="mailto:specs@openid.net">specs@openid.net</a> <a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/specs">http://openid.net/mailman/listinfo/specs</a>
</pre>
</blockquote>
<pre wrap="">_______________________________________________ specs mailing list
<a class="moz-txt-link-abbreviated" href="mailto:specs@openid.net">specs@openid.net</a> <a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/specs">http://openid.net/mailman/listinfo/specs</a>
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<pre wrap=""><!---->_______________________________________________
specs mailing list
<a class="moz-txt-link-abbreviated" href="mailto:specs@openid.net">specs@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/specs">http://openid.net/mailman/listinfo/specs</a>
</pre>
</blockquote>
</body>
</html>