Shade,

> > Merely allowing Google to advertise to the world who my OP is does
> > not give them an opportunity to pose as me.
>
> But that's exactly what delegation *is*; https://you.google.com/
> returns an HTML page from the server containing OpenID headers that
> either specify the OP directly,

Ah... ok, I get your point -- right.

> > Perhaps what you're driving at is that you do not want one "point of
> > failure" (a single human) in one organization to be the cause for a
> > security breach and what you want is to have authentication go
> > through a multi-OP authentication procedure in order to validate a
> > user? If so, I can think of a way to do that without changing OpenID,
>
> I don't think anyone has suggested changing OpenID (apart from the
> very public efforts to create new working groups, etcetera), and
> certainly there *have* been proposals for leveraging OpenID as it
> currently exists for a multi-OP authentication procedure; see
> http://wiki.openid.net/f/openid-provider-multiauth-extension-1_0-2.html

I think the reasoning given is valid. It's not necessarily a rogue OP or employee, but even a negligent employee who hands out a password.

I just took a very quick scan over the draft, but it does not seem to address the problem. Whoever serves the XRDS document could include two or more OPs that are not trustworthy and/or point to compromised URLs.

> > > It's the OpenID identifier this site would *provide* that I'm
> > > thinking about,
> >
> > Why would a blog *provide* an OpenID identifier?
>
> For this you have to delve back into OpenID's history, to before the
> concept of "E-mails are the One True Universal Identifier that
> everyone already understands!" took over (Facebook still kind of
> clings to that idea, I guess, since they recently went for the whole
> "vanity URL" practice), when geeks thought that everyone would
> readily take to using their personal website (brad.livejournal.com,
> or whatever) as their Identity on the web; where people go to find
> out more about you, your online "presence".

I am actually in the camp of thinking e-mail type IDs are better, yet I am a geek ;-) I do use a URL in my own domain as my OpenID identifier. I just think an email format is far better for the average users out there.

Anyway, now I understand your point of blogs providing IDs. I just misinterpreted your intent.

> > So, if my understanding above is right, I think I understand where
> > you're going. If not, then I guess I'm still lost :)
>
> The blind leading the . . . well, I'm lost too, anyway. I don't quite
> understand what was being proposed in the thread, but it sounded like
> it might have potential, so I'm trying to figure out where it might
> go that seemed interesting.

No, I don't think you're blind... you do seem to have some good points here. It's just taking me a bit of time to get on the same page :-)

What I had asked that got this thread started was whether people were still discussing the use of email IDs. I proposed a way to do it using DNS (mapping email addresses to URIs using NAPTR records). I got a reply back pointing me to "web finger" (which I had not seen before). Given that this is a "webby" kind of thing, I do appreciate the idea of "web finger" a lot more, plus it has a heck of a lot more flexibility.

That said, I'm not sure whether it's really "web finger" or whether it might just be "host-meta". They both serve up XRD documents, with the former providing user-specific information and the latter providing domain-specific information. OpenID references could appear in either place. I liked the idea -- and I'd be happy with either.

There are trust issues, as you rightfully point out, but I don't think using XRD makes them less secure. One might not trust Google (sorry, I have to pick on somebody), but an email format does not mean it is an email address. One might get an OpenID ID from openid.net, for example, and perhaps the "email format" is [email protected]. I think it is reasonable to not assume these are email addresses -- just use the format. In my case, I would use the same value for both email and OpenID. People who use Google or Yahoo for email may very well do the same.

It just should not be a requirement that the OpenID "email style" ID and email address be the same.

Paul
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
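The trust point raised above (a delegating HTML page or an XRDS document can name whatever OP its author likes, so the relying party has to decide which OPs it accepts) as an added example of an RP-side discovery check; this is not code from the thread or from any OpenID library, and the sample documents, the hosts op.example.net and op.evil.example, and the trust list are constructed.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# Namespace and service type used by OpenID 2.0 XRDS discovery documents.
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"
# Constructed sample discovery documents (hypothetical hosts, not from the thread).
SAMPLE_HTML = ('<html><head>'
               '<link rel="openid2.provider" href="https://op.example.net/auth">'
               '</head></html>')
SAMPLE_XRDS = ('<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>'
               '<Service><Type>http://specs.openid.net/auth/2.0/signon</Type>'
               '<URI>https://op.example.net/auth</URI></Service>'
               '<Service><Type>http://specs.openid.net/auth/2.0/signon</Type>'
               '<URI>http://op.evil.example/auth</URI></Service></XRD></xrds:XRDS>')

class _LinkCollector(HTMLParser):
    """Collects <link rel=... href=...> pairs from a delegating HTML page."""
    def __init__(self):
        super().__init__()
        self.links = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") and a.get("href"):
            self.links.update((r, a["href"]) for r in a["rel"].split())

def discover_html(html):
    """OP endpoints named by an HTML page (OpenID 2.0 link first, then the 1.x one)."""
    c = _LinkCollector()
    c.feed(html)
    return [c.links[k] for k in ("openid2.provider", "openid.server") if k in c.links]

def discover_xrds(xml):
    """Every OP endpoint URI listed in the signon services of an XRDS document."""
    eps = []
    for svc in ET.fromstring(xml).iter("{%s}Service" % XRD_NS):
        if OPENID2_SIGNON in [c.text for c in svc if c.tag == "{%s}Type" % XRD_NS]:
            eps += [c.text.strip() for c in svc if c.tag == "{%s}URI" % XRD_NS]
    return eps

def vet_endpoints(endpoints, trusted_hosts):
    """RP-side policy: each discovered OP must use https and be on the RP's trust list."""
    reasons = ["no OP endpoint discovered"] if not endpoints else []
    for ep in endpoints:
        u = urlparse(ep)
        if u.scheme != "https":
            reasons.append("non-https OP endpoint: " + ep)
        if u.hostname not in trusted_hosts:
            reasons.append("OP host not on the trust list: %s" % u.hostname)
    return (not reasons, reasons)
```

With a trust list of just op.example.net, the HTML sample passes while the XRDS sample is rejected twice over (cleartext endpoint and unknown host), which is the decision the RP, not the document's author, should be making.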
