subject:"Making identities persistent\?"

Re: Making identities persistent?

2006-11-02 Thread George Fletcher





I believe it's possible to prevent impersonation for the use case where
the user instructs their IdP (OP) to inform the RP of the identifier
change.  However, this will only work
if the RP remembers the IdP that last authenticated that OpenID
identifier and only allows this message from that IdP.  

Thanks,
George

P.S. Functionally, this seems similar to the SAML ManageNameIDRequest
message.

Hallam-Baker, Phillip wrote:

  Don't forget that the a more important constraint here is to prevent impersonation.

I don't see how one can switch between genuinely autonamous IdPs in the way suggested without allowing a rogue IdP to impersonate anyone they chose.

At what point do the synchronization mechanisms you build in exceed the complexity of PKI?

  
  
-Original Message-
From: John Kemp [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, November 01, 2006 11:33 AM
To: Hallam-Baker, Phillip
Cc: Stefan Görling; Shutra Zhou; specs@openid.net
Subject: Re: Making identities persistent?

Hello,

I think you need the ability for a user to change his 
identifier at the RP (as George notes below) and also at the 
IdP. In addition, it should be possible for the IdP to 
providing OpenID "forwarding" if the user leaves for another 
IdP (perhaps the user will even pay for a forwarding
service?)

We're not talking about persistence as such (a particular 
users OpenID can surely change over time?), but more the 
ability for the user to update her OpenID when she switches 
from one IdP to another. At the IdP, this would I guess be 
kind of like leaving a forwarding address, as the user is 
"leaving" one IdP and moving to another. At the RP, the user 
is telling the RP that he is using a new IdP.

So, I think George's (1) is a necessity, and agree that (2) 
is a business decision, but certainly offers the ability for 
an IdP to be "community-friendly" if it so wishes, and may 
even be a good business decision.

Isn't this all about the likely /lack/ of persistence in a 
particular OpenID though?

Regards,

- John

Hallam-Baker, Phillip wrote:


  If we want identities to be persistent then we are going to need to 
introduce a layer of indirection.

This normally gets me worried about patents and such. Fortunately 
Multics did this, so did UNIX and VMS. Plenty of prior art.

If we are serious about decentralization then map the user 
  

identifier 


  onto a randomly assigned machine readable GUID.

  
  
-Original Message- From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Stefan Görling Sent:
Wednesday, November 01, 2006 10:52 AM To: Shutra Zhou Cc:
specs@openid.net Subject: Re: Making identities persistent?


The reasons for raising this question was partly that I've 

  

been doing 


  
some research on how people use e-mail addresses and sad 

  

to say, you 


  
can not expect the user to make wise choices. And even so, 

  

companies 


  
go broke even the best ones. Services comes and disappear. In my 
research over half of the population use non-portable e-mail 
addresses tied to an employer, university, etc.
and is likely to only live a few years.

E-mail is not a stable address/identity identifier. We 

  

must not rely 


  
on it as such.

If we want an identity to be persistent, it must contain a 

  

migration 


  
feature, so that I can move all their trust relations from 

  

one place 


  
to another. This of course creates a number of other 

  

issues such as 


  
security and complexibility, but it is my sincere belief that the 
issue should be addressed by the system and not only 

  

delegated to be 


  
dependent on wise user decisions.

Therefore, my +1 is on (1) below. I will try to read back 

  

on what has 


  
been said in the past on a 'change identifier' extension 

  

and see if 


  
there is anything I can do to help.

/Stefan



  Yes, this is important thing I thought. We should privide a
  

spec for


  the consumer to change their end user's OpenID URL,
  

optionally the end


  user can use multiple OpenIDs in this consuemr. And this
  

case can be


  expended as this, the IdP（OpenID Server） is closed down.

2006/10/31, George Fletcher <[EMAIL PROTECTED]
  

>:


  This is a good use case an

RE: Making identities persistent?

2006-11-01 Thread Recordon, David

Pete,
While the transaction with the IdP is about the derived identifier (sort
of like that term actually), the RP uses the delegated identifier when
referencing the user.

--David 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Pete Rowley
Sent: Wednesday, November 01, 2006 10:53 AM
To: Rowan Kerr
Cc: specs@openid.net
Subject: Re: Making identities persistent?

Rowan Kerr wrote:
> On Wed, 2006-11-01 at 11:33 -0500, John Kemp wrote:
>   
>> I think you need the ability for a user to change his identifier at 
>> the RP (as George notes below) and also at the IdP.
>> 
>
> Isn't this was already covered in the spec? You accomplish this by 
> creating an HTML page on some website you control with a http-equiv 
> meta tag in it that points to your IdP. Then you use your own url as 
> your Identity, even though ultimately the data is pulled from the IdP.
>
> So if you ever want to change IdP's you simply update your html page 
> with the new server. And your Identifier never needs to change.
>
>
>   
Except that the spec specifies that it is the derived identifier of the
IdP that is used at the RP - which means a delegated identifier actually
isn't used as an identifier. That is not quite the same thing.

--
Pete

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

RE: Making identities persistent?

2006-11-01 Thread Hallam-Baker, Phillip

I'm afraid I still don't get it.

As far as I am concerned the authenticated identifier is the tuple:

   (Identity-provider-Id,  Identifier)

If we want to have a single identifier there has to be a mechanism for 
establishing the scope of authority for each IdP over a specific subset of 
identifiers.

There are only two potential mechanisms I can see for achieving this:

  1) A lexigraphical convention
  2) A signalling registry


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Pete Rowley
> Sent: Wednesday, November 01, 2006 1:53 PM
> To: Rowan Kerr
> Cc: specs@openid.net
> Subject: Re: Making identities persistent?
> 
> Rowan Kerr wrote:
> > On Wed, 2006-11-01 at 11:33 -0500, John Kemp wrote:
> >   
> >> I think you need the ability for a user to change his 
> identifier at 
> >> the RP (as George notes below) and also at the IdP.
> >> 
> >
> > Isn't this was already covered in the spec? You accomplish this by 
> > creating an HTML page on some website you control with a http-equiv 
> > meta tag in it that points to your IdP. Then you use your 
> own url as 
> > your Identity, even though ultimately the data is pulled 
> from the IdP.
> >
> > So if you ever want to change IdP's you simply update your 
> html page 
> > with the new server. And your Identifier never needs to change.
> >
> >
> >   
> Except that the spec specifies that it is the derived 
> identifier of the IdP that is used at the RP - which means a 
> delegated identifier actually isn't used as an identifier. 
> That is not quite the same thing.
> 
> --
> Pete
> 
> 
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Making identities persistent?

2006-11-01 Thread Pete Rowley


Rowan Kerr wrote:

On Wed, 2006-11-01 at 11:33 -0500, John Kemp wrote:
  

I think you need the ability for a user to change his identifier at the
RP (as George notes below) and also at the IdP. 



Isn't this was already covered in the spec? You accomplish this by
creating an HTML page on some website you control with a http-equiv meta
tag in it that points to your IdP. Then you use your own url as your
Identity, even though ultimately the data is pulled from the IdP.

So if you ever want to change IdP's you simply update your html page
with the new server. And your Identifier never needs to change.


  
Except that the spec specifies that it is the derived identifier of the 
IdP that is used at the RP - which means a delegated identifier actually 
isn't used as an identifier. That is not quite the same thing.


--
Pete



smime.p7s
Description: S/MIME Cryptographic Signature
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

RE: Making identities persistent?

2006-11-01 Thread Hallam-Baker, Phillip

Don't forget that the a more important constraint here is to prevent 
impersonation.

I don't see how one can switch between genuinely autonamous IdPs in the way 
suggested without allowing a rogue IdP to impersonate anyone they chose.

At what point do the synchronization mechanisms you build in exceed the 
complexity of PKI?

> -Original Message-
> From: John Kemp [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, November 01, 2006 11:33 AM
> To: Hallam-Baker, Phillip
> Cc: Stefan Görling; Shutra Zhou; specs@openid.net
> Subject: Re: Making identities persistent?
> 
> Hello,
> 
> I think you need the ability for a user to change his 
> identifier at the RP (as George notes below) and also at the 
> IdP. In addition, it should be possible for the IdP to 
> providing OpenID "forwarding" if the user leaves for another 
> IdP (perhaps the user will even pay for a forwarding
> service?)
> 
> We're not talking about persistence as such (a particular 
> users OpenID can surely change over time?), but more the 
> ability for the user to update her OpenID when she switches 
> from one IdP to another. At the IdP, this would I guess be 
> kind of like leaving a forwarding address, as the user is 
> "leaving" one IdP and moving to another. At the RP, the user 
> is telling the RP that he is using a new IdP.
> 
> So, I think George's (1) is a necessity, and agree that (2) 
> is a business decision, but certainly offers the ability for 
> an IdP to be "community-friendly" if it so wishes, and may 
> even be a good business decision.
> 
> Isn't this all about the likely /lack/ of persistence in a 
> particular OpenID though?
> 
> Regards,
> 
> - John
> 
> Hallam-Baker, Phillip wrote:
> > If we want identities to be persistent then we are going to need to 
> > introduce a layer of indirection.
> > 
> > This normally gets me worried about patents and such. Fortunately 
> > Multics did this, so did UNIX and VMS. Plenty of prior art.
> > 
> > If we are serious about decentralization then map the user 
> identifier 
> > onto a randomly assigned machine readable GUID.
> > 
> >> -Original Message- From: [EMAIL PROTECTED] 
> >> [mailto:[EMAIL PROTECTED] On Behalf Of Stefan Görling Sent:
> >> Wednesday, November 01, 2006 10:52 AM To: Shutra Zhou Cc:
> >> specs@openid.net Subject: Re: Making identities persistent?
> >> 
> >> 
> >> The reasons for raising this question was partly that I've 
> been doing 
> >> some research on how people use e-mail addresses and sad 
> to say, you 
> >> can not expect the user to make wise choices. And even so, 
> companies 
> >> go broke even the best ones. Services comes and disappear. In my 
> >> research over half of the population use non-portable e-mail 
> >> addresses tied to an employer, university, etc.
> >> and is likely to only live a few years.
> >> 
> >> E-mail is not a stable address/identity identifier. We 
> must not rely 
> >> on it as such.
> >> 
> >> If we want an identity to be persistent, it must contain a 
> migration 
> >> feature, so that I can move all their trust relations from 
> one place 
> >> to another. This of course creates a number of other 
> issues such as 
> >> security and complexibility, but it is my sincere belief that the 
> >> issue should be addressed by the system and not only 
> delegated to be 
> >> dependent on wise user decisions.
> >> 
> >> Therefore, my +1 is on (1) below. I will try to read back 
> on what has 
> >> been said in the past on a 'change identifier' extension 
> and see if 
> >> there is anything I can do to help.
> >> 
> >> /Stefan
> >> 
> >>> Yes, this is important thing I thought. We should privide a
> >> spec for
> >>> the consumer to change their end user's OpenID URL,
> >> optionally the end
> >>> user can use multiple OpenIDs in this consuemr. And this
> >> case can be
> >>> expended as this, the IdP（OpenID Server） is closed down.
> >>> 
> >>> 2006/10/31, George Fletcher <[EMAIL PROTECTED]
> >> <mailto:[EMAIL PROTECTED]>>:
> >>> This is a good use case and I think important for both users and 
> >>> IdPs (now OPs [OpenID Provider] per the latest "editor's
> >>> conference") to consider.
> >>> 
> >>> I see a number of options...
> >>> 
> >>> 1. There has been

Re: Making identities persistent?

2006-11-01 Thread Rowan Kerr

On Wed, 2006-11-01 at 11:33 -0500, John Kemp wrote:
> I think you need the ability for a user to change his identifier at the
> RP (as George notes below) and also at the IdP. 

Isn't this was already covered in the spec? You accomplish this by
creating an HTML page on some website you control with a http-equiv meta
tag in it that points to your IdP. Then you use your own url as your
Identity, even though ultimately the data is pulled from the IdP.

So if you ever want to change IdP's you simply update your html page
with the new server. And your Identifier never needs to change.

> In addition, it should
> be possible for the IdP to providing OpenID "forwarding" if the user
> leaves for another IdP (perhaps the user will even pay for a forwarding
> service?)

Is there anything against an IdP implementing the "delegate" feature to
forward to a different server?

-Rowan

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Making identities persistent?

2006-11-01 Thread John Kemp

Hello,

I think you need the ability for a user to change his identifier at the
RP (as George notes below) and also at the IdP. In addition, it should
be possible for the IdP to providing OpenID "forwarding" if the user
leaves for another IdP (perhaps the user will even pay for a forwarding
service?)

We're not talking about persistence as such (a particular users OpenID
can surely change over time?), but more the ability for the user to
update her OpenID when she switches from one IdP to another. At the IdP,
this would I guess be kind of like leaving a forwarding address, as the
user is "leaving" one IdP and moving to another. At the RP, the user is
telling the RP that he is using a new IdP.

So, I think George's (1) is a necessity, and agree that (2) is a
business decision, but certainly offers the ability for an IdP to be
"community-friendly" if it so wishes, and may even be a good business
decision.

Isn't this all about the likely /lack/ of persistence in a particular
OpenID though?

Regards,

- John

Hallam-Baker, Phillip wrote:
> If we want identities to be persistent then we are going to need to
> introduce a layer of indirection.
> 
> This normally gets me worried about patents and such. Fortunately
> Multics did this, so did UNIX and VMS. Plenty of prior art.
> 
> If we are serious about decentralization then map the user identifier
> onto a randomly assigned machine readable GUID.
> 
>> -Original Message- From: [EMAIL PROTECTED] 
>> [mailto:[EMAIL PROTECTED] On Behalf Of Stefan Görling Sent:
>> Wednesday, November 01, 2006 10:52 AM To: Shutra Zhou Cc:
>> specs@openid.net Subject: Re: Making identities persistent?
>> 
>> 
>> The reasons for raising this question was partly that I've been
>> doing some research on how people use e-mail addresses and sad to
>> say, you can not expect the user to make wise choices. And even so,
>> companies go broke even the best ones. Services comes and
>> disappear. In my research over half of the population use
>> non-portable e-mail addresses tied to an employer, university, etc.
>> and is likely to only live a few years.
>> 
>> E-mail is not a stable address/identity identifier. We must not
>> rely on it as such.
>> 
>> If we want an identity to be persistent, it must contain a 
>> migration feature, so that I can move all their trust relations
>> from one place to another. This of course creates a number of other
>> issues such as security and complexibility, but it is my sincere
>> belief that the issue should be addressed by the system and not
>> only delegated to be dependent on wise user decisions.
>> 
>> Therefore, my +1 is on (1) below. I will try to read back on what
>> has been said in the past on a 'change identifier' extension and
>> see if there is anything I can do to help.
>> 
>> /Stefan
>> 
>>> Yes, this is important thing I thought. We should privide a
>> spec for
>>> the consumer to change their end user's OpenID URL,
>> optionally the end
>>> user can use multiple OpenIDs in this consuemr. And this
>> case can be
>>> expended as this, the IdP（OpenID Server） is closed down.
>>> 
>>> 2006/10/31, George Fletcher <[EMAIL PROTECTED]
>> <mailto:[EMAIL PROTECTED]>>:
>>> This is a good use case and I think important for both users and 
>>> IdPs (now OPs [OpenID Provider] per the latest "editor's 
>>> conference") to consider.
>>> 
>>> I see a number of options...
>>> 
>>> 1. There has been some discussion regarding a "change
>> identifier"
>>> extension that would allow you to change your identifier at the 
>>> relying party.  This would solve the use case and is necessary 
>>> regardless of the other options.
>>> 
>>> 2. The OP (in this case AOL.com) could continue to provide an 
>>> "identifier management" page that would allow the user
>> to specify
>>> the OP of choice.  This requires the OP to continue to serve the 
>>> XRDS doc or at least the indirection to a XRDS doc with the new 
>>> OP.  This is not that much extra overhead for the OP,
>> but it will
>>> likely be a business decision as to whether to support
>> such a feature.
>>> 3. The user gets to choose their OP so they can ensure that they 
>>> don't get "locked in".  This is the ideal behind user-centric. 
>>> However, in practice, it will take good education and time for 
>>> users to understand the ramifications of their decisions.
>>> 
>>&g

RE: Making identities persistent?

2006-11-01 Thread Hallam-Baker, Phillip

If we want identities to be persistent then we are going to need to introduce a 
layer of indirection. 

This normally gets me worried about patents and such. Fortunately Multics did 
this, so did UNIX and VMS. Plenty of prior art. 

If we are serious about decentralization then map the user identifier onto a 
randomly assigned machine readable GUID.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Stefan Görling
> Sent: Wednesday, November 01, 2006 10:52 AM
> To: Shutra Zhou
> Cc: specs@openid.net
> Subject: Re: Making identities persistent?
> 
> 
> The reasons for raising this question was partly that I've 
> been doing some research on how people use e-mail addresses 
> and sad to say, you can not expect the user to make wise 
> choices. And even so, companies go broke even the best ones. 
> Services comes and disappear. In my research over half of the 
> population use non-portable e-mail addresses tied to an 
> employer, university, etc. and is likely to only live a few years.
> 
> E-mail is not a stable address/identity identifier. We must 
> not rely on it as such.
> 
> If we want an identity to be persistent, it must contain a 
> migration feature, so that I can move all their trust 
> relations from one place to another. This of course creates a 
> number of other issues such as security and complexibility, 
> but it is my sincere belief that the issue should be 
> addressed by the system and not only delegated to be 
> dependent on wise user decisions.
> 
> Therefore, my +1 is on (1) below. I will try to read back on 
> what has been said in the past on a 'change identifier' 
> extension and see if there is anything I can do to help.
> 
> /Stefan
> 
> > Yes, this is important thing I thought. We should privide a 
> spec for 
> > the consumer to change their end user's OpenID URL, 
> optionally the end 
> > user can use multiple OpenIDs in this consuemr. And this 
> case can be 
> > expended as this, the IdP（OpenID Server） is closed down.
> >
> > 2006/10/31, George Fletcher <[EMAIL PROTECTED] 
> <mailto:[EMAIL PROTECTED]>>:
> >
> > This is a good use case and I think important for both users and
> > IdPs (now OPs [OpenID Provider] per the latest "editor's
> > conference") to consider.
> >
> > I see a number of options...
> >
> > 1. There has been some discussion regarding a "change 
> identifier"
> > extension that would allow you to change your identifier at the
> > relying party.  This would solve the use case and is necessary
> > regardless of the other options.
> >
> > 2. The OP (in this case AOL.com) could continue to provide an
> > "identifier management" page that would allow the user 
> to specify
> > the OP of choice.  This requires the OP to continue to serve the
> > XRDS doc or at least the indirection to a XRDS doc with the new
> > OP.  This is not that much extra overhead for the OP, 
> but it will
> > likely be a business decision as to whether to support 
> such a feature.
> >
> > 3. The user gets to choose their OP so they can ensure that they
> > don't get "locked in".  This is the ideal behind user-centric. 
> > However, in practice, it will take good education and time for
> > users to understand the ramifications of their decisions.
> >
> > Thanks,
> > George
> >
> > Stefan Görling wrote:
> >
> >>Hi everybody,
> >>
> >>I'm trying to get a grip around your great work and have one issue 
> >>that I'm not quite clear on, relevant to the discussion of using
> >>
> >>[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> 
> identifiers, but also in a more general context. 
> >>Please let me know if I've simply missunderstood my own question.
> >>
> >>
> >>http://openid.net/specs/openid-authentication-2_0-09.html#an
chor48 says:
> >>"OpenID is decentralized. No central authority must approve or 
> >>register Relying Parties or Identity Providers. An End User 
> can freely 
> >>choose
> >>
> >>which Identity Provider to use. They can preserve their 
> Identifier if 
> >>they switch Identity Providers."
> >>
> >>Let us consider the case that I'm an AOL.com customer, and 
> they act as 
> >>an IdP providing we with an identifier. I use this identifier for 3
> >>
> >>years for identity management on most of the services I u

Re: Making identities persistent?

2006-11-01 Thread Stefan Görling


The reasons for raising this question was partly that I've been doing 
some research on how people use e-mail addresses and sad to say, you can 
not expect the user to make wise choices. And even so, companies go 
broke even the best ones. Services comes and disappear. In my research 
over half of the population use non-portable e-mail addresses tied to an 
employer, university, etc. and is likely to only live a few years.

E-mail is not a stable address/identity identifier. We must not rely on 
it as such.

If we want an identity to be persistent, it must contain a migration 
feature, so that I can move all their trust relations from one place to 
another. This of course creates a number of other issues such as 
security and complexibility, but it is my sincere belief that the issue 
should be addressed by the system and not only delegated to be dependent 
on wise user decisions.

Therefore, my +1 is on (1) below. I will try to read back on what has 
been said in the past on a 'change identifier' extension and see if 
there is anything I can do to help.

/Stefan

> Yes, this is important thing I thought. We should privide a spec for 
> the consumer to change their end user's OpenID URL, optionally the end 
> user can use multiple OpenIDs in this consuemr. And this case can be 
> expended as this, the IdP（OpenID Server） is closed down.
>
> 2006/10/31, George Fletcher <[EMAIL PROTECTED] >:
>
> This is a good use case and I think important for both users and
> IdPs (now OPs [OpenID Provider] per the latest "editor's
> conference") to consider.
>
> I see a number of options...
>
> 1. There has been some discussion regarding a "change identifier"
> extension that would allow you to change your identifier at the
> relying party.  This would solve the use case and is necessary
> regardless of the other options.
>
> 2. The OP (in this case AOL.com) could continue to provide an
> "identifier management" page that would allow the user to specify
> the OP of choice.  This requires the OP to continue to serve the
> XRDS doc or at least the indirection to a XRDS doc with the new
> OP.  This is not that much extra overhead for the OP, but it will
> likely be a business decision as to whether to support such a feature.
>
> 3. The user gets to choose their OP so they can ensure that they
> don't get "locked in".  This is the ideal behind user-centric. 
> However, in practice, it will take good education and time for
> users to understand the ramifications of their decisions.
>
> Thanks,
> George
>
> Stefan Görling wrote:
>
>>Hi everybody,
>>
>>I'm trying to get a grip around your great work and have one issue that 
>>I'm not quite clear on, relevant to the discussion of using 
>>
>>[EMAIL PROTECTED]  identifiers, but also in a more 
>>general context. 
>>Please let me know if I've simply missunderstood my own question.
>>
>>
>>http://openid.net/specs/openid-authentication-2_0-09.html#anchor48 says:
>>"OpenID is decentralized. No central authority must approve or register 
>>Relying Parties or Identity Providers. An End User can freely choose 
>>
>>which Identity Provider to use. They can preserve their Identifier if 
>>they switch Identity Providers."
>>
>>Let us consider the case that I'm an AOL.com customer, and they act as 
>>an IdP providing we with an identifier. I use this identifier for 3 
>>
>>years for identity management on most of the services I use, due to the 
>>huge success of the standard... However, I'm starting to get fed up with 
>>AOL and terminates my agreement with them. Is there any procedure for me 
>>
>>to switch to another IdP? How is this done?
>>
>>Best Regards,
>>
>>Stefan Görling
>>
>>
>>
>>___
>>specs mailing list
>>
>>specs@openid.net 
>>http://openid.net/mailman/listinfo/specs
>>
>>  
>>
>
> ___
> specs mailing list
> specs@openid.net 
> http://openid.net/mailman/listinfo/specs
>
>
>

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

RE: Making identities persistent?

2006-11-01 Thread Hallam-Baker, Phillip




Bad statement of the principle. Centralized direction is 
inevitable if there are to be unique, mnemonic 
identifiers.
 
The questions are whether the centralized control is 
accountable, whether the system has checks and balances and the confidence that 
users can place in the registry continuing to be supported after the startup 
money has run out.
 
 


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Drummond 
  ReedSent: Tuesday, October 31, 2006 10:31 PMTo: 'George 
  Fletcher'; 'Stefan Görling'Cc: specs@openid.netSubject: 
  RE: Making identities persistent?
  
  
  Good answer, George. 
  The question applies mainly to delegated identifiers (e.g., email addresses 
  delegated under a specific DNS domain like [EMAIL PROTECTED], third-or-lower level 
  domain names like user.aol.com, or community i-names such as @aol*user), since 
  they are by definition assigned within the context of (and thus under the 
  ultimate control of) as specific identifier community (such as aol.com). 
  
   
  For identifiers 
  registered directly with a global registry (e.g., joesmith.com in DNS or 
  =joe.smith in XRI), the identifiers themselves are portable across registrars 
  and the registrant has direct control of the identifier and what it resolves 
  to (e.g., the XRDS document).This portability is established by ICANN for DNS 
  registries and XDI.org for XRI global registries.
   
  So the section of the 
  spec you cite should probably be clarified with regard to these points, i.e., 
  something like: 
   "OpenID is decentralized. No central authority must approve or register Relying Parties or OpenID Providers. An End User can freely choose which OpenID Provider to use. OpenID design also enables an End User to continue to use an OpenID Identifier if they switch OpenID Providers. Note that the portability and persistence of an OpenID identifier itself (URL or XRI) is a capability of the identifier and the registry authority and is out of scope for OpenID. End Users who wish to maintain persistent control of an OpenID Identifier SHOULD select an identifier and registry authority that offers these capabilities.
   
  Thoughts?
   
  =Drummond 
  
  
  
  
  
  From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George FletcherSent: Tuesday, October 31, 2006 7:36 
  AMTo: Stefan 
  GörlingCc: 
  specs@openid.netSubject: Re: 
  Making identities persistent?
   
  This is a good use case and I 
  think important for both users and IdPs (now OPs [OpenID Provider] per the 
  latest "editor's conference") to consider.I see a number of 
  options...1. There has been some discussion regarding a "change 
  identifier" extension that would allow you to change your identifier at the 
  relying party.  This would solve the use case and is necessary regardless 
  of the other options.2. The OP (in this case AOL.com) could continue 
  to provide an "identifier management" page that would allow the user to 
  specify the OP of choice.  This requires the OP to continue to serve the 
  XRDS doc or at least the indirection to a XRDS doc with the new OP.  This 
  is not that much extra overhead for the OP, but it will likely be a business 
  decision as to whether to support such a feature.3. The user gets to 
  choose their OP so they can ensure that they don't get "locked in".  This 
  is the ideal behind user-centric.  However, in practice, it will take 
  good education and time for users to understand the ramifications of their 
  decisions.Thanks,GeorgeStefan Görling wrote: 
  Hi everybody, I'm trying to get a grip around your great work and have one issue that I'm not quite clear on, relevant to the discussion of using [EMAIL PROTECTED] identifiers, but also in a more general context. Please let me know if I've simply missunderstood my own question. http://openid.net/specs/openid-authentication-2_0-09.html#anchor48 says:"OpenID is decentralized. No central authority must approve or register Relying Parties or Identity Providers. An End User can freely choose which Identity Provider to use. They can preserve their Identifier if they switch Identity Providers." Let us consider the case that I'm an AOL.com customer, and they act as an IdP providing we with an identifier. I use this identifier for 3 years for identity management on most of the services I use, due to the huge success of the standard... However, I'm starting to get fed up with AOL and terminates my agreement with them. Is there any procedure for me to switch to another IdP? How is this done? Best Regards, Stefan Görling   ___specs mailing listspecs@openid.nethttp://openid.net/mailman/listinfo/specs   
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

RE: Making identities persistent?

2006-10-31 Thread Drummond Reed









Good answer, George. The question applies
mainly to delegated identifiers (e.g., email addresses delegated under a
specific DNS domain like [EMAIL PROTECTED], third-or-lower level domain names like
user.aol.com, or community i-names such as @aol*user), since they are by
definition assigned within the context of (and thus under the ultimate control
of) as specific identifier community (such as aol.com). 

 

For identifiers registered directly with a
global registry (e.g., joesmith.com in DNS or =joe.smith in XRI), the identifiers
themselves are portable across registrars and the registrant has direct control
of the identifier and what it resolves to (e.g., the XRDS document).This portability
is established by ICANN for DNS registries and XDI.org for XRI global
registries.

 

So the section of the spec you cite should
probably be clarified with regard to these points, i.e., something like: 

 

"OpenID is decentralized. No central authority must approve or register Relying Parties or OpenID Providers. An End User can freely choose which OpenID Provider to use. OpenID design also enables an End User to continue to use an OpenID Identifier if they switch OpenID Providers. Note that the portability and persistence of an OpenID identifier itself (URL or XRI) is a capability of the identifier and the registry authority and is out of scope for OpenID. End Users who wish to maintain persistent control of an OpenID Identifier SHOULD select an identifier and registry authority that offers these capabilities.”

 

Thoughts?

 

=Drummond 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Fletcher
Sent: Tuesday, October 31, 2006
7:36 AM
To: Stefan Görling
Cc: specs@openid.net
Subject: Re: Making identities
persistent?



 

This is a good use case and I
think important for both users and IdPs (now OPs [OpenID Provider] per the
latest "editor's conference") to consider.

I see a number of options...

1. There has been some discussion regarding a "change identifier"
extension that would allow you to change your identifier at the relying
party.  This would solve the use case and is necessary regardless of the
other options.

2. The OP (in this case AOL.com) could continue to provide an "identifier
management" page that would allow the user to specify the OP of
choice.  This requires the OP to continue to serve the XRDS doc or at
least the indirection to a XRDS doc with the new OP.  This is not that
much extra overhead for the OP, but it will likely be a business decision as to
whether to support such a feature.

3. The user gets to choose their OP so they can ensure that they don't get
"locked in".  This is the ideal behind user-centric. 
However, in practice, it will take good education and time for users to
understand the ramifications of their decisions.

Thanks,
George

Stefan Görling wrote: 

Hi everybody, I'm trying to get a grip around your great work and have one issue that I'm not quite clear on, relevant to the discussion of using [EMAIL PROTECTED] identifiers, but also in a more general context. Please let me know if I've simply missunderstood my own question. http://openid.net/specs/openid-authentication-2_0-09.html#anchor48 says:"OpenID is decentralized. No central authority must approve or register Relying Parties or Identity Providers. An End User can freely choose which Identity Provider to use. They can preserve their Identifier if they switch Identity Providers." Let us consider the case that I'm an AOL.com customer, and they act as an IdP providing we with an identifier. I use this identifier for 3 years for identity management on most of the services I use, due to the huge success of the standard... However, I'm starting to get fed up with AOL and terminates my agreement with them. Is there any procedure for me to switch to another IdP? How is this done? Best Regards, Stefan Görling   ___specs mailing listspecs@openid.nethttp://openid.net/mailman/listinfo/specs   




___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Making identities persistent?

2006-10-31 Thread Shutra Zhou

Yes, this is important thing I thought. We should privide a spec for the
consumer to change their end user's OpenID URL, optionally the end user can use multiple OpenIDs in this consuemr. And this case can be
expended as this, the IdP（OpenID Server） is closed down.2006/10/31, George Fletcher <[EMAIL PROTECTED]>:



  


This is a good use case and I
think important for both users and IdPs (now OPs [OpenID Provider] per
the latest "editor's conference") to consider.

I see a number of options...

1. There has been some discussion regarding a "change identifier"
extension that would allow you to change your identifier at the relying
party.  This would solve the use case and is necessary regardless of
the other options.

2. The OP (in this case AOL.com) could continue to provide an
"identifier management" page that would allow the user to specify the
OP of choice.  This requires the OP to continue to serve the XRDS doc
or at least the indirection to a XRDS doc with the new OP.  This is not
that much extra overhead for the OP, but it will likely be a business
decision as to whether to support such a feature.

3. The user gets to choose their OP so they can ensure that they don't
get "locked in".  This is the ideal behind user-centric.  However, in
practice, it will take good education and time for users to understand
the ramifications of their decisions.

Thanks,
George

Stefan Görling wrote:

  Hi everybody,I'm trying to get a grip around your great work and have one issue that I'm not quite clear on, relevant to the discussion of using 
[EMAIL PROTECTED] identifiers, but also in a more general context. Please let me know if I've simply missunderstood my own question.
http://openid.net/specs/openid-authentication-2_0-09.html#anchor48 says:"OpenID is decentralized. No central authority must approve or register Relying Parties or Identity Providers. An End User can freely choose 
which Identity Provider to use. They can preserve their Identifier if they switch Identity Providers."Let us consider the case that I'm an AOL.com customer, and they act as an IdP providing we with an identifier. I use this identifier for 3 
years for identity management on most of the services I use, due to the huge success of the standard... However, I'm starting to get fed up with AOL and terminates my agreement with them. Is there any procedure for me 
to switch to another IdP? How is this done?Best Regards,Stefan Görling___specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

  




___specs mailing listspecs@openid.net
http://openid.net/mailman/listinfo/specs
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Making identities persistent?

2006-10-31 Thread George Fletcher





This is a good use case and I
think important for both users and IdPs (now OPs [OpenID Provider] per
the latest "editor's conference") to consider.

I see a number of options...

1. There has been some discussion regarding a "change identifier"
extension that would allow you to change your identifier at the relying
party.  This would solve the use case and is necessary regardless of
the other options.

2. The OP (in this case AOL.com) could continue to provide an
"identifier management" page that would allow the user to specify the
OP of choice.  This requires the OP to continue to serve the XRDS doc
or at least the indirection to a XRDS doc with the new OP.  This is not
that much extra overhead for the OP, but it will likely be a business
decision as to whether to support such a feature.

3. The user gets to choose their OP so they can ensure that they don't
get "locked in".  This is the ideal behind user-centric.  However, in
practice, it will take good education and time for users to understand
the ramifications of their decisions.

Thanks,
George

Stefan Görling wrote:

  Hi everybody,

I'm trying to get a grip around your great work and have one issue that 
I'm not quite clear on, relevant to the discussion of using 
[EMAIL PROTECTED] identifiers, but also in a more general context. 
Please let me know if I've simply missunderstood my own question.

http://openid.net/specs/openid-authentication-2_0-09.html#anchor48 says:
"OpenID is decentralized. No central authority must approve or register 
Relying Parties or Identity Providers. An End User can freely choose 
which Identity Provider to use. They can preserve their Identifier if 
they switch Identity Providers."

Let us consider the case that I'm an AOL.com customer, and they act as 
an IdP providing we with an identifier. I use this identifier for 3 
years for identity management on most of the services I use, due to the 
huge success of the standard... However, I'm starting to get fed up with 
AOL and terminates my agreement with them. Is there any procedure for me 
to switch to another IdP? How is this done?

Best Regards,

Stefan Görling



___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

  



___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Making identities persistent?

2006-10-31 Thread Stefan Görling

Hi everybody,

I'm trying to get a grip around your great work and have one issue that 
I'm not quite clear on, relevant to the discussion of using 
[EMAIL PROTECTED] identifiers, but also in a more general context. 
Please let me know if I've simply missunderstood my own question.

http://openid.net/specs/openid-authentication-2_0-09.html#anchor48 says:
"OpenID is decentralized. No central authority must approve or register 
Relying Parties or Identity Providers. An End User can freely choose 
which Identity Provider to use. They can preserve their Identifier if 
they switch Identity Providers."

Let us consider the case that I'm an AOL.com customer, and they act as 
an IdP providing we with an identifier. I use this identifier for 3 
years for identity management on most of the services I use, due to the 
huge success of the standard... However, I'm starting to get fed up with 
AOL and terminates my agreement with them. Is there any procedure for me 
to switch to another IdP? How is this done?

Best Regards,

Stefan Görling



___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Making identities persistent?

RE: Making identities persistent?

RE: Making identities persistent?

Re: Making identities persistent?

RE: Making identities persistent?

Re: Making identities persistent?

Re: Making identities persistent?

RE: Making identities persistent?

Re: Making identities persistent?

RE: Making identities persistent?

RE: Making identities persistent?

Re: Making identities persistent?

Re: Making identities persistent?

Making identities persistent?

14 matches

Site Navigation

Mail list logo

Footer information