On 12-Oct-06, at 10:29 AM, Josh Hoyt wrote:

> Both portable and IdP-specific identifiers
> ------------------------------------------
> Include both the portable identifier and the IdP-specific identifier
> in the request and response ([4]_ and
> [5]_)::
>   openid.identity = http://my.idp.specific.url/
>   openid.portable = http://my.portable.url/
> The relying party is still responsible for checking to make sure that
> the IdP-specific identifier that is returned matches what is
> discovered from the portable identifier, but since it is included in
> the authentication response, it is not necessary for the relying party
> to maintain this state, and an authentication response is meaningful
> without the context of the request.
> The messages in this proposal are very explicit about what is going
> on. The only way in which this differs from OpenID 1 is that the
> portable identifier is also included in the response. The meaning of
> the "openid.identity" parameter is identical to its meaning in the
> OpenID 1 protocol (the IdP-specific identifier).

Not sure why both identifiers are needed? The RP cares only about the portable one, right?

Is backwards compatibility the only reason?

> Portable identifier only
> ------------------------

This option makes sense to me.

The protocol does not need to touch on IdP-specific identifiers (aka delegated identifiers) at all IMO. This is really an IdP implementation detail. The only important point seems to be the fact that identifiers are portable and IdPs should allow users to move them around.


specs mailing list
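The relying-party check that Josh's quoted proposal puts on the RP (the returned IdP-specific identifier must match what discovery on the portable identifier yields), written out as an added example. This is not code from the thread, from Josh's proposal text, or from any OpenID library. It assumes OpenID 1 style HTML discovery via openid.server / openid.delegate link tags, takes a hypothetical `fetch` callback in place of a real HTTP client, and additionally assumes the RP records which IdP endpoint the response arrived from so it can compare that against the discovered openid.server (that endpoint comparison is an assumption going beyond the quoted text; without it a rogue IdP could echo a victim's delegate value). All sample pages and responses are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


class LinkTagParser(HTMLParser):
    """Collects <link rel="..." href="..."> tags; OpenID 1 HTML discovery reads these."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attrs = dict(attrs)
        rel, href = attrs.get("rel"), attrs.get("href")
        if rel and href:
            for r in rel.split():
                # first occurrence wins, so a later injected tag cannot override it
                self.links.setdefault(r.lower(), href.strip())


def normalize(url):
    """Minimal normalization so comparisons are not fooled by case or a missing '/' path."""
    parts = urlsplit(url.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def discover(portable_id, fetch):
    """Return (idp_endpoint, idp_specific_identifier) discovered from the portable URL.

    Without an openid.delegate tag the IdP-specific identifier is the portable one.
    `fetch(url)` is an assumed callback returning the page body as a string.
    """
    parser = LinkTagParser()
    parser.feed(fetch(portable_id))
    server = parser.links.get("openid.server")
    if not server:
        raise ValueError("no openid.server link found at %s" % portable_id)
    delegate = parser.links.get("openid.delegate", portable_id)
    return normalize(server), normalize(delegate)


def verify_response(response, received_from, fetch):
    """RP-side check: openid.identity must equal what discovery on openid.portable yields.

    `received_from` is the IdP endpoint the RP actually got the response from (assumed
    to be tracked by the RP); it must be the openid.server discovery names.
    Returns (ok, reason).
    """
    portable = response.get("openid.portable")
    identity = response.get("openid.identity")
    if not portable or not identity:
        return False, "response lacks openid.portable or openid.identity"
    try:
        expected_endpoint, expected_identity = discover(portable, fetch)
    except ValueError as exc:
        return False, "discovery failed: %s" % exc
    if normalize(identity) != expected_identity:
        return False, ("openid.identity %r does not match discovered IdP-specific identifier %r"
                       % (identity, expected_identity))
    if normalize(received_from) != expected_endpoint:
        return False, ("response came from %r, but discovery names %r"
                       % (received_from, expected_endpoint))
    return True, "ok"


# Constructed sample data (not real hosts): the portable URL's page delegates to
# the IdP-specific URL from the quoted proposal and names the IdP endpoint.
SAMPLE_PAGES = {
    "http://my.portable.url/": (
        '<html><head>\n'
        '<link rel="openid.server" href="http://my.idp.example/openid">\n'
        '<link rel="openid.delegate" href="http://my.idp.specific.url/">\n'
        '</head><body>alice</body></html>'
    ),
}


def fetch_sample(url):
    """Stand-in for an HTTP client; serves only the constructed pages above."""
    try:
        return SAMPLE_PAGES[normalize(url)]
    except KeyError:
        raise ValueError("cannot fetch %s" % url)


GOOD_RESPONSE = {"openid.identity": "http://my.idp.specific.url/",
                 "openid.portable": "http://my.portable.url/"}
# A rogue IdP asserting someone else's portable identifier with its own local id.
FORGED_RESPONSE = {"openid.identity": "http://attacker.example/alice",
                   "openid.portable": "http://my.portable.url/"}

if __name__ == "__main__":
    print(verify_response(GOOD_RESPONSE, "http://my.idp.example/openid", fetch_sample))
    print(verify_response(FORGED_RESPONSE, "http://attacker.example/openid", fetch_sample))
```

Because both identifiers travel in the response, `verify_response` needs nothing from the original request: the RP re-runs discovery on openid.portable at verification time and compares, which is exactly the "no stored state" property the proposal is after.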