On 13-Oct-06, at 12:59 PM, Drummond Reed wrote:

> Yesterday we established consensus that with OpenID, identifier portability
> is sacred.
>
> Today I'd like to establish consensus on the following "postulate":
>
> "To achieve identifier portability in OpenID, it MUST be possible for the RP
> and the IdP to identify the user using two different identifiers: an
> identifier by which the RP knows the user (the portable identifier), and an
> identifier by which the IdP knows the user (the IdP-specific identifier)."
>
> I would submit that if this postulate is true, then OpenID Authentication
> 2.0 requires two identifier parameters because if the protocol only allows
> sending one, then:
>
> 1) If the RP sends the IdP-specific identifier, the RP must keep state to
> maintain mapping to the portable identifier (bad), and

I agree with that.

> 2) If the RP sends the portable identifier, an IdP is forced to do a
> resolution a second time after the RP has already done resolution (bad).

No, the IdP is not forced to do a resolution. The IdP already knows  

> OTOH, if the postulate is false, then a case can be made for OpenID
> Authentication 2.0 having just one identifier parameter.
>
> CASE 1: the protocol supports only IdP-specific identifiers and no portable
> identifiers.
> RESULT: IdPs can achieve identifier lock-in. Not acceptable. End of Case 1.


> CASE 2: the protocol supports only portable identifiers and no IdP-specific
> identifiers.
> RESULT: IdP is forced to know and store all portable identifiers for a user,
> including identifiers for which the IdP is not authoritative, and users

Why would the IdP need to know identifiers over which it is not  

> would be forced to register all their portable identifiers with their IdP,
> and to update these registrations every time the user adds or deletes a
> portable identifier. Highly undesirable if not impossible.

I don't see this as undesirable but as necessary. If I have a portable
identifier and I configure it to point to some IdP for authentication, it
only makes sense for the IdP to know about the identifier as well.


specs mailing list
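Worked illustration of the two-identifier flow the thread is arguing about, added here as an example; it is not code from either poster or from the OpenID specification. It assumes the OpenID 1.1 HTML discovery convention (a `<link rel="openid.server">` pointing at the IdP endpoint and a `<link rel="openid.delegate">` naming the IdP-specific identifier), which is how a portable identifier was pointed at an IdP at the time of this thread. The hostnames, the sample HTML, and the RP-side parameter name `openid.claimed_id` are constructed for the example. The point it shows: once the RP has resolved the portable identifier, it can send both identifiers, and on the way back it can re-resolve the portable identifier and check the binding without keeping a mapping table, which is case 1) above; and the IdP sees its own identifier in `openid.identity` without resolving anything, which is case 2).

```python
"""Two-identifier OpenID request/response check (added example, not spec code).

Assumptions (constructed for this example): OpenID 1.1 link-rel discovery,
the hostnames below, and the parameter name `openid.claimed_id` for the
portable identifier the RP knows the user by.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode, parse_qs

# Constructed sample: the HTML served at the user's portable identifier,
# delegating authentication to an IdP under an IdP-specific identifier.
PORTABLE_ID = "https://alice.example.org/"
PORTABLE_ID_HTML = """<html><head>
<link rel="openid.server" href="https://idp.example.net/openid/auth">
<link rel="openid.delegate" href="https://idp.example.net/users/alice42">
</head><body>Alice</body></html>"""

# Constructed sample with no delegate: the portable identifier is also the
# identifier the IdP knows the user by.
NO_DELEGATE_HTML = """<html><head>
<link rel="openid.server" href="https://idp.example.net/openid/auth">
</head><body>Bob</body></html>"""


class _LinkRelParser(HTMLParser):
    """Collect href for each rel token found on <link> elements."""

    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.split():
                self.rels.setdefault(token, href)


def discover(html):
    """RP-side resolution of a portable identifier's page.

    Returns (IdP endpoint, IdP-specific identifier or None). None means the
    portable identifier is itself the identifier the IdP knows the user by.
    """
    p = _LinkRelParser()
    p.feed(html)
    server = p.rels.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link: identifier does not point at an IdP")
    return server, p.rels.get("openid.delegate")


def build_checkid_request(claimed_id, html, return_to):
    """Build the redirect URL the RP sends the user to at the IdP.

    openid.identity carries the IdP-specific identifier (what the IdP knows
    the user by); openid.claimed_id (assumed name) carries the portable
    identifier the RP knows the user by. With both present the RP keeps no
    mapping table and the IdP does no resolution.
    """
    server, delegate = discover(html)
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": delegate or claimed_id,
        "openid.claimed_id": claimed_id,
        "openid.return_to": return_to,
    }
    return server + "?" + urlencode(params)


def verify_response_binding(response_query, claimed_id, html):
    """Stateless RP check after the IdP redirects back.

    `html` stands in for re-fetching the portable identifier's page. The RP
    re-runs discovery on the portable identifier the IdP echoed and confirms
    it still delegates to the openid.identity the IdP asserted. An IdP that
    asserts some other local identifier, or a response for a different
    portable identifier, fails the check.
    """
    q = {k: v[0] for k, v in parse_qs(response_query).items()}
    if q.get("openid.mode") != "id_res":
        return False
    if q.get("openid.claimed_id") != claimed_id:
        return False
    _, delegate = discover(html)
    return q.get("openid.identity") == (delegate or claimed_id)
```

The example deliberately omits the signature/association check an RP also performs on `id_res`; it isolates the identifier binding, which is the only part the postulate is about.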