Ok. Now I see the heart of the topic :-)

Fundamental difference is that you postulate that one cannot lose one's 
credential including all the information that bears onto establish one's 
identity while I do not postulate so. 

For example, one can loose one's password and reset it. 
You can loose your credit card and replace it. 
Doing so has not nullished your "identity". You still are yourself. 
Your identity itself and the attribute associated with it apart from this 
particular lost credential data (whether it was a password or credit card) 
stays intact. 

This picture changes dramatically when you use public key 
as your main identity address. If you lose your private key, 
that's the end of story. Your relationships with all the RPs are ruined. 

That is why I believe that we should not be using this kind of public key 
as the identification data for RPs. 

Also, mandating OPs to specify a unique opaque string as the 
identification data would be much simpler than requiring parties to 
do public key verification, I think :-)

Having said that, I do agree that we should be completing 2.0 cycle 
quickly and making it SIMPLE!


> -----Original Message-----
> From: Johannes Ernst [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, June 05, 2007 1:45 PM
> To: =nat
> Cc: 'OpenID specs list'
> Subject: Re: Specifying identifier recycling
> I would postulate that if you want to be able to prove your 
> identity, you cannot allow your credential to be lost, 
> interpreting "credential" to be all the information that 
> bears onto establishing your identity. (saying it this way, 
> it is a tautology.)
> This is independent of whether anybody uses public keys, or 
> any other technology. So I very strongly suspect that while 
> it may be more apparent to you guys that the issue exists for 
> public key technology, it also exists for all other 
> approaches, whether we know them at this time or not!
> However, I can readily see that strong voices (that'd be you 
> guys ;-)) are not ready to adopt any kind of public key 
> technology into the OpenID family, never mind whether X or Y 
> wins this particular argument. So we don't need to continue 
> this thread.
> I continue to believe, however, as I have said before, that 
> we don't have enough of an agreement on the solution to be 
> able to standardize any of them at this time. (Personally, I 
> don't think we have agreement on the problems to be solved 
> either.) I'd much rather see our creative juices flowing on 
> the much larger problem of simplifying the OpenID Auth draft 
> in a manner that people say "this is much easier than 1.1" 
> instead of the opposite.
> On Jun 3, 2007, at 23:11, =nat wrote:
> > Dick's concern is very valid, I think.
> >
> > I do not even want to think of the consequence of losing my 
> own main 
> > identity secret :-p
> >
> > =nat
> >
> >> -----Original Message-----
> >> [mailto:[EMAIL PROTECTED] On Behalf Of Dick Hardt
> >> Sent: Sunday, June 03, 2007 8:24 PM
> >> To: Johannes Ernst
> >> Cc: OpenID specs list
> >> Subject: Re: Specifying identifier recycling
> >>
> >> There is a huge difference between the OP/RP shared secret 
> and using 
> >> a shared secret as an identifier.
> >>
> >> The secret between the OP and RP has a mechanism for it to be 
> >> recycled. If it happens to be lost, then the pair can set up a new 
> >> secret.
> >>
> >> If the user's secret is lost, then that identifier and any 
> accounts 
> >> that it was used for are lost.
> >>
> >> -- Dick
> >>
> >
> > _______________________________________________
> > specs mailing list
> > specs@openid.net
> > http://openid.net/mailman/listinfo/specs

specs mailing list

Reply via email to