OpenID, YADIS and Directed Identity

Michael Graves mgraves at verisign.com
Sun Feb 12 19:48:53 UTC 2006


Martin Atkins <mart <at> degeneration.co.uk> writes:

> 
> Michael Graves wrote:
> > 
> > What would be needed to support this? The only change that I can think of
> > would be that the relying party would not require the "input" login URL to be
> > the same as the "output" login URL. If I can start by entering "idsrus.com",
> > then choose one of a number of personae that I control, including a one-time
> > persona that I made up on the fly just for this login, as long as the OpenID
> > (or insert your favorite protocol here) consumer evaluates the *output* URL I
> > think it all works out. As it is, OpenID is expecting (cryptographically) a
> > match on the input URL.
> > 
> 
> So I enter my identity URL as mart.whatever.com and my identity server
> tells the relying party "The remote user is 8769387639.whatever.com".
> What have I gained here? They know I originally entered
> mart.whatever.com, so they can tell that the two correlate.
> 
> I'm obviously missing something.
> 
> 

Martin,

Josh answered this in his reply, and I sort of did in my reply to him (mixed in 
with running on about a bunch of other things), but just so we're clear, in my 
scenario, you wouldn't enter "mart.whatever.com" at the initial login screen. 
Instead you would only enter "whatever.com". At this point, then, the relying 
party only knows you are somehow attached to "whatever.com". You are then 
redirected (302) to whatever.com's login page. Unlike the current scenario, 
the identity server (whatever.com) has at this point no idea who you are, so 
instead of asking just for your password and presenting the "user" field 
already filled out, you would need to specify your user name at whatever.com's 
login screen as well.

Once you've established who you are to whatever.com, the identity server can do 
whatever you want, given your preferences. If so instructed, whatever.com can 
create a new (nearly) random user ID for you to use as a (directed identity) 
alias, or if you want it could choose any of your available existing personae - 
your blog URL, or some other.

In the case of directed identity, then, you enter "whatever.com", get directed 
there, login as "mart", indicate you want a new "on the fly" alias created for 
this trust relationship, and submit the form. The whatever.com server returns 
to the calling relying party with your ID specified 
as "S83SJ5049.whatever.com" - an ID that was created specifically and only for 
your relationship with this relying party.

Hope that makes the difference clear. It's just a small twist from the way 
OpenID works right now, but it would be a useful facility to have available, I 
think.

-Mike
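The flow Mike describes, as an added example that is not part of the original thread or of any OpenID implementation: a toy identity server for the hypothetical "whatever.com" that, after a username/password login, either returns an existing persona or mints a per-relying-party alias, and a relying party that checks the signed response and accepts any identity under the domain the user entered rather than requiring a match on the input URL. The alias here is derived with an HMAC over (user, relying party) instead of being stored at random, which is an assumption of this example; it keeps the alias stable for one relying party while making aliases for different relying parties uncorrelatable.

```python
import hashlib
import hmac
import secrets


class IdentityServer:
    """Toy identity server for the hypothetical domain 'whatever.com'."""

    def __init__(self, domain):
        self.domain = domain
        # Constructed sample user; personae are existing URLs the user may present.
        self.users = {"mart": {"password": "correct-horse", "personae": ["blog.whatever.com"]}}
        self.alias_key = secrets.token_bytes(32)  # server-side secret for alias derivation
        self.assoc_secrets = {}                   # shared secret per relying party

    def associate(self, rp_realm):
        """Establish a shared secret with a relying party (association step)."""
        self.assoc_secrets[rp_realm] = secrets.token_bytes(32)
        return self.assoc_secrets[rp_realm]

    def login(self, rp_realm, username, password, mode, persona=None):
        """Return a signed {identity, sig} response, or None on failure."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        if mode == "directed":
            # Alias depends on (user, RP): stable for this RP, different for every other RP.
            msg = f"{username}|{rp_realm}".encode()
            tag = hmac.new(self.alias_key, msg, hashlib.sha256).hexdigest()[:12]
            identity = f"{tag}.{self.domain}"
        elif mode == "persona" and persona in user["personae"]:
            identity = persona
        else:
            return None
        sig = hmac.new(self.assoc_secrets[rp_realm], identity.encode(), hashlib.sha256).hexdigest()
        return {"identity": identity, "sig": sig}


class RelyingParty:
    def __init__(self, entered_host, assoc_secret):
        self.entered_host = entered_host  # what the user typed, e.g. "whatever.com"
        self.assoc_secret = assoc_secret

    def verify(self, response):
        """Accept the output identity if it is signed and lives under the entered domain."""
        expected = hmac.new(self.assoc_secret, response["identity"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["sig"]):
            return None
        ident = response["identity"]
        if ident != self.entered_host and not ident.endswith("." + self.entered_host):
            return None  # identity server answered for a domain the user never entered
        return ident
```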
