OpenID, YADIS and Directed Identity

Drummond Reed drummond.reed at cordance.net
Mon Feb 13 06:17:06 UTC 2006


Michael,

We in XRI-land got the same feedback about the need for unidirectional
identifiers for single sign-on last fall. And we came up with the same
solution -- see my blog post at:

	http://www.equalsdrummond.name/index.php?p=56

I think it applies to XRIs, URLs, or any other identifier technology. One
caveat I'll point out, though: this technique only works if there are a
sufficiently large enough set of identifiers issued by the identity service
provider (in your example, idsrus.com). Otherwise you can be correlated at
that level.

=Drummond (http://xri.net/=drummond.reed)

-----Original Message-----
From: yadis-bounces at lists.danga.com [mailto:yadis-bounces at lists.danga.com]
On Behalf Of Michael Graves
Sent: Sunday, February 12, 2006 12:40 PM
To: yadis at lists.danga.com
Subject: Re: OpenID, YADIS and Directed Identity

Johannes Ernst <jernst+lists.danga.com <at> netmesh.us> writes:

> 
> > ... in my
> > scenario, you wouldn't enter "mart.whatever.com" at the initial  
> > login, screen.
> > Instead you would only enter "whatever.com". At this point, then,  
> > the replying
> > part only knows you are somehow attached to "whatever.com".  You  
> > are then
> > redirected (302) to whatever.com's login page.  Unlike the current  
> > scenario,
> > the identity server (whatever.com) has at this point no idea who  
> > you are, so
> > instead of asking just for your password and presenting the "user"  
> > field
> > already filled out, you would need to specify your user name at  
> > whatever.com's
> > login screen as well.
> 
> Not necessarily. The identity server can have a cookie, shared only  
> with itself, that identifies who you are. So the sequence would be
> 
> GET relying-party -> HTML form
> POST relying party identity=whatever.com -> Redirect to whatever.com
> GET whatever.com cookie=myid -> Redirect to whatever.com/myid
> GET whatever.com/myid -> Redirect to relying party with signed URL  
> (if active session, otherwise ask for password first)
> 
> P.S. No hunting party  as long as everybody understands that this  
> is about something other than YADIS 1.0.
> 
> Johannes Ernst
> NetMesh Inc.
> 
> 
> 
> 
>   http://netmesh.info/jernst
> 
> 

Hi Johannes!

You're right, of course. My point was to emphasize the fact that the
identity 
server has no idea who you are *from* the relying party, which means that 
subsequent provisioning of a generated ID won't provide a basis for 
correlation. 

If you are currently logged in to your identity server, your cookies can 
trigger "auto-fill" for your user name, when you are redirected 
to "whatever.com". That's a good point!  So, ergonomically, you haven't
given 
up anything important to the relying party yet, but when you arrive at 
whatever.com's site, it may know who you are through its own devices and
thus 
you haven't really lost any momentum in the process.

That's cool. I don't know what the real need/demand is for this
functionality, 
but I do know that I've had to defend/address YADIS/OpenID not having it 
several times in the past few weeks. Again this is really an OpenID issue,
not 
a YADIS one, and one we can take up later. This is an interesting "upgrade"
to 
consider, though.

-Mike








More information about the yadis mailing list