OpenID, YADIS and Directed Identity

Michael Graves mgraves at verisign.com
Sun Feb 12 20:40:17 UTC 2006 

Johannes Ernst <jernst+lists.danga.com <at> netmesh.us> writes:

> 
> > ... in my
> > scenario, you wouldn't enter "mart.whatever.com" at the initial  
> > login, screen.
> > Instead you would only enter "whatever.com". At this point, then,  
> > the replying
> > part only knows you are somehow attached to "whatever.com".  You  
> > are then
> > redirected (302) to whatever.com's login page.  Unlike the current  
> > scenario,
> > the identity server (whatever.com) has at this point no idea who  
> > you are, so
> > instead of asking just for your password and presenting the "user"  
> > field
> > already filled out, you would need to specify your user name at  
> > whatever.com's
> > login screen as well.
> 
> Not necessarily. The identity server can have a cookie, shared only  
> with itself, that identifies who you are. So the sequence would be
> 
> GET relying-party -> HTML form
> POST relying party identity=whatever.com -> Redirect to whatever.com
> GET whatever.com cookie=myid -> Redirect to whatever.com/myid
> GET whatever.com/myid -> Redirect to relying party with signed URL  
> (if active session, otherwise ask for password first)
> 
> P.S. No hunting party  as long as everybody understands that this  
> is about something other than YADIS 1.0.
> 
> Johannes Ernst
> NetMesh Inc.
> 
> 
> 
> 
>   http://netmesh.info/jernst
> 
> 

Hi Johannes!

You're right, of course. My point was to emphasize the fact that the identity 
server has no idea who you are *from* the relying party, which means that 
subsequent provisioning of a generated ID won't provide a basis for 
correlation. 

If you are currently logged in to your identity server, your cookies can 
trigger "auto-fill" for your user name, when you are redirected 
to "whatever.com". That's a good point!  So, ergonomically, you haven't given 
up anything important to the relying party yet, but when you arrive at 
whatever.com's site, it may know who you are through its own devices and thus 
you haven't really lost any momentum in the process.

That's cool. I don't know what the real need/demand is for this functionality, 
but I do know that I've had to defend/address YADIS/OpenID not having it 
several times in the past few weeks. Again this is really an OpenID issue, not 
a YADIS one, and one we can take up later. This is an interesting "upgrade" to 
consider, though.

-Mike

More information about the yadis mailing list