Simplifying OpenId

Dick Hardt dick at sxip.com
Mon Jan 9 21:40:28 UTC 2006 

On 9-Jan-06, at 12:04 PM, S. Alexander Jacobson wrote:

>> if (3), then why not just document <link rel= ...> tags and each  
>> protocol can work on solving all the issues in their own way?
>
> On reflection, I don't get the use of <link rel...> tags and  
> homepage URLs.

It is for protocol discovery, not user identity. I think everyone on  
this list is aligned that URLs are a good way to identify a user that  
does not disclose more info than you would want disclosed.

> Email addresses already the de-facto Internet standard for user  
> identity.  We should be enhancing use of this namespace rather than  
> creating new ones.  Here is the obvious protocol for authenticating  
> email addresses:

A view I have is that URIs are identities. So mailto:dick at sxip.com is  
an identity.

>
>   1. User supplies email address to consumer site.
>
>   2. Consumer site looks up UserId DNS record for email address  
> domain name.
>      (Note: I don't think UserId records need to have priorities  
> like MX
>       records)
>
>   3. If UserId record is absent/broken, send email with a  
> validation URL.
>      If UserID DNS record is present, consumer site posts to  
> UserID_URL:
>
>      POST UserID_URL
>      content-type: application/x-www-form-urlencoded
>
>      email=user at domain&is_email=is_email_url
>
>      201 CREATED
>      Location: redirectURL
>
>   4. Consumer redirects user to redirectURL and grants authentication
>      if it receives a GET is_email_url
>
> Advocacy:
>
> * All internet users have email addresses. Users without email
>   addresses can safely be ignored.

not necessarily true.

Few people have lots of email addresses. 1:1 relying party <-> user  
identity mapping is key to conform with Kim's laws of identity  
(unidirectional) Something that is hard to do with OpenID or LID --  
and really hard to do with email as proposed below

>
> * Email addresses designed to be easy to type (much less
>   punctuation!).  URLs are really verbose for manually entered data.
>   (If you don't require http:// or https:// in URLs then you open up
>    substantial ambiguity!)
>
> * Email addresses imply both identity and authentication.  Homepages
>   imply nothing.  Expecting most users to understand the difference
>   between homepages with appropriate link tags and homepages that
>   don't seems lik a tall order.

The ability to edit a homepage implies ownership and control.

>
> * Most users do NOT currently have homepages.  Users without homepages
>   need to be supported.  Absent URI or email addresses, there is no
>   global namespace.  Per site identity namespace fragmentation limits
>   interoperability.

The Homesite managing a users identity can easily generate a page for  
them.

>
> * DNS is designed for exactly this sort of directory lookup.  Multiple
>   link tags in ill-formed HTML create interesting opportunities for
>   ambiguity.  Moreover, requiring that homepages be HTML is just poor
>   design.  We should not prohibit flash homepages or pages with
>   some other XML content-type styled by XSLT to generate HTML.

I think you are mixing protocol discovery up with identity.

Also, most of us are thinking more of blogs, then homepages ...

More information about the yadis mailing list