yadis Digest, Vol 13, Issue 14
drummond.reed at cordance.net
Thu Jun 1 06:12:21 UTC 2006
This is the same solution that the folks working on the SAML ISSO spec at
XDI.org came up with. The principle is the same whether it's SAML or OpenID;
it's the same idea as cloaking your real email by using an email forwarding
It's not rocket science, but the devil is in the details.
From: Recordon, David [mailto:drecordon at verisign.com]
Sent: Wednesday, May 31, 2006 10:32 PM
To: Dick Hardt; Drummond Reed
Cc: Chris Drake; yadis at lists.danga.com
Subject: RE: yadis Digest, Vol 13, Issue 14
Yes, but it is very easy to extend OpenID to allow this sort of behavior
as well. Today the solution is having multiple URLs in order to create
Tomorrow the solution is the end user entering the URL of their IdP and
the check_* request returning their actual Identity URL. It is then up
to the IdP's implementation in terms of how they surface multiple
personas to their users.
So if the PiP wants to support this, we'd put a Yadis document not only
for each username.pip.verisignlabs.com, but top-level
pip.verisignlabs.com as well.
1) End user types pip.verisignlabs.com into the consumer
2) Consumer does Yadis discovery on pip.verisignlabs.com and finds the
3) Consumer does checkid_setup request passing the identity as
4) PiP allows the End User to choose the persona URL to return, maybe
their real username or maybe a random string as the sub-domain
5) PiP returns the selected persona URL in the checkid_setup response
6) Consumer knows pip.verisignlabs.com was the IdP, and not actual
identity, since the returned identity URL has changed
If I wanted to prove I actually owned pip.verisignlabs.com, then steps
4-5 wouldn't exist, and step 6 would return the same identity URL that
was sent in the request.
From: yadis-bounces at lists.danga.com
[mailto:yadis-bounces at lists.danga.com] On Behalf Of Dick Hardt
Sent: Wednesday, May 31, 2006 9:25 PM
To: Drummond Reed
Cc: Chris Drake; yadis at lists.danga.com
Subject: Re: yadis Digest, Vol 13, Issue 14
Being able to manage many identifiers as well as provide 1:1 identifiers
is why we think the user should be entering their identity service
rather than their identity at the website.
That is the primary difference between SXIP/DIX and OpenID.
On 25-May-06, at 10:33 AM, Drummond Reed wrote:
> Josh is right -- this use case is popping up everywhere now. A few
> weeks ago at the Internet Identity Workshop session on the SAML
> version of ISSO (the i-name single sign-on protocol being specified at
> XDI.org), "anonymous single sign-on" ended out being the main subject
> of discussion.
> The basic principle is the same whether the identifiers used are URLs
> or XRIs/i-names: if you want to login anonymously on a site, rather than
> logging in with your own URL or XRI/i-name, you login with the URL or
> XRI/i-name of an anonymizing authentication service offered by your
> identity provider/i-broker.
> That anonymizing identity service then generates a site-specific URL
> or XRI that will identify you to that site. The end-user does not have
> to remember or keep track of this site-specific URL or XRI because all
> the end-user needs to remember is the URL or XRI/i-name of the
> anonymizing authentication service.
> I'm cc'ing Peter Davis at NeuStar who is authoring the SAML version of
> the ISSO protocol (he should have it posted at XDI.org shortly --
> we'll post a link when it is) as he's looking at adding this anonymous
> single sign-on option explicitly to the spec (although it may not be
> until v1.1).
> =Drummond (http://xri.net/=drummond.reed)
> -----Original Message-----
> From: yadis-bounces at lists.danga.com [mailto:yadis-
> bounces at lists.danga.com] On Behalf Of Josh Hoyt
> Sent: Thursday, May 25, 2006 8:08 AM
> To: Chris Drake
> Cc: yadis at lists.danga.com
> Subject: Re: yadis Digest, Vol 13, Issue 14
> On 5/25/06, Chris Drake <christopher at pobox.com> wrote:
>> How is my privacy being protected if I have to give my ID to a
>> relying party? For example - I don't want the folks at
>> to know my ID in case they later see me at work in my sourceforge
>> account - or do I have to create a collection of new Yadis IDs, one
>> for each new web site I go to ? Am I missing something here?
> Use different identifiers in places where you do not want to be
> identified as the same person. Identity providers can (and will) make
> this easy, without requiring you to have more than one account.
> It is possible for your IdP to issue one identifier per site that you
> visit to get the convenience of single-sign-on without giving up any
> privacy. A case that I expect to be even more common is to use
> different identifiers in different communities, such as work and
> I hope that helps.
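As an added illustration of the flow David lays out in steps 1-6 above and of Josh's point that an IdP can issue one identifier per site, here is a small Python model of both sides of a directed OpenID 1.x login. It is example code written for this digest, not code from any of the posters or from the PiP; the IdP secret, the `forum.example`/`shop.example` relying parties and the `directed_login` helper are constructed for the example. The persona subdomain is derived as an HMAC over (username, site), so the same user gets the same URL on return visits to one site but unrelated URLs on different sites. The consumer side adds the check a relying party needs for step 6: a changed identity is only accepted when the request was for the IdP's top-level URL, and only when the returned URL lies under the host that discovery pointed at, so the IdP cannot assert a URL it is not authoritative for. Association and signing of the response are left out.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed values for the example: the thread names pip.verisignlabs.com
# as the IdP; the secret is invented here and must be kept private by the IdP.
IDP_HOST = "pip.verisignlabs.com"
IDP_URL = "http://pip.verisignlabs.com/"
IDP_SECRET = b"constructed-example-secret"


def pairwise_persona_url(username, realm, secret=IDP_SECRET):
    """IdP side (step 4): derive the site-specific persona URL.

    The subdomain is HMAC(secret, username || site): stable for the same
    user at the same site (so single sign-on keeps working), unlinkable
    across sites without the secret, and reveals nothing about the real
    username.
    """
    site = urlparse(realm).hostname or realm
    msg = username.encode() + b"\0" + site.encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]
    return "http://%s.%s/" % (tag, IDP_HOST)


def idp_checkid_setup(request, username, use_persona):
    """IdP side (steps 3-5): answer a checkid_setup request.

    When the request carried the top-level IdP URL as the identity, the
    IdP picks which identity URL to return: the user's real username URL
    or a site-specific persona URL.  Signing/association is omitted.
    """
    identity = request["openid.identity"]
    if identity == IDP_URL:
        if use_persona:
            identity = pairwise_persona_url(username, request["openid.trust_root"])
        else:
            identity = "http://%s.%s/" % (username, IDP_HOST)
    return {
        "openid.mode": "id_res",
        "openid.identity": identity,
        "openid.return_to": request["openid.return_to"],
    }


def consumer_accept(request, response, discovered_host):
    """Consumer side (step 6): decide which identity URL is now logged in.

    A changed identity is accepted only if the user originally entered the
    IdP URL, and only if the returned URL sits under the host that Yadis
    discovery pointed at.  Without the second check an IdP could assert
    an identity URL it is not authoritative for.
    """
    sent = request["openid.identity"]
    got = response["openid.identity"]
    if got == sent:
        return got  # ordinary case: the user proved ownership of the URL typed
    if sent != IDP_URL:
        raise ValueError("identity changed but request was not for the IdP URL")
    host = urlparse(got).hostname or ""
    if host != discovered_host and not host.endswith("." + discovered_host):
        raise ValueError("returned identity %s is not under %s" % (got, discovered_host))
    return got


def directed_login(username, realm, use_persona=True):
    """Run steps 1-6 for a user who typed the IdP URL at the consumer.

    Discovery (step 2) is modelled by passing IDP_HOST straight to the
    consumer as the host discovery resolved to.
    """
    request = {
        "openid.mode": "checkid_setup",
        "openid.identity": IDP_URL,  # steps 1-3: the IdP URL, not the user's own
        "openid.trust_root": realm,
        "openid.return_to": realm + "openid/return",
    }
    response = idp_checkid_setup(request, username, use_persona)
    return consumer_accept(request, response, IDP_HOST)


if __name__ == "__main__":
    forum = directed_login("alice", "http://forum.example/")
    shop = directed_login("alice", "http://shop.example/")
    print(forum)
    print(shop)
    print("unlinkable across sites:", forum != shop)
    print("real identity:", directed_login("alice", "http://forum.example/", use_persona=False))
```

Running it prints two different `*.pip.verisignlabs.com` persona URLs for the same user at two sites, and the plain `alice.pip.verisignlabs.com` URL when the user opts out of a persona. A relying party that wanted a stronger guarantee than the host-suffix check would re-run discovery on the returned identity URL and confirm it delegates to the same IdP endpoint.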