yadis Digest, Vol 13, Issue 14

Dick Hardt dick at sxip.com
Thu Jun 1 14:59:55 UTC 2006

Well, you pretty much have DIX now except that the Consumer can also  
ask for other profile data in (3) and could only ask for profile data  
in (3).

-- Dick

On 31-May-06, at 10:32 PM, Recordon, David wrote:

> Yes, but it is very easy to extend OpenID to allow this sort of  
> behavior
> as well.  Today the solution is having multiple URLs in order to  
> create
> multiple personas.
> Tomorrow the solution is the end user entering the URL of their IdP  
> and
> the check_* request returning their actual Identity URL.  It is  
> then up
> to the IdP's implementation in terms of how they surface multiple
> personas to their users.
> So if the PiP wants to support this, we'd put a Yadis document not  
> only
> for each username.pip.verisignlabs.com, but top-level
> pip.verisignlabs.com as well.
> 1) End user types pip.verisignlabs.com into the consumer
> 2) Consumer does Yadis discovery on pip.verisignlabs.com and finds the
> OpenID server
> 3) Consumer does checkid_setup request passing the identity as
> pip.verisignlabs.com
> 4) PiP allows the End User to choose the persona URL to return, maybe
> their real username or maybe a random string as the sub-domain
> 5) PiP returns the selected persona URL in the checkid_setup response
> 6) Consumer knows pip.verisignlabs.com was the IdP, and not actual
> identity, since the returned identity URL has changed
> If I wanted to prove I actually owned pip.verisignlabs.com, then steps
> 4-5 wouldn't exist, and step 6 would return the same identity URL that
> was sent in the request.
> --David
> -----Original Message-----
> From: yadis-bounces at lists.danga.com
> [mailto:yadis-bounces at lists.danga.com] On Behalf Of Dick Hardt
> Sent: Wednesday, May 31, 2006 9:25 PM
> To: Drummond Reed
> Cc: Chris Drake; yadis at lists.danga.com
> Subject: Re: yadis Digest, Vol 13, Issue 14
> Being able to manage many identifiers as well as provide 1:1  
> identifiers
> is why we think the user should be entering their identity service
> rather then their identity at the website.
> That is the primary difference between SXIP/DIX and OpenID.
> -- Dick
> On 25-May-06, at 10:33 AM, Drummond Reed wrote:
>> Josh is right -- this use case is popping up everywhere now. A few
>> weeks ago at the Internet Identity Workshop session on the SAML
>> version of ISSO (the i-name single sign-on protocol being  
>> specified at
>> XDI.org), "anonymous single sign-on" ended out being the main subject
>> of discussion.
>> The basic principle is the same whether the identifiers used are URLs
>> or
>> XRIs/i-names: if you want to login anonymously on a site, rather than
>> logging in with your own URL or XRI/i-name, you login with the URL or
>> XRI/i-name of an anonymizing authentication service offered by your
>> identity provider/i-broker.
>> That anonymizing identity service then generates a site-specific URL
>> or XRI that will identify you to that site. The end-user does not  
>> have
>> to remember or keep track of this site-specific URL or XRI because  
>> all
>> the end- user needs to remember is the URL or XRI/i-name of the
>> anonymizing authentication service.
>> I'm cc'ing Peter Davis at NeuStar who is authoring the SAML  
>> version of
>> the ISSO protocol (he should have it posted at XDI.org shortly --
>> we'll post a link when it is) as he's looking at adding this  
>> anonymous
>> single sign-on option explicitly to the spec (although it may not be
>> until v1.1).
>> =Drummond (http://xri.net/=drummond.reed)
>> -----Original Message-----
>> From: yadis-bounces at lists.danga.com [mailto:yadis-
>> bounces at lists.danga.com] On Behalf Of Josh Hoyt
>> Sent: Thursday, May 25, 2006 8:08 AM
>> To: Chris Drake
>> Cc: yadis at lists.danga.com
>> Subject: Re: yadis Digest, Vol 13, Issue 14
>> On 5/25/06, Chris Drake <christopher at pobox.com> wrote:
>>> How is my privacy being protected if I have to give my ID to a
>>> relying party?  For example - I don't want the folks at
>>> "shame-your-boss.com"
>>> to know my ID in case they later see me at work in my sourceforge
>>> account - or do I have to create a collection of new Yadis IDs, one
>>> for each new web site I go to ?   Am I missing something here?
>> Use different identifiers in places where you do not want to be
>> identified as the same person. Identity providers can (and will) make
>> this easy, without requiring you to have more than one account.
>> It is possible for your IdP to issue one identifier per site that you
>> visit to get the convenience of single-sign-on without giving up any
>> privacy. A case that I expect to be even more common is to use
>> different identifiers in different communities, such as work and
>> family.
>> I hope that helps.
>> Josh

More information about the yadis mailing list