RE: XRI confusion

2006-10-19 Thread Drummond Reed
Dick, you are right that there are usability challenges with i-numbers and
XDI.org and the i-broker community is working to address them. Although
persistent identifiers are used everywhere in local systems (directories,
databases, object stores, etc.), and the concept has been around at the
Internet level since the late '90s in the form of URNs
(http://en.wikipedia.org/wiki/Uniform_Resource_Name), the need to integrate
them into a digital identity layer is only just emerging.

As with each new Internet layer, there's some stuff that just has to get
figured out ;-)

=Drummond 

-Original Message-
From: Dick Hardt [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 19, 2006 9:26 AM
To: Drummond Reed
Cc: 'Recordon, David'; 'Martin Atkins'; specs@openid.net
Subject: Re: XRI confusion

That provides clarity on the process, thanks. If the user knows that
their i-name has been changed, then when you write here:

http://www.lifewiki.net/openid/ConsolidatedDelegationProposal

Summary of Motivations:
...
4. Enable RPs to take advantage of XRI CanonicalIDs to protect End-Users
from ever having their Portable Identifier reassigned (and thus
their identity taken over).

... this is just in case they don't get alerted to their i-name being
changed?

btw: I have no idea what my i-numbers are, and it was not clear to me  
that I had them when I got them. I think there are some real  
usability issues here, but this is likely not the place to address  
those. :-)

-- Dick

On 19-Oct-06, at 8:12 AM, Drummond Reed wrote:

> Exactly. An i-name being reassigned is very similar to a domain name
> being reassigned -- the previous owner is going to know they no longer
> own it.
>
> For example, if you register blame.ca, you're going to receive multiple
> notices from your DNS registrar that you need to renew it, and if you
> don't, you know it is almost certain to be reassigned. The same is true
> for i-name registrants.
>
> With regard to i-numbers, every registrant is notified of their
> i-number, and their i-broker retains a record of the i-number. Because
> an i-number is NEVER reassigned, if a registrant chooses not to renew an
> i-name, they ALWAYS have their i-number.
>
> Note that since the i-name and i-number are directly synonymous, i.e.,
> the i-number resolves the same XRDS as the i-name, if a registrant knows
> their i-number, they can always use it to login at any OpenID RP at
> which they had previously used any i-name synonym for that i-number.
>
> =Drummond
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of Recordon, David
> Sent: Thursday, October 19, 2006 4:09 AM
> To: Dick Hardt; Martin Atkins
> Cc: specs@openid.net
> Subject: RE: XRI confusion
>
> How would Alice buy =foo when Bob already owns it?
>
> --David
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Dick Hardt
> Sent: Thursday, October 19, 2006 3:58 AM
> To: Martin Atkins
> Cc: specs@openid.net
> Subject: Re: XRI confusion
>
>
> On 19-Oct-06, at 12:44 AM, Martin Atkins wrote:
>
>> Dick Hardt wrote:
>>>
>>> How would a user ever learn what their CanonicalID is?
>>
>> The user doesn't need to know his i-number. The system discovers that
>> for him.
>>
>>> If their Portable Identifier (i-name) is reassigned, then they will
>>> be sent to an IdP for the new Canonical ID is, expecting credentials
>>> from the new owner. The user will never make it back to the RP, and
>>> they will have no easy way of proving they are the owner of the
>>> CanonicalID.
>>
>> I don't really understand this paragraph, but when the i-name is
>> reassigned it'll cease to point at the same XRDS and will thus not
>> point at the IdP anymore - unless the new owner also has an account
>> with that IdP, of course. But they have a different i-number, so the
>> IdP can distinguish them.
>
> Bob has the i-name =foo. Alice has =foo reassigned to her. Bob does not
> know this. Bob goes to an RP, enters =foo and gets sent somewhere he
> cannot authenticate since =foo resolves somewhere else.
>
> Bob does not know what to do. =foo does not resolve to his i-number any
> more. How does he find out what it is so that he can get his i-name
> to point to it?
>
>>
>>> Additionally, in the proposal, the i-name is not sent from the RP to
>>> the IdP, so how does the IdP know which i-name to address the user
>>> as?
>>
>> I would hop

Re: XRI confusion

2006-10-19 Thread Martin Atkins
Dick Hardt wrote:
> 
> Bob has the i-name =foo. Alice has =foo reassigned to her. Bob does  
> not know this. Bob goes to an RP, enters =foo and gets sent somewhere  
> he cannot authenticate since =foo resolves somewhere else.
> 
> Bob does not know what to do. =foo does not resolve to his i-number
> any more. How does he find out what it is so that he can get his
> i-name to point to it?
> 

This is up to the registrar (i-broker, I think?). Presumably they'll let 
Bob know that he's let his registration lapse and that it can now be 
registered by someone else. Bob will be unable to reclaim the i-name 
unless Alice is willing to release it to him. Bob's i-broker presumably 
knows what Bob's i-number is and so if he does re-obtain it they will 
point it on his behalf.

This is just general administration stuff, out of scope of the 
protocols. It's not much different in principle to a hosting provider 
that sells you a domain name and a bundled website. You don't need to 
know the IP address of their web server because they set up that mapping 
for you. If you let your registration of the domain lapse, they'll 
presumably let you know.





___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
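
The Bob/Alice reassignment of =foo discussed in this thread, and motivation 4 of the proposal quoted in it, as an added example that is not part of any message or of the OpenID or XRI specifications. It compares a relying party that keys accounts on the i-name as typed with one that keys them on the CanonicalID (i-number); the class names, the account labels, the i-numbers, and the folding of the IdP's authentication step into the resolver are all assumptions made for illustration.

```python
class Resolver:
    """Hypothetical stand-in for XRI resolution plus the IdP's login check."""
    def __init__(self):
        self.iname_to_inumber = {}   # i-names can be reassigned
        self.controller = {}         # i-number -> person; never reassigned

    def assign(self, iname, inumber, person):
        self.controller.setdefault(inumber, person)
        self.iname_to_inumber[iname] = inumber

    def authenticate(self, identifier, person):
        """Return the CanonicalID if `person` controls it, else None."""
        if identifier in self.controller:        # an i-number names itself
            cid = identifier
        else:                                    # an i-name: current target
            cid = self.iname_to_inumber.get(identifier)
        if cid is not None and self.controller[cid] == person:
            return cid
        return None


class RelyingParty:
    def __init__(self, resolver, key_on_canonical_id):
        self.resolver = resolver
        self.key_on_canonical_id = key_on_canonical_id
        self.accounts = {}           # account key -> account label

    def login(self, identifier, person):
        cid = self.resolver.authenticate(identifier, person)
        if cid is None:
            return None              # user cannot authenticate
        key = cid if self.key_on_canonical_id else identifier
        # The first successful login under a key creates the account.
        return self.accounts.setdefault(key, f"acct-{len(self.accounts) + 1}")


def run_scenario(key_on_canonical_id):
    resolver = Resolver()
    rp = RelyingParty(resolver, key_on_canonical_id)
    resolver.assign("=foo", "=!1000.b0b", "bob")      # constructed i-number
    rp.login("=foo", "bob")                           # Bob's account: acct-1
    resolver.assign("=foo", "=!2000.a11ce", "alice")  # =foo is reassigned
    return {
        "alice_via_iname": rp.login("=foo", "alice"),
        "bob_via_iname": rp.login("=foo", "bob"),
        "bob_via_inumber": rp.login("=!1000.b0b", "bob"),
    }
```

With `key_on_canonical_id=False` Alice lands in Bob's acct-1 after the reassignment; with `True` she gets a fresh account and Bob still reaches acct-1 by entering his i-number, while his login with =foo fails in both cases.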


Re: XRI confusion

2006-10-19 Thread Dick Hardt
That provides clarity on the process, thanks. If the user knows that
their i-name has been changed, then when you write here:

http://www.lifewiki.net/openid/ConsolidatedDelegationProposal

Summary of Motivations:
...
4. Enable RPs to take advantage of XRI CanonicalIDs to protect End-Users
from ever having their Portable Identifier reassigned (and thus
their identity taken over).

... this is just in case they don't get alerted to their i-name being
changed?

btw: I have no idea what my i-numbers are, and it was not clear to me  
that I had them when I got them. I think there are some real  
usability issues here, but this is likely not the place to address  
those. :-)

-- Dick

On 19-Oct-06, at 8:12 AM, Drummond Reed wrote:

> Exactly. An i-name being reassigned is very similar to a domain name
> being reassigned -- the previous owner is going to know they no longer
> own it.
>
> For example, if you register blame.ca, you're going to receive multiple
> notices from your DNS registrar that you need to renew it, and if you
> don't, you know it is almost certain to be reassigned. The same is true
> for i-name registrants.
>
> With regard to i-numbers, every registrant is notified of their
> i-number, and their i-broker retains a record of the i-number. Because
> an i-number is NEVER reassigned, if a registrant chooses not to renew an
> i-name, they ALWAYS have their i-number.
>
> Note that since the i-name and i-number are directly synonymous, i.e.,
> the i-number resolves the same XRDS as the i-name, if a registrant knows
> their i-number, they can always use it to login at any OpenID RP at
> which they had previously used any i-name synonym for that i-number.
>
> =Drummond
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of Recordon, David
> Sent: Thursday, October 19, 2006 4:09 AM
> To: Dick Hardt; Martin Atkins
> Cc: specs@openid.net
> Subject: RE: XRI confusion
>
> How would Alice buy =foo when Bob already owns it?
>
> --David
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Dick Hardt
> Sent: Thursday, October 19, 2006 3:58 AM
> To: Martin Atkins
> Cc: specs@openid.net
> Subject: Re: XRI confusion
>
>
> On 19-Oct-06, at 12:44 AM, Martin Atkins wrote:
>
>> Dick Hardt wrote:
>>>
>>> How would a user ever learn what their CanonicalID is?
>>
>> The user doesn't need to know his i-number. The system discovers that
>> for him.
>>
>>> If their Portable Identifier (i-name) is reassigned, then they will
>>> be sent to an IdP for the new Canonical ID is, expecting credentials
>>> from the new owner. The user will never make it back to the RP, and
>>> they will have no easy way of proving they are the owner of the
>>> CanonicalID.
>>
>> I don't really understand this paragraph, but when the i-name is
>> reassigned it'll cease to point at the same XRDS and will thus not
>> point at the IdP anymore - unless the new owner also has an account
>> with that IdP, of course. But they have a different i-number, so the
>> IdP can distinguish them.
>
> Bob has the i-name =foo. Alice has =foo reassigned to her. Bob does not
> know this. Bob goes to an RP, enters =foo and gets sent somewhere he
> cannot authenticate since =foo resolves somewhere else.
>
> Bob does not know what to do. =foo does not resolve to his i-number any
> more. How does he find out what it is so that he can get his i-name
> to point to it?
>
>>
>>> Additionally, in the proposal, the i-name is not sent from the RP to
>>> the IdP, so how does the IdP know which i-name to address the user
>>> as?
>>
>> I would hope that an IdP, given that I've already established a
>> relationship with it, can find something better to address me with
>> than a URI. It should be calling me "Martin".
>
> Perhaps, although I would like my IdP to let me know which Identifier I
> am going to present to the RP.
>
> -- Dick


RE: XRI confusion

2006-10-19 Thread Drummond Reed
Exactly. An i-name being reassigned is very similar to a domain name being
reassigned -- the previous owner is going to know they no longer own it.

For example, if you register blame.ca, you're going to receive multiple
notices from your DNS registrar that you need to renew it, and if you don't,
you know it is almost certain to be reassigned. The same is true for i-name
registrants.

With regard to i-numbers, every registrant is notified of their i-number,
and their i-broker retains a record of the i-number. Because an i-number is
NEVER reassigned, if a registrant chooses not to renew an i-name, they
ALWAYS have their i-number.

Note that since the i-name and i-number are directly synonymous, i.e., the
i-number resolves the same XRDS as the i-name, if a registrant knows their
i-number, they can always use it to login at any OpenID RP at which they had
previously used any i-name synonym for that i-number.

=Drummond 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Recordon, David
Sent: Thursday, October 19, 2006 4:09 AM
To: Dick Hardt; Martin Atkins
Cc: specs@openid.net
Subject: RE: XRI confusion

How would Alice buy =foo when Bob already owns it?

--David 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Dick Hardt
Sent: Thursday, October 19, 2006 3:58 AM
To: Martin Atkins
Cc: specs@openid.net
Subject: Re: XRI confusion


On 19-Oct-06, at 12:44 AM, Martin Atkins wrote:

> Dick Hardt wrote:
>>
>> How would a user ever learn what their CanonicalID is?
>
> The user doesn't need to know his i-number. The system discovers that 
> for him.
>
>> If their Portable Identifier (i-name) is reassigned, then they will
>> be sent to an IdP for the new Canonical ID is, expecting credentials 
>> from the new owner. The user will never make it back to the RP, and 
>> they will have no easy way of proving they are the owner of the 
>> CanonicalID.
>
> I don't really understand this paragraph, but when the i-name is 
> reassigned it'll cease to point at the same XRDS and will thus not 
> point at the IdP anymore - unless the new owner also has an account 
> with that IdP, of course. But they have a different i-number, so the 
> IdP can distinguish them.

Bob has the i-name =foo. Alice has =foo reassigned to her. Bob does not
know this. Bob goes to an RP, enters =foo and gets sent somewhere he
cannot authenticate since =foo resolves somewhere else.

Bob does not know what to do. =foo does not resolve to his i-number any
more. How does he find out what it is so that he can get his i-name
to point to it?

>
>> Additionally, in the proposal, the i-name is not sent from the RP to 
>> the IdP, so how does the IdP know which i-name to address the user 
>> as?
>
> I would hope that an IdP, given that I've already established a 
> relationship with it, can find something better to address me with 
> than a URI. It should be calling me "Martin".

Perhaps, although I would like my IdP to let me know which Identifier I
am going to present to the RP.

-- Dick


RE: XRI confusion

2006-10-19 Thread Recordon, David
How would Alice buy =foo when Bob already owns it?

--David 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Dick Hardt
Sent: Thursday, October 19, 2006 3:58 AM
To: Martin Atkins
Cc: specs@openid.net
Subject: Re: XRI confusion


On 19-Oct-06, at 12:44 AM, Martin Atkins wrote:

> Dick Hardt wrote:
>>
>> How would a user ever learn what their CanonicalID is?
>
> The user doesn't need to know his i-number. The system discovers that 
> for him.
>
>> If their Portable Identifier (i-name) is reassigned, then they will
>> be sent to an IdP for the new Canonical ID is, expecting credentials 
>> from the new owner. The user will never make it back to the RP, and 
>> they will have no easy way of proving they are the owner of the 
>> CanonicalID.
>
> I don't really understand this paragraph, but when the i-name is 
> reassigned it'll cease to point at the same XRDS and will thus not 
> point at the IdP anymore - unless the new owner also has an account 
> with that IdP, of course. But they have a different i-number, so the 
> IdP can distinguish them.

Bob has the i-name =foo. Alice has =foo reassigned to her. Bob does not
know this. Bob goes to an RP, enters =foo and gets sent somewhere he
cannot authenticate since =foo resolves somewhere else.

Bob does not know what to do. =foo does not resolve to his i-number any
more. How does he find out what it is so that he can get his i-name
to point to it?

>
>> Additionally, in the proposal, the i-name is not sent from the RP to 
>> the IdP, so how does the IdP know which i-name to address the user 
>> as?
>
> I would hope that an IdP, given that I've already established a 
> relationship with it, can find something better to address me with 
> than a URI. It should be calling me "Martin".

Perhaps, although I would like my IdP to let me know which Identifier I
am going to present to the RP.

-- Dick


Re: XRI confusion

2006-10-19 Thread Dick Hardt

On 19-Oct-06, at 12:44 AM, Martin Atkins wrote:

> Dick Hardt wrote:
>>
>> How would a user ever learn what their CanonicalID is?
>
> The user doesn't need to know his i-number. The system discovers that
> for him.
>
>> If their Portable Identifier (i-name) is reassigned, then they will
>> be sent to an IdP for the new Canonical ID is, expecting credentials
>> from the new owner. The user will never make it back to the RP, and
>> they will have no easy way of proving they are the owner of the
>> CanonicalID.
>
> I don't really understand this paragraph, but when the i-name is
> reassigned it'll cease to point at the same XRDS and will thus not
> point at the IdP anymore — unless the new owner also has an account
> with that IdP, of course. But they have a different i-number, so the
> IdP can distinguish them.

Bob has the i-name =foo. Alice has =foo reassigned to her. Bob does  
not know this. Bob goes to an RP, enters =foo and gets sent somewhere  
he cannot authenticate since =foo resolves somewhere else.

Bob does not know what to do. =foo does not resolve to his i-number
any more. How does he find out what it is so that he can get his
i-name to point to it?

>
>> Additionally, in the proposal, the i-name is not sent from the RP to
>> the IdP, so how does the IdP know which i-name to address the user
>> as?
>
> I would hope that an IdP, given that I've already established a
> relationship with it, can find something better to address me with
> than a URI. It should be calling me "Martin".

Perhaps, although I would like my IdP to let me know which Identifier  
I am going to present to the RP.

-- Dick


Re: XRI confusion

2006-10-19 Thread Martin Atkins
Dick Hardt wrote:
> 
> How would a user ever learn what their CanonicalID is?

The user doesn't need to know his i-number. The system discovers that 
for him.

> If their Portable Identifier (i-name) is reassigned, then they will
> be sent to an IdP for the new Canonical ID is, expecting credentials  
> from the new owner. The user will never make it back to the RP, and  
> they will have no easy way of proving they are the owner of the  
> CanonicalID.

I don't really understand this paragraph, but when the i-name is 
reassigned it'll cease to point at the same XRDS and will thus not point 
at the IdP anymore — unless the new owner also has an account with that 
IdP, of course. But they have a different i-number, so the IdP can 
distinguish them.

> Additionally, in the proposal, the i-name is not sent from the RP to  
> the IdP, so how does the IdP know which i-name to address the user  
> as?

I would hope that an IdP, given that I've already established a 
relationship with it, can find something better to address me with than 
a URI. It should be calling me "Martin".

