IdentityCamp Bremen: Problems with OpenID delegation (technical)

Boris Erdmann

I am posting this a little late, but better late than never (no guarantee of correctness, especially as I am not 100% deep into OpenID):

Boris Erdmann was talking about problems he had with doing OpenID delegation. Their goal at the homepage construction kit Jimdo was not to be an OpenID provider, but still to make each homepage an OpenID (as it makes sense for users to have their homepage be one).

While Jimdo didn't want to be an OpenID provider, it is still good to have various other information stored at your homepage (XFN, hCard, FOAF etc.).

The problem is that delegation is not a service; in particular:

  1. No standardized way to do it
  2. No best practices
  3. Update liability

The latter means the question of how you keep the delegation information up to date when a user changes their OpenID provider.

No standardized way for discovery

There are too many varieties:

  • HTML header (but you cannot do service discovery that way, e.g. PAPE, SReg, AX etc.)
  • XRDS offers many different possibilities: you can host it yourself or use an existing one. The problem here is that not all RPs perform XRDS discovery; then the fallback is HTML discovery.
  • Broken YADIS libraries, like the one from Plaxo, which does not set the Accept header correctly (accepts everything)

What you can eventually do is discover it and republish it as XRDS.
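As an added example (not code from this post, from Boris Erdmann or from Jimdo), the following Python script does the HTML discovery described above, republishes the result as an XRDS document, and includes the Accept-header check a server needs in order to tell whether an RP is actually asking for XRDS rather than sending a blanket "accept everything". All URLs in it are constructed sample values.

```python
"""OpenID delegation discovery from an HTML <head>, republished as XRDS.

Added example, not the post's or Jimdo's own code. Parses the <link> tags
that HTML-based OpenID discovery uses (openid2.provider / openid2.local_id
for OpenID 2.0, openid.server / openid.delegate for OpenID 1.x) and renders
the result as a YADIS XRDS document. All URLs are constructed samples.
"""
from html.parser import HTMLParser
from xml.sax.saxutils import escape

# Constructed sample: the <head> of a homepage delegating to an external provider.
SAMPLE_HOMEPAGE = """<html><head>
<title>Alice's homepage</title>
<link rel="openid2.provider" href="https://provider.example/openid/auth">
<link rel="openid2.local_id" href="https://provider.example/id/alice">
<link rel="openid.server" href="https://provider.example/openid/auth">
<link rel="openid.delegate" href="https://provider.example/id/alice">
<link rel="stylesheet" href="/style.css">
</head><body>Hello</body></html>"""

OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"
OPENID1_SIGNON = "http://openid.net/signon/1.1"


class _LinkCollector(HTMLParser):
    """Collects rel -> href for <link> tags that appear inside <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False  # discovery links outside <head> are ignored
        if tag != "link" or not self._in_head:
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").lower().split():
            self.links.setdefault(rel, a.get("href"))  # first occurrence wins


def discover_delegation(html):
    """Return delegation info found by HTML discovery, or None.

    Prefers the OpenID 2.0 tags and falls back to the OpenID 1.x ones.
    """
    p = _LinkCollector()
    p.feed(html)
    links = p.links
    if "openid2.provider" in links:
        return {"version": 2, "endpoint": links["openid2.provider"],
                "local_id": links.get("openid2.local_id")}
    if "openid.server" in links:
        return {"version": 1, "endpoint": links["openid.server"],
                "local_id": links.get("openid.delegate")}
    return None


def to_xrds(info):
    """Render discovered delegation info as an XRDS document for YADIS."""
    svc_type = OPENID2_SIGNON if info["version"] == 2 else OPENID1_SIGNON
    lines = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"',
             '           xmlns:openid="http://openid.net/xmlns/1.0">',
             '  <XRD>',
             '    <Service priority="0">',
             f'      <Type>{svc_type}</Type>',
             f'      <URI>{escape(info["endpoint"])}</URI>']
    if info["local_id"]:
        lid = escape(info["local_id"])
        # OpenID 2.0 uses <LocalID>; OpenID 1.x XRDS uses <openid:Delegate>.
        lines.append(f'      <LocalID>{lid}</LocalID>' if info["version"] == 2
                     else f'      <openid:Delegate>{lid}</openid:Delegate>')
    lines += ['    </Service>', '  </XRD>', '</xrds:XRDS>']
    return "\n".join(lines)


def wants_xrds(accept_header):
    """True only if the client explicitly lists application/xrds+xml.

    A bare '*/*' (what the post says the Plaxo YADIS library sends) gives
    the server no signal, so it is treated as an ordinary HTML request.
    """
    for item in accept_header.split(","):
        parts = [p.strip() for p in item.split(";")]
        if parts[0].lower() != "application/xrds+xml":
            continue
        q = 1.0
        for p in parts[1:]:
            if p.startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0
        return q > 0
    return False


if __name__ == "__main__":
    found = discover_delegation(SAMPLE_HOMEPAGE)
    print(to_xrds(found))
    print("serve XRDS for '*/*'?", wants_xrds("*/*"))
```

Serving the generated XRDS only when `wants_xrds()` is true (and the HTML page otherwise) is one way to give both kinds of RP something they can consume: YADIS-capable RPs get the service document, while RPs that only do HTML discovery still find the `<link>` tags.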

Identifier Lifecycle

What if you upgrade from e.g. to ?

Do you then have one or two identifiers?

In the first case you have to redirect (HTTP) from to . The disadvantage is that sites only know you under the latter OpenID; the goal is not reached.

In the second case you have to update all the sites and change it there.

Dick Hardt had an idea which you can read about here.

Overloading and bad signalling

To stay high in search engines you have to redirect to so that you are not doing content spam.

But: HTML discovery is then broken beyond repair (you lose as identifier).

YADIS discovery would help but you need working RP libraries for that.

Another question: what happens if I release again and somebody else registers it? Sort of unsolved for delegation.

What do other people do about it?

It seems that services like Yahoo are very consistent and do not provide things which are still under discussion. They also use fragment identifiers to distinguish OpenIDs even if they have the same name.

As an example you can use to log in to various services. In reality the complete URL is and the latter is what is transmitted from the OpenID provider to the Relying Party.

At one point in time there is only one person with e.g. a name="boris". But if he then chooses a different name, another person can use "boris". That person then gets a different hash than the former "boris", and RPs then know it's somebody else.

Now the problem with delegation in this case is the following: I have my nice vanity URL names "". I delegate this to my OpenID provider. Now somebody else buys this domain, and all my accounts using it are compromised. This is also a problem with fragment identifiers.

All in all this problem seems to be unsolved. The main intent was to start thinking about how it might get solved.