Terminology
This page should now be considered defunct; readers should consult the latest specification for terminology: http://openid.net/specs.bml
The purpose of this page is to help the community achieve consensus on key terms used in OpenID specifications, deployments, and usage. See especially the Open Issues list.
Proposed Terms
OpenID-Specific Terms
- Identifier (or "OpenID Identifier")
- An Identifier is either an "http" or "https" URI (commonly referred to as a "URL" within this document) or an XRI. An Identifier may be a Claimed Identifier, OP-Specific Identifier, OP Identifier, or Verified Identifier, depending on context. An Identifier may also serve as a Public Identifier or a Private Identifier depending on context.
- Claimed Identifier
- An Identifier that the End User claims to own which has not yet been verified by the Relying Party. During the initiation phase of the protocol, an End User may enter either a Public Identifier or an OP Identifier as their Claimed Identifier. The latter option supports Privacy-Protected Login.
- OP Endpoint URL
- The URL that accepts OpenID authentication requests, discovered by dereferencing the End User's Identifier. The OP Endpoint URL is the value of the <xrd:URI> tag in the OpenID Authentication Service Element of an XRDS document. This MUST be an absolute URL.
- OP Identifier
- An Identifier that identifies an OpenID Provider instead of an End User. OP Identifiers are used for Privacy-Protected Login.
- OpenID Authentication Service Element
- In an XRDS document, the <Service> element containing a child <xrd:Type> element with a URL defining an OpenID Authentication Service as defined in this specification.
- OpenID Provider (OP)
- The party operating an OpenID Authentication server on which a Relying Party relies for cryptographic proof that the End User controls an Identifier.
- OP-Specific Identifier
- An alternate Identifier for an End User that is specific to a particular OP and thus not necessarily under the End User’s control. To ensure portability of Claimed Identifiers, End Users control the mapping between Claimed Identifiers under the End User’s control and OP-Specific Identifiers under the OP’s control.
- Private Identifier
- A Claimed Identifier that is intended to be private information used only in the context of the End User’s relationship with one or more specific Relying Parties (typically one or a small number). The use of Private Identifiers reduces or eliminates the ability of multiple Relying Parties to correlate an End User's activity across sites.
- Protocol Version
- The OpenID protocol version supported by an OpenID Provider, discovered by dereferencing the End User's Identifier. The protocol version value is determined by the URL in the <xrd:Type> tag of the OpenID Authentication Service Endpoint in an XRDS document.
- Public Identifier
- A Claimed Identifier that is intended to be public information and not specific to the End User's relationship with one or more Relying Parties, for example a blog URL or a public i-name. Public Identifiers are subject to correlation among multiple Relying Parties.
Terms from Other Specifications
- Canonical ID
- An Identifier used as the value of the <xrd:CanonicalID> element in an XRDS document. A Canonical ID is intended to be a persistent Identifier that is never reassigned to another End User, thus preventing the possibility that a new registrant can "take over" a previous registrant's OpenID identity.
- Diffie-Hellman Key Exchange
- Diffie-Hellman Key Exchange [RFC2631] is a protocol that allows two parties to create a shared secret while preventing eavesdroppers from learning the secret.
- Relying Party (RP)
- A Web application that wants proof that the End User controls an Identifier. [SAML]
- User-Agent
- The End User's Web browser which implements HTTP/1.1 [RFC2616].
- XRDS Document
- The XML document format used for discovery of metadata describing the services associated with an OpenID Identifier. The XRDS format is defined by [XRI Resolution].
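Several of the terms above (OP Endpoint URL, OpenID Authentication Service Element, Protocol Version, OP-Specific Identifier, Canonical ID) are all fields of the XRDS document obtained by dereferencing an Identifier. The following added example, which is not code from this page or from any OpenID library, shows how a Relying Party would pull those fields out of an XRDS document and apply the "MUST be an absolute URL" rule to the endpoint. The XRDS text, the `=!C0FF.EE00.0000.0001` i-number and the example.net hostnames are constructed for this example; the namespace and Type URIs are the ones the XRI Resolution and OpenID Authentication specifications define.

```python
"""Locate the OpenID Authentication Service Element in an XRDS document.

Added example, not code from the OpenID wiki page or from any OpenID
library. Given the XRDS document obtained by dereferencing an Identifier,
it finds the <Service> element whose <Type> is an OpenID authentication
type URI and returns the OP Endpoint URL (<URI>), the Protocol Version
implied by that <Type> URI, the OP-Specific Identifier in <LocalID> when
present, and the <CanonicalID>. The XRDS text below is constructed.
"""
from typing import Optional
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"  # namespace of XRD, Service, Type, URI, LocalID, CanonicalID

# Type URIs assigned to OpenID authentication services, mapped to the
# Protocol Version each one signals.
OPENID_TYPES = {
    "http://specs.openid.net/auth/2.0/server": "2.0",  # OP Identifier, Privacy-Protected Login
    "http://specs.openid.net/auth/2.0/signon": "2.0",  # Claimed Identifier
    "http://openid.net/signon/1.1": "1.1",
    "http://openid.net/signon/1.0": "1.0",
}

# Constructed sample: one 2.0 signon service and one legacy 1.1 service.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <CanonicalID>=!C0FF.EE00.0000.0001</CanonicalID>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.net/openid/endpoint</URI>
      <LocalID>https://op.example.net/users/alice</LocalID>
    </Service>
    <Service priority="20">
      <Type>http://openid.net/signon/1.1</Type>
      <URI>https://legacy.example.net/openid/endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def is_absolute_http_url(url: str) -> bool:
    """The OP Endpoint URL MUST be an absolute http or https URL."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def discover_openid_service(xrds_text: str) -> Optional[dict]:
    """Return the selected OpenID service's fields, or None if there is none."""
    def tag(local: str) -> str:
        return f"{{{XRD_NS}}}{local}"

    root = ET.fromstring(xrds_text)
    xrds = root.findall(tag("XRD"))
    if not xrds:
        return None
    xrd = xrds[-1]  # the final <XRD> describes the resolved Identifier
    canonical_id = xrd.findtext(tag("CanonicalID"))

    candidates = []
    for svc in xrd.findall(tag("Service")):
        types = [t.text.strip() for t in svc.findall(tag("Type")) if t.text]
        openid_types = [t for t in types if t in OPENID_TYPES]
        if not openid_types:
            continue  # not an OpenID Authentication Service Element
        uri = (svc.findtext(tag("URI")) or "").strip()
        if not is_absolute_http_url(uri):
            continue  # malformed endpoint: never send an authentication request to it
        priority = svc.get("priority")
        rank = int(priority) if priority and priority.isdigit() else float("inf")
        type_uri = openid_types[0]
        candidates.append((rank, {
            "op_endpoint_url": uri,
            "protocol_version": OPENID_TYPES[type_uri],
            "privacy_protected_login": type_uri.endswith("/2.0/server"),
            "op_local_identifier": (svc.findtext(tag("LocalID")) or "").strip() or None,
            "canonical_id": canonical_id,
        }))
    if not candidates:
        return None
    # Lowest priority value wins; ties keep document order (stable sort).
    candidates.sort(key=lambda c: c[0])
    return candidates[0][1]


if __name__ == "__main__":
    print(discover_openid_service(SAMPLE_XRDS))
```

Run against the sample, the function selects the priority-10 service, reports version 2.0, and treats the `/2.0/server` type as the signal for Privacy-Protected Login; a service whose `<URI>` is relative is skipped rather than used, so the legacy 1.1 endpoint is the fallback in that case.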
Analysis of Requirements for OpenID Identifier Terms
| Requirement | Current Proposed Term |
|---|---|
| Term for an OpenID Identifier used by an End User to log in with one of their public personas. | Public Identifier |
| Term for an OpenID Identifier used by an End User who does NOT want to log in with a public persona. | Private Identifier |
| Term for the feature of being able to log in without using a public persona. | Privacy-Protected Login |
| Term for an identifier for an OP, as opposed to an End User. | OP Identifier |
| Term for an identifier for an End User that is controlled by an OP, as opposed to controlled by an End User. | OP-Specific Identifier |
| Term for the identifier claimed by an End User regardless of whether it is Public or Private. | Claimed Identifier |
| Term for the identifier for an End User after it has been proven by the OP. | Verified Identifier |
Open Issues
#1: OP vs. IdP
The latest version of the spec uses the term OpenID Provider (OP) instead of Identity Provider (IdP). Although OP is a "specialization" of IdP, it does diverge somewhat from the widely-accepted use of IdP in the SAML and Liberty communities. Eve Maler of Sun (and an editor of the SAML Glossary) explained the reasons for sticking with IdP at:
- http://openid.net/pipermail/specs/2006-November/000785.html
- http://openid.net/pipermail/specs/2006-November/000805.html
#2: OP Identifier and OP-Specific Identifier
It has been suggested that these two terms, which are distinctly different types of identifiers, are too similar and may cause confusion to readers of the spec. Alternatives?
#3: Public Identifier and Private Identifier
These terms have been suggested to make it easier to describe the ability of OpenID to work with both types of identifiers, and in particular Privacy-Protected Login (below). Is there a better approach?
#4: Privacy-Protected Login
This term with the following definition has been suggested to give a clear, market-understandable name to this new feature in OpenID Authentication 2.0. Is this the best name for the feature?
- Privacy-Protected Login
- The ability for an End User to log in to a Relying Party using an OP Identifier instead of a Public Identifier, allowing the End User to select a Private Identifier during the authentication process that reduces or eliminates a Relying Party's ability to do correlation.
#5: User-Supplied Identifier
This term with the following definition has been suggested.
- User-Supplied Identifier
- An Identifier that was presented by the End User to the Relying Party.
DrummondReed: I'm not sure how this differs from Claimed Identifier. Can whoever made the proposal explain? Since we have too many "Identifier" terms already, it would be ideal if we didn't need to add another one.

