[OpenID] An alternative OpenID UX

Peter Williams pwilliams at rapattoni.com
Wed Apr 15 05:32:34 UTC 2009


I've forgotten whether the service definition in a vanity user's XRDS does or does not declare the PAPE level supported by that OP - and thus provide the basis for an RP to decide whether it can use that particular OP to satisfy its requirements.

Several questions come to mind if it does: is it "openid" for an RP to make several requests, with only a single, specific act of user input (e.g. could do 2 or 3 rounds of openid auth protocol, for one typed openid)?

Is it reasonable for an RP to seek out 2 or more assertions, from different OPs (according to their supported PAPE levels), before cross-relying on all those used, before minting a local session?


> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of SitG Admin
> Sent: Tuesday, April 14, 2009 5:53 PM
> To: Rabbit
> Cc: general at openid.net
> Subject: Re: [OpenID] An alternative OpenID UX
>
> >Which also presents a problem when the RP wants to require a policy
> >that the big players don't follow. Seems to me policy requirements
> >should be relaxed upon entry and rely upon out-of-band solutions to
> >pick up where policy compliance left off. In the verified e-mail
> >example, the RP can trust that certain OPs have supplied a verified
> >e-mail while for others the User is shown "Your e-mail must be
> >verified. Click here" but in both cases, the User is still allowed
> >to choose their OP.
>
> This is where it would be useful to specify multiple OP's; the first
> can vouch for my Identity using passwords, the second with
> biometrics, the third with smartcards - and then take it from there:
> the fourth can vouch for my E-mail address (might as well be the
> E-mail Provider, and it could do this out-of-band as you suggest),
> the fifth can vouch for my clearance level (should be the
> government), and so on; RP's then get to send the user to OP's that
> match the credentials they desire.
>
> -Shade
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
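
Added example (not part of the original messages): a sketch of the RP-side flow discussed in this thread, assuming OPs advertise their PAPE policies as `<Type>` elements in the service entries of the user's XRDS. The OP endpoints, the sample XRDS and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"
PAPE = "http://schemas.openid.net/pape/policies/2007/06/"

# Constructed sample XRDS; the OP endpoints are hypothetical.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
 <XRD>
  <Service priority="10">
   <Type>http://specs.openid.net/auth/2.0/signon</Type>
   <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor</Type>
   <URI>https://op-smartcard.example/endpoint</URI>
  </Service>
  <Service priority="20">
   <Type>http://specs.openid.net/auth/2.0/signon</Type>
   <URI>https://op-password.example/endpoint</URI>
  </Service>
 </XRD>
</xrds:XRDS>"""

def advertised_policies(xrds_text):
    """Map each OP endpoint URI to the set of PAPE policy URIs it advertises."""
    ops = {}
    for svc in ET.fromstring(xrds_text).iter(XRD + "Service"):
        types = {t.text.strip() for t in svc.findall(XRD + "Type") if t.text}
        uri = svc.find(XRD + "URI")
        if uri is not None and uri.text:
            ops[uri.text.strip()] = {t for t in types if t.startswith(PAPE)}
    return ops

def plan_requests(ops, required):
    """Pick one OP per required policy; None marks a policy no OP advertises."""
    return {p: next((u for u, pols in sorted(ops.items()) if p in pols), None)
            for p in required}

def may_mint_session(required, assertions):
    """assertions: (op_endpoint, signature_valid, auth_policies) tuples.
    The XRDS advertisement is only a hint; count a policy as met only when a
    verified positive assertion itself lists it in auth_policies."""
    met = set()
    for _op, sig_ok, policies in assertions:
        if sig_ok:
            met |= set(policies)
    return set(required) <= met
```

The session gate fails closed: a policy that no verified assertion reports leaves the user without a local session, whatever the XRDS claimed.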


