[OpenID] Demo Travel/ retailshop

Andrew Arnott andrewarnott at gmail.com
Sun Apr 26 23:55:33 UTC 2009


Sharing your association secret from one RP to another site does not bestow
any right other than "now able to forge identity assertions on behalf of the
OP and fool the RP".  It makes no difference to the OP what assoc_handle an
RP uses as far as determining privileges to access certain attributes.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Sun, Apr 26, 2009 at 4:24 PM, Peter Williams <pwilliams at rapattoni.com> wrote:

>
> Or, I'm an RP and I give the association secret to my delegated RP-partner,
> who is now authorized to ask for non-identity claims (given the restrictions
> in his RP XRDS and the nature of the association id). Let's recall, from
> Plaxo, external association managers are now legitimate. No reason why one
> cannot consider OAuth to be an "external" association manager, or a
> "complementary" association manager between RPs to facilitate rights
> delegation for non-identity requests/assertions.
> ________________________________________
> From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of
> SitG Admin [sysadmin at shadowsinthegarden.com]
> Sent: Sunday, April 26, 2009 3:53 PM
> To: Andrew Arnott
> Cc: general at openid.net
> Subject: Re: [OpenID] Demo Travel/ retailshop
>
> >Effectively, the RP would be asking an OP "I already know who this
> >user is, but I'd like to learn more about them."
>
> Could it be used for "I don't care who this user is, I just want to
> learn more about them."?
>
> -Shade
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
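
Why the association secret is forgery material and nothing else, as an added example that is not part of the original thread: in OpenID 2.0 the `openid.sig` value is an HMAC over the signed fields in Key-Value Form, keyed by the association MAC key, so the RP's check proves only that the signer held that key. The key, handle and URLs are constructed sample values, HMAC-SHA256 is assumed as the association type, and `signed_by` is a hypothetical helper.

```python
import base64
import hashlib
import hmac

def kv_form(fields, signed):
    # OpenID 2.0 Key-Value Form: "key:value\n" per signed field, in openid.signed order.
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode("utf-8")

def sign(mac_key, fields):
    # HMAC-SHA256 association type assumed; the signature is base64 of the MAC.
    signed = fields["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def rp_verify(associations, fields):
    # RP side: find the MAC key by assoc_handle, recompute, constant-time compare.
    mac_key = associations.get(fields.get("openid.assoc_handle"))
    if mac_key is None:
        return False
    try:
        expected = sign(mac_key, fields)
    except KeyError:  # openid.signed, or a field it names, is missing
        return False
    return hmac.compare_digest(expected, fields.get("openid.sig", ""))

# Constructed sample data (not from the thread).
MAC_KEY = bytes(range(32))
ASSOCIATIONS = {"handle-1": MAC_KEY}  # the RP's association store
ASSERTION = {
    "openid.op_endpoint": "https://op.example/server",
    "openid.claimed_id": "https://op.example/alice",
    "openid.identity": "https://op.example/alice",
    "openid.return_to": "https://rp.example/return",
    "openid.response_nonce": "2009-04-26T23:55:33Zabc",
    "openid.assoc_handle": "handle-1",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}

def signed_by(holder_key, claimed_id):
    # The MAC is symmetric: the RP cannot tell which key holder produced it.
    msg = dict(ASSERTION, **{"openid.claimed_id": claimed_id, "openid.identity": claimed_id})
    msg["openid.sig"] = sign(holder_key, msg)
    return msg

if __name__ == "__main__":
    print(rp_verify(ASSOCIATIONS, signed_by(MAC_KEY, "https://op.example/alice")))
    print(rp_verify(ASSOCIATIONS, signed_by(MAC_KEY, "https://op.example/bob")))
    print(rp_verify(ASSOCIATIONS, signed_by(b"other-key", "https://op.example/bob")))
```

The first two checks pass and the third fails: the verification depends only on the key, never on who computed the MAC, so an RP has to treat the association secret as unshareable.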

