Sure...<div><br></div><div>I've never seen it actually used in the wild, but the OpenID spec allows for the protocol to be used for non-authentication purposes. By leaving out the openid.identity and openid.claimed_id parameters completely from a checkid request, the RP signifies to the OP that it is not requesting an identity assertion, but for some responses to attached request extensions. Some extensions like PAPE seem to only apply to authentication requests. But other extensions like AX or sreg could be answered regarding the user who is logged into the OP, without the OP actually asserting that user's identity to the RP. Effectively, the RP would be asking an OP "I already know who this user is, but I'd like to learn more about them." This would be useful if the user likes to log in with Google, but PayPal is needed to provide some kind of payment processing or attributes.</div>
<div><br></div><div>It would <i>not</i> be useful to obtain credit card information from PayPal, since no OpenID extension that I know of encrypts the data in transit. If both the OP and RP used HTTPS that would help, but it would make me nervous. For sensitive data such as this, OAuth may be the better option since the RP could talk directly to the SP over HTTPS with no user agent go-between.</div>
<div><br></div><div>But again, I've never seen identity-less OpenID in the wild, so I don't know how many OPs/RPs actually support it.</div><div><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Sun, Apr 26, 2009 at 10:35 AM, <span dir="ltr"><<a href="mailto:leon@kuunders.info">leon@kuunders.info</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="#ffffff" text="#000000">
<font face="Lucida Sans Unicode">Interesting. Could you elaborate on
this?<br>
cheers, --Leon.<br>
</font><br>
Andrew Arnott wrote:<br>
<blockquote type="cite"><div><div></div><div class="h5">In retrospect, I guess an OpenID transaction using AX
could be used for this, omitting the openid.identity and
openid.claimed_id parameters to signify this isn't an authentication
while still leveraging AX, could be used in this scenario with PayPal
as well.
<div><br clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the
death your right to say it." - Voltaire<br>
<br>
<br>
<div class="gmail_quote">On Sun, Apr 26, 2009 at 7:10 AM, Andrew
Arnott <span dir="ltr"><<a href="mailto:andrewarnott@gmail.com" target="_blank">andrewarnott@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex">Remember
(I say this to everyone on the list),
<div><br>
</div>
<div>Just because PayPal would make an excellent source of this
information, that doesn't mean that it should become an OP. In the
interest of the SSO model, since we seem to have enough big OPs out
there, why not have PayPal become an OAuth Service Provider. </div>
<div><br>
</div>
<div>Imagine... you're already logged into eBay using your
preferred OP. You're now ready to purchase. Why make you log in again
using PayPal? Instead, just click the Pay With PayPal button. You see
PayPal pop up, asking you to verify the purchase/bid/whatever. You
click Yes. You see eBay again, and it has received all the info it
needs. If you weren't already signed into PayPal you may need to sign
in there before clicking "Yes", but you're strictly logging into PayPal
and not re-logging into eBay.</div>
<div><br>
</div>
<div>You don't need to be an OP to be able to provide this info.
If authentication isn't strictly necessary, OAuth is usually the right
choice.</div>
<div><br clear="all">
<font color="#888888">--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the
death your right to say it." - Voltaire</font>
<div>
<div><br>
<br>
<br>
<div class="gmail_quote">On Sun, Apr 26, 2009 at 5:54 AM, Santosh
Rajan <span dir="ltr"><<a href="mailto:santrajan@gmail.com" target="_blank">santrajan@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex">I
think Visa. Mastercard etc will get into the act!
<div>Incidentally Paypal is an excellent position to be an OP for
shopping sites, because not only can it provide a verified email
address, it can also tell the RP if the user is a paypal verified user.
ie. he has a verified credit card.(Of cource they will need to
communicate this info somehow).
<div>
<div><br>
<br>
<div class="gmail_quote">On Sun, Apr 26, 2009 at 5:28 PM, Peter
Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com" target="_blank">pwilliams@rapattoni.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex"><br>
so where are poeple planning on storing (partial) credit card data -<br>
<br>
1. at the op (paypal OP model) attribute server<br>
2. in the release module of the OP, udner user control<br>
3. at the discovery agent (users XRDS, somehow protected)<br>
4. one of the RPs<br>
5. a super RP trusted by other RPs?<br>
<br>
<br>
its a good test of the UCI/openid model, as now we have a sensitive
attribute to worry about. Noone can just wave their hands and say :
openid is for things that dont matter much...<br>
________________________________________<br>
From: <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>] On Behalf Of Santosh
Rajan [<a href="mailto:santrajan@gmail.com" target="_blank">santrajan@gmail.com</a>]<br>
Sent: Saturday, April 25, 2009 8:03 PM<br>
To: <a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
Subject: Re: [OpenID] Demo Travel/ retailshop<br>
<br>
I am willing to help.<br>
<br>
<br>
nieuwsgroep wrote:<br>
><br>
> I think Brain Kissel and the others of the retail advisory
committee<br>
> (<a href="http://www.slideshare.net/bkkissel/openid-foundation-retail-advisory-commit" target="_blank">http://www.slideshare.net/bkkissel/openid-foundation-retail-advisory-commit</a><br>
> tee-webinar?type=powerpoint) did a great job summarizing the
benefits of<br>
> OpenID for retailers. It really helps to discuss OpenID with some
of the<br>
> relying party decision makers.<br>
><br>
><br>
><br>
> In addition to the presentation I think it would help a lot if
these<br>
> benefits can be showed in an online demo. Convincing potential
RP's to<br>
> start<br>
> a pilot project.<br>
><br>
><br>
><br>
> Anyone working on a retail demo that shows the benefits by the
following<br>
> scenario:<br>
><br>
><br>
><br>
> 1. Register online on a demo travelshop with an openid
collecting as<br>
> much as profile data to prefill the registration form.<br>
><br>
> 2. Return to the travelsite and easily login with an OpenID<br>
><br>
> 3. Book a demo holiday and post this back to my IDP/ Social
profile<br>
> (Like facebook or myspace) telling my connections I planned a
holiday with<br>
> DemoTravelshop.<br>
><br>
> 4. Additionally easily redirect (Federated login) to a demo<br>
> partnersite to rent a car.<br>
><br>
><br>
><br>
> A good demo like this would complement the story to potential
RP's and<br>
> make<br>
> it more tangible.<br>
><br>
><br>
><br>
> Anyone working on such a demo, plans to, or willing to help on
this?<br>
><br>
><br>
><br>
> Kick<br>
><br>
><br>
><br>
><br>
><br>
><br>
> _______________________________________________<br>
> general mailing list<br>
> <a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
> <a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
><br>
><br>
<br>
<br>
-----<br>
<br>
Santosh Rajan<br>
<a href="http://santrajan.blogspot.com" target="_blank">http://santrajan.blogspot.com</a> <a href="http://santrajan.blogspot.com" target="_blank">http://santrajan.blogspot.com</a><br>
<font color="#888888">--<br>
View this message in context: <a href="http://www.nabble.com/Demo-Travel--retailshop-tp23236118p23238762.html" target="_blank">http://www.nabble.com/Demo-Travel--retailshop-tp23236118p23238762.html</a><br>
Sent from the OpenID - General mailing list archive at Nabble.com.<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</font></blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div></div><pre><hr size="4" width="90%">
</pre>
</blockquote>
<br>
</div>
</blockquote></div><br></div>