Comments on Auth 2.0 - Pre-Draft 11
Josh Hoyt
josh at janrain.com
Sat Dec 16 00:27:09 UTC 2006
On 12/11/06, Johannes Ernst <jernst+openid.net at netmesh.us> wrote:
> >> 10 Responding to Authentication Requests
> >>
> >> First sentence:
> >>> When an authentication request comes from the User-Agent via
> >>> indirect communication (Indirect Communication), the OP SHOULD
> >>> identify the User-Agent, and determine whether the end user
> >>> wishes to complete the authentication.
> >>
> >> I have no idea what the term "identify" means here. Do you mean:
> >>> When an authentication request comes from the User-Agent via
> >>> indirect communication (Indirect Communication), the OP SHOULD
> >>> determine the validity of the current session of the User-Agent
> >>> with the OP, and -- with or without direct interaction with the
> >>> user, this is left to implementors -- determine whether the end
> >>> user wishes to complete the authentication with this particular RP.
Re-worded in http://openid.net/svn/listing.php?repname=specifications&path=%2F&rev=235&sc=1
New text:
When an authentication request comes from the User-Agent via indirect
communication (Indirect Communication), the OP SHOULD determine that an
authorized end user wishes to complete the authentication. If an
authorized end user wishes to complete the authentication, the OP SHOULD
send a positive assertion (Positive Assertions) to the Relying Party.

Methods of identifying authorized end users and obtaining approval to
return an OpenID Authentication assertion are beyond the scope of this
specification.

I think that's all the issues that were in my court. Did I miss anything?
Josh