Comments on Auth 2.0 - Pre-Draft 11
Johannes Ernst
jernst+openid.net at netmesh.us
Sat Dec 16 05:21:24 UTC 2006
I think this is better, but it just occurs to me that we don't
necessarily want to limit this to "authorized end users" -- it could
also be "authorized software agents" or what have you.
On Dec 15, 2006, at 16:27, Josh Hoyt wrote:
> On 12/11/06, Johannes Ernst <jernst+openid.net at netmesh.us> wrote:
>> >> 10 Responding to Authentication Requests
>> >>
>> >> First sentence:
>> >>> When an authentication request comes from the User-Agent via
>> >>> indirect communication (Indirect Communication), the OP SHOULD
>> >>> identify the User-Agent, and determine whether the end user
>> >>> wishes to complete the authentication.
>> >>
>> >> I have no idea what the term "identify" means here. Do you mean:
>> >>> When an authentication request comes from the User-Agent via
>> >>> indirect communication (Indirect Communication), the OP SHOULD
>> >>> determine the validity of the current session of the User-Agent
>> >>> with the OP, and -- with or without direct interaction with the
>> >>> user, this is left to implementors -- determine whether the end
>> >>> user wishes to complete the authentication with this
>> >>> particular RP.
>
> Re-worded in http://openid.net/svn/listing.php?repname=specifications&path=%2F&rev=235&sc=1
>
> New text:
>
> When an authentication request comes from the User-Agent via indirect
> communication (Indirect Communication), the OP SHOULD determine that an
> authorized end user wishes to complete the authentication. If an
> authorized end user wishes to complete the authentication, the OP SHOULD
> send a positive assertion (Positive Assertions) to the Relying Party.
>
> Methods of identifying authorized end users and obtaining approval to
> return an OpenID Authentication assertion are beyond the scope of this
> specification.
>
> I think that's all the issues that were in my court. Did I miss
> anything?
>
> Josh