Comments on Auth 2.0 - Pre-Draft 11

[Johannes Ernst]

I think this is better, but it just occurs to me that we don't  
necessarily want to limit this to "authorized end users" -- it could  
also be "authorized software agents" or what have you.

On Dec 15, 2006, at 16:27, Josh Hoyt wrote:

> On 12/11/06, Johannes Ernst <jernst+openid.net at netmesh.us> wrote:
>> >> 10 Responding to Authentication Requests
>> >>
>> >> First sentence:
>> >>> When an authentication request comes from the User-Agent via
>> >>> indirect communication (Indirect Communication), the OP SHOULD
>> >>> identify the User-Agent, and determine whether the end user
>> >>> wishes to complete the authentication.
>> >>
>> >> I have no idea what the term "identify" means here. Do you mean:
>> >>> When an authentication request comes from the User-Agent via
>> >>> indirect communication (Indirect Communication), the OP SHOULD
>> >>> determine the validity of the current session of the User-Agent
>> >>> with the OP, and -- with or without direct interaction with the
>> >>> user, this is left to implementors -- determine whether the end
>> >>> user wishes to complete the authentication with this  
>> particular RP.
>
> Re-worded in http://openid.net/svn/listing.php? 
> repname=specifications&path=%2F&rev=235&sc=1
>
> New text:
>
>  When an authentication request comes from the User-Agent via
> indirect communication
>  (Indirect Communication), the OP SHOULD determine that an  
> authorized end user
>  wishes to complete the authentication. If an authorized end user
> wishes to complete the
>  authentication, the OP SHOULD send a positive assertion (Positive
> Assertions) to the
>  Relying Party.
>
>  Methods of identifying authorized end users and obtaining approval
> to return an OpenID
>  Authentication assertion are beyond the scope of this specification.
>
> I think that's all the issues that were in my court. Did I miss  
> anything?
>
> Josh