[OpenID] identify RP when it gets OpenID URL

Johnny Bufu johnny at sxip.com
Wed Oct 17 18:14:55 UTC 2007


On 16-Oct-07, at 7:58 PM, Manger, James H wrote:

> Use case: Alice wants to use different OPs for different RPs, while  
> keeping the same URL (eg http://alice.example.net/). For instance,  
> when logging into a service hosting her backups she wants to use an  
> OP that requires a one-time password from a hardware token for each  
> access. However, when leaving comments on blogs Alice wants to  
> authenticate using an OP that only requires a password and uses a  
> persistent cookie so she only has to log in once a day.

I believe there's a cleaner way to address this, that would not  
complicate the things that Alice needs to know about the inner  
workings of OpenID (and without her having to use different  
identities for different purposes):

The PAPE-enabled backup service requests that the OP authenticates  
Alice in a manner compliant with certain policies, that are  
satisfactory to Alice's security requirements for a backup service.


Johnny




More information about the specs mailing list