Some suggestions about Open Id AX profile
SitG Admin
sysadmin at shadowsinthegarden.com
Wed Jun 3 20:07:23 UTC 2009
>Score is not about the OP it's about the method used to gather the
>attributes itself.
Which is good if you trust the OP to score itself.
>In my opinion, and to keep things easy, trust should be binary I
>[trust|don't trust] this OP.
For you as a Relying Party this seems workable; but since your users
are placing their trust in *you*, while at the same time the actual
entities they end up trusting are the OPs of those people they are
forming/signing contracts with, this seems like an untenable position
unless you can either restrict the OP (whitelist) to those you have
verified (or had verified for you by a 3rd party *you* trust), which
doesn't give users much freedom to select their OPs but does limit
possible abuses, or fairly transfer responsibility for trust onto
users.
>But what if (and this is only an early idea) user A asks its OP
>saying, I want to know B's name. So A's OP would then ask B's name
>to B's OP the same way a RP would do.
Except that A's OP isn't necessarily a RP; there is something called
OAuth that might fit better here.
-Shade