Requiring Pseudonymous Identifier

SitG Admin sysadmin at
Fri May 15 22:55:11 UTC 2009

>Keeping it identity-less also allows the assertion to come from a 3rd party.
>The group may be the only one that can say I belong to it.  They may 
>have the openID's of there members and make membership assertions on 
>there behalf without being a full IDP.  That could be done with AX 
>or oAuth for transferring the attributes.

How about a restricted-access "group" (community, whatever an OP 
calls it) where members must have been approved? If the school 
doesn't want to run its own IDP, it can host an XRD file showing the 
URI's for Groups (Communities) on various 3rd-party sites that it has 
investigated and found to be run by those who will be responsible 
(cue internal policy decisions, here), so it declares them (groups, 
not sites) authoritative.

 From then on, if RP's want to know that a user is a student at that 
school, they check the school's XRD file, then say "Okay, you can 
prove membership in this group on Facebook, that group on 
LiveJournal, or some other group at MySpace."

This kind of "delegation" brings us back to using those URI's, 
though. Then again . . . if the user's OP *is* that same site they 
are a member of some Group on, couldn't something be done there? (If 
the user is employing delegation as known to the spec, it seems 
unlikely that the Group page would be available for that user to 
control the OpenID headers of.)


More information about the specs mailing list