Requiring Pseudonymous Identifier

John Bradley jbradley at mac.com
Sun May 17 01:29:47 UTC 2009


There is nothing that would stop an RP from performing discovery on  
some group URI to discover an OP Endpoint.

Once the RP has the endpoint they can do an identity-less request to  
the OP for the session that is currently logged in.

The OP returns what is the OpenID equivalent of a bearer token, in that  
it is about whoever presents it, as it lacks a "Subject"/claimed_id.

This would require some work to get right but is far better than  
overloading the identifier.

John Bradley


On 15-May-09, at 3:55 PM, SitG Admin wrote:

>> Keeping it identity-less also allows the assertion to come from a  
>> 3rd party.
>>
>> The group may be the only one that can say I belong to it.  They  
>> may have the OpenIDs of their members and make membership  
>> assertions on their behalf without being a full IDP.  That could be  
>> done with AX or OAuth for transferring the attributes.
>
> How about a restricted-access "group" (community, whatever an OP  
> calls it) where members must have been approved? If the school  
> doesn't want to run its own IDP, it can host an XRD file showing the  
> URIs for Groups (Communities) on various 3rd-party sites that it  
> has investigated and found to be run by those who will be  
> responsible (cue internal policy decisions, here), so it declares  
> them (groups, not sites) authoritative.
>
> From then on, if RPs want to know that a user is a student at that  
> school, they check the school's XRD file, then say "Okay, you can  
> prove membership in this group on Facebook, that group on  
> LiveJournal, or some other group at MySpace."
>
> This kind of "delegation" brings us back to using those URIs,  
> though. Then again . . . if the user's OP *is* that same site they  
> are a member of some Group on, couldn't something be done there? (If  
> the user is employing delegation as known to the spec, it seems  
> unlikely that the Group page would be available for that user to  
> control the OpenID headers of.)
>
> -Shade
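
The exchange John describes above (discovery on a group URI, an identity-less request, and an assertion with no claimed_id) modelled end to end, as an added example that is not part of this thread or of any OpenID library. It is a simplified OpenID 2.0-style flow: the association MAC key is pre-shared, discovery is a constructed in-memory table instead of a Yadis/XRDS fetch, and the group URI, OP endpoint, association handle and `group.*` extension namespace are all hypothetical. What it shows is the bearer-token caveat: because the assertion names no subject, the RP can only bind it to the presenter by checking the signature, the discovered OP endpoint, its own `return_to` and a one-time `response_nonce`, so a replayed or edited assertion is rejected.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

OP_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"

# Constructed discovery table: a hypothetical group URI whose XRDS document
# advertises an OP endpoint. Real discovery fetches and parses XRDS over HTTPS.
XRDS_DOCS = {
    "https://groups.example.edu/students": {
        "type": OP_SERVER_TYPE,
        "uri": "https://op.example.edu/endpoint",
    },
}


def discover_op_endpoint(group_uri: str) -> Optional[str]:
    """Discovery on the group URI yields an OP endpoint; no user identifier is involved."""
    doc = XRDS_DOCS.get(group_uri)
    if doc is None or doc["type"] != OP_SERVER_TYPE:
        return None
    return doc["uri"]


def kv_form(fields: Dict[str, str], signed: str) -> bytes:
    """OpenID 2.0 key-value form over the fields named in 'signed', in that order."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed.split(",")).encode()


class GroupOP:
    """OP side: answers an identity-less request with a signed assertion that carries
    no claimed_id, only the group the current browser session belongs to."""

    def __init__(self, endpoint: str, assoc_handle: str, mac_key: bytes):
        self.endpoint, self.assoc_handle, self.mac_key = endpoint, assoc_handle, mac_key

    def identity_less_response(self, request: Dict[str, str], session_group: str) -> Dict[str, str]:
        # The request deliberately names no identity; the OP answers for the logged-in session.
        assert "openid.claimed_id" not in request and "openid.identity" not in request
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
        fields = {
            "op_endpoint": self.endpoint,
            "return_to": request["openid.return_to"],
            "response_nonce": stamp + secrets.token_urlsafe(8),
            "assoc_handle": self.assoc_handle,
            "ns.group": "http://example.edu/ns/group",  # hypothetical extension namespace
            "group.member_of": session_group,
        }
        signed = ",".join(fields)
        sig = hmac.new(self.mac_key, kv_form(fields, signed), hashlib.sha256).hexdigest()
        resp = {"openid.mode": "id_res", "openid.signed": signed, "openid.sig": sig}
        resp.update({"openid." + k: v for k, v in fields.items()})
        return resp


class GroupRP:
    """RP side: binds the subject-less assertion to this request before trusting it."""

    REQUIRED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "group.member_of"}

    def __init__(self, return_to: str, op_endpoint: str, assoc_handle: str, mac_key: bytes):
        self.return_to, self.op_endpoint = return_to, op_endpoint
        self.assoc_handle, self.mac_key = assoc_handle, mac_key
        self.seen_nonces = set()  # per-OP replay cache; would be persistent and bounded in production

    def build_request(self) -> Dict[str, str]:
        # Identity-less: no openid.claimed_id / openid.identity in the request.
        return {"openid.mode": "checkid_setup", "openid.return_to": self.return_to,
                "openid.assoc_handle": self.assoc_handle}

    def verify(self, resp: Dict[str, str]) -> Tuple[bool, str]:
        if resp.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        signed = resp.get("openid.signed", "")
        if not self.REQUIRED.issubset(signed.split(",")):
            return False, "signature does not cover required fields"
        try:
            fields = {k: resp["openid." + k] for k in signed.split(",")}
        except KeyError:
            return False, "signed field missing from response"
        expected = hmac.new(self.mac_key, kv_form(fields, signed), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, resp.get("openid.sig", "")):
            return False, "bad signature"
        if fields["op_endpoint"] != self.op_endpoint:
            return False, "assertion from a different OP than discovered"
        if fields["return_to"] != self.return_to:
            return False, "return_to mismatch"
        if fields["assoc_handle"] != self.assoc_handle:
            return False, "unknown association"
        if fields["response_nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(fields["response_nonce"])
        return True, fields["group.member_of"]


def run_flow():
    """Fresh assertion accepted; the same assertion replayed and an edited copy rejected."""
    mac_key = secrets.token_bytes(32)  # pre-shared association secret (constructed)
    endpoint = discover_op_endpoint("https://groups.example.edu/students")
    op = GroupOP(endpoint, "assoc-1", mac_key)
    rp = GroupRP("https://rp.example.org/return", endpoint, "assoc-1", mac_key)
    resp = op.identity_less_response(rp.build_request(), "students")
    first = rp.verify(resp)
    replay = rp.verify(resp)
    forged = rp.verify({**resp, "openid.group.member_of": "staff"})
    return first, replay, forged
```

The replay cache is what turns a "whoever presents it" token into something usable: without it, an assertion captured from one `return_to` round trip could be presented again, and the missing claimed_id gives the RP nothing else to tie it to a session.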
