Requiring Pseudonymous Identifier
John Bradley
jbradley at mac.com
Sun May 17 01:29:47 UTC 2009
There is nothing that would stop an RP from performing discovery on
some group URI to discover an OP Endpoint.
Once the RP has the endpoint they can do an identity-less request to
the OP for the session that is currently logged in.
The OP returns what is the OpenID equivalent of a bearer token in that
it is about whoever presents it as it lacks a "Subject"/claimed_id.
This would require some work to get right but is far better than
overloading the identifier.
John Bradley
On 15-May-09, at 3:55 PM, SitG Admin wrote:
>> Keeping it identity-less also allows the assertion to come from a
>> 3rd party.
>>
>> The group may be the only one that can say I belong to it. They
>> may have the OpenIDs of their members and make membership
>> assertions on their behalf without being a full IDP. That could be
>> done with AX or oAuth for transferring the attributes.
>
> How about a restricted-access "group" (community, whatever an OP
> calls it) where members must have been approved? If the school
> doesn't want to run its own IDP, it can host an XRD file showing the
> URIs for Groups (Communities) on various 3rd-party sites that it
> has investigated and found to be run by those who will be
> responsible (cue internal policy decisions, here), so it declares
> them (groups, not sites) authoritative.
>
> From then on, if RPs want to know that a user is a student at that
> school, they check the school's XRD file, then say "Okay, you can
> prove membership in this group on Facebook, that group on
> LiveJournal, or some other group at MySpace."
>
> This kind of "delegation" brings us back to using those URIs,
> though. Then again . . . if the user's OP *is* that same site they
> are a member of some Group on, couldn't something be done there? (If
> the user is employing delegation as known to the spec, it seems
> unlikely that the Group page would be available for that user to
> control the OpenID headers of.)
>
> -Shade
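An added RP-side sketch of the identity-less flow described above (example code, not from this thread or from any OpenID library): the RP sends a checkid_setup request with identifier_select to the OP endpoint it discovered from the group URI, and then treats the positive assertion, which may carry no claimed_id, as a bearer-style statement that is bound to the session only by return_to, the single-use response_nonce and the discovered endpoint. GROUP_OP_ENDPOINT, RETURN_TO and the function names are assumptions; signature verification is left to the caller.

```python
import calendar
import time
from urllib.parse import urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
GROUP_OP_ENDPOINT = "https://group.example/openid"  # constructed: what discovery on the group URI returned
RETURN_TO = "https://rp.example/openid/return"      # constructed RP return URL
NONCE_SKEW = 300  # seconds of clock skew tolerated on response_nonce

def make_group_membership_request(op_endpoint, return_to):
    """Identity-less checkid_setup: both identifier fields carry identifier_select."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": return_to,
    }
    return op_endpoint + "?" + urlencode(params)

def nonce_timestamp(nonce):
    """Epoch seconds from a response_nonce ("YYYY-MM-DDTHH:MM:SSZ" + unique suffix)."""
    return calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))

def accept_group_assertion(resp, expected_endpoint, expected_return_to, seen_nonces, now):
    """Return (accepted, claimed_id) for a positive assertion that may lack a subject.
    Without a claimed_id the assertion is about whoever presents it, so the RP binds it
    to this session via return_to, a single-use nonce and the discovered endpoint."""
    if resp.get("openid.ns") != OPENID_NS or resp.get("openid.mode") != "id_res":
        return False, None
    signed = set(resp.get("openid.signed", "").split(","))  # fields the signature covers
    if not {"op_endpoint", "return_to", "response_nonce", "assoc_handle"} <= signed:
        return False, None
    if resp.get("openid.op_endpoint") != expected_endpoint or resp.get("openid.return_to") != expected_return_to:
        return False, None
    nonce = resp.get("openid.response_nonce", "")
    try:
        issued = nonce_timestamp(nonce)
    except ValueError:
        return False, None
    if abs(now - issued) > NONCE_SKEW or nonce in seen_nonces:
        return False, None  # stale or replayed bearer-style assertion
    seen_nonces.add(nonce)
    claimed_id = resp.get("openid.claimed_id")
    if claimed_id is not None and "claimed_id" not in signed:
        return False, None  # a subject, when asserted, must be signed too
    return True, claimed_id
```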