[OpenID] OpenID Information Card
Prabath Siriwardena
siriwardena.prabath at gmail.com
Tue Dec 18 19:04:11 UTC 2007
Hi Johnny,
Thanks a lot for the reply. Please find my comments inline.
On Dec 19, 2007 12:01 AM, Johnny Bufu <johnny at sxip.com> wrote:
> Hi Prabath,
>
> On 18-Dec-07, at 4:03 AM, Prabath Siriwardena wrote:
> > In a normal, OpenID case, once the user enters his OpenID at the
> > relying party - he will be redirected to the OpenID Provider for
> > authentication - and also there will be an association between the
> > OpenID RP and the OpenID Provider. So, in the case of OpenID
> > Information Card , there will be no direct communication between the
> > OpenID RP and the OpenID Provider. Is this a correct understanding?
>
> Only half of it:
> - the RP is not able to make an association with the OP, because
> it doesn't know the user's identifier until the final step
> - the RP *has to* make a direct call to verify the signature of the
> assertion directly with the OP.
>
Clear. So this is the only time the RP makes a direct call to the OP - and
that is only for the verification - but even by then [before the
direct call] we have the requested attributes with the corresponding
values at the RP, which are extracted from the OpenIDToken that came
with the Infocard - please clarify this understanding.
> > My second question is - with this approach are we losing the Single
> > Sign-on feature found with normal OpenID case?
>
> Not sure what exactly you are referring to here - can you provide an
> example?
>
In a normal OpenID case, once the user has entered the OpenID, he will be
redirected to the OP for authentication and the user will be given the
opportunity to set 'Allow forever' for the requested attributes for the
corresponding RP and set the remember password for the OP authentication.
So, once the user visits the same RP again and enters his OpenID at the RP
site, he won't be [physically] redirected to the OP for authentication
and will be able to directly access the protected web page.
But, in the case of OpenID Information Card - there is no redirection
to the OP's site - and whether to allow the RP some attributes or not
is decided by the user at the Infocard level. So, whenever the user visits
this RP he has to follow the same procedure again and again and
always has to enter the password.
> > Third - we won't be able to use Personal Infocards for this approach?
>
> Assuming you mean "self-issued cards", then yes - OpenID Infocards
> are a type of managed cards.
>
Yes, I meant self-issued cards - thanks.
>
> Johnny
>
>
Thanks & regards.
- Prabath
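The direct verification call Johnny describes above, as an added example that is not part of this thread: an OpenID 2.0 style check_authentication round trip in which the RP, having no association with the OP, resends the signed assertion from the token and the OP answers is_valid. The OP class, the MAC key, the handle, nonce and endpoint values are all constructed stand-ins for the example.

```python
import base64, hashlib, hmac
OPENID_NS = "http://specs.openid.net/auth/2.0"

def kv_encode(pairs):
    """OpenID Key-Value Form: one 'key:value' per line, newline terminated."""
    return "".join(f"{k}:{v}\n" for k, v in pairs)

def sign_assertion(params, mac_key):
    """HMAC-SHA1 over the Key-Value form of the openid.signed fields; the mode is not
    among them, so the RP can switch it to check_authentication without breaking the sig."""
    kv = kv_encode([(f, params["openid." + f]) for f in params["openid.signed"].split(",")])
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha1).digest()).decode()

class StatelessOP:
    """Constructed stand-in for the OP's direct endpoint: with no RP association,
    the OP keeps the MAC key behind every handle it issued and answers is_valid."""
    def __init__(self):
        self.handles, self.verified_nonces = {}, set()

    def check_authentication(self, req):
        key = self.handles.get(req.get("openid.assoc_handle"))
        nonce = req.get("openid.response_nonce")
        ok = (req.get("openid.mode") == "check_authentication" and key is not None
              and nonce not in self.verified_nonces
              and hmac.compare_digest(sign_assertion(req, key), req.get("openid.sig", "")))
        if ok:
            self.verified_nonces.add(nonce)  # an assertion may be verified only once
        return kv_encode([("ns", OPENID_NS), ("is_valid", "true" if ok else "false")])

def rp_verify(op, assertion):
    """RP side: resend the assertion verbatim with mode=check_authentication, read is_valid."""
    request = dict(assertion, **{"openid.mode": "check_authentication"})
    reply = dict(line.split(":", 1) for line in op.check_authentication(request).splitlines())
    return reply["is_valid"] == "true"

def demo():
    op, mac_key = StatelessOP(), b"constructed-mac-key-for-example"
    op.handles["{HMAC-SHA1}{example-handle}"] = mac_key
    assertion = {  # constructed positive assertion, as carried in the OpenID token
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/openid",
        "openid.claimed_id": "https://alice.op.example/",
        "openid.return_to": "https://rp.example/openid/return",
        "openid.response_nonce": "2007-12-18T19:04:11ZUNIQUE",
        "openid.assoc_handle": "{HMAC-SHA1}{example-handle}",
        "openid.signed": "op_endpoint,claimed_id,return_to,response_nonce,assoc_handle",
    }
    assertion["openid.sig"] = sign_assertion(assertion, mac_key)
    altered = dict(assertion, **{"openid.claimed_id": "https://bob.op.example/"})
    # altered claimed_id fails, the genuine assertion passes once, its replay is refused
    return rp_verify(op, altered), rp_verify(op, assertion), rp_verify(op, assertion)
```

The attributes the RP already holds from the token are only trustworthy after this call returns is_valid:true, and the OP's nonce bookkeeping is what stops the same token from being verified twice.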