[OpenID] OpenID Information Card
Johnny Bufu
johnny at sxip.com
Tue Dec 18 22:58:59 UTC 2007
On 18-Dec-07, at 11:04 AM, Prabath Siriwardena wrote:
>> - the RP is not able to make an association with the OP, because
>> it doesn't know the user's identifier until the final step
>> - the RP *has to* make a direct call to verify the signature of the
>> assertion directly with the OP.
>>
> Clear. So this is the only time the RP makes a direct call to the OP - and
> that is only for the verification - but even by then [before the
> direct call] we have the requested attributes with the corresponding
> values at the RP,
> which are extracted from the OpenIDToken that came with the Infocard - please
> clarify this understanding.
Yes, this is correct.
[...]
> But, in the case of OpenID Information card - there is no redirection
> to the OP's site - and whether to allow the RP access to some attributes or not
> is decided by the user at the Infocard level. So, whenever the user visits
> this RP he has to follow the same procedure again and again and
> always has to enter the password.
Not sure how much of this behavior is part of the identity selector
spec, and how much can be an implementation choice.
I expect, for example, that remembering which sets of attributes the
user released to each RP (and not prompting again) does not violate
the spec, and can be a feature of an identity selector implementation.
The call to the STS/OP is mandatory. A selector implementation could
remember both the username and the password and submit the required
credentials automatically, without prompting the user.
Or, if a self-issued card was used to authenticate to the STS/OP, the
selector could remember and automate the submission of the
credentials in this case as well.
Johnny
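The thread's point that an RP without an association must verify the assertion's signature by a direct call to the OP is shown below as an added example, not code from the list or from any OpenID implementation. It assumes the direct call is the OpenID 2.0 check_authentication request (stateless mode), simulates the OP in-process, and uses constructed example.com/example.org values and a constructed secret.

```python
import base64, hashlib, hmac

OPENID_NS = "http://specs.openid.net/auth/2.0"

def kv_form(params, fields):
    """OpenID 2.0 key-value form of the signed fields, in openid.signed order."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)

def op_sign(params, secret):
    """HMAC-SHA256 over the KV form, base64-encoded (OpenID 2.0 section 6)."""
    fields = params["openid.signed"].split(",")
    mac = hmac.new(secret, kv_form(params, fields).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def rp_build_check_authentication(assertion):
    """RP side: exact copy of the assertion with only openid.mode changed."""
    request = dict(assertion)
    request["openid.mode"] = "check_authentication"
    return request

def op_check_authentication(request, secret, seen_nonces):
    """OP side: recompute the signature; never answer true for the same nonce twice."""
    nonce = request.get("openid.response_nonce", "")
    if request.get("openid.mode") != "check_authentication" or not nonce or nonce in seen_nonces:
        return {"ns": OPENID_NS, "is_valid": "false"}
    seen_nonces.add(nonce)
    ok = hmac.compare_digest(op_sign(request, secret), request.get("openid.sig", ""))
    return {"ns": OPENID_NS, "is_valid": "true" if ok else "false"}

def rp_verify_with_op(assertion, secret, seen_nonces):
    """The RP's direct call, simulated in-process; True only on is_valid:true."""
    reply = op_check_authentication(rp_build_check_authentication(assertion), secret, seen_nonces)
    return reply["is_valid"] == "true"

# Constructed sample: a positive assertion as the RP extracts it from the token.
OP_SECRET = b"constructed-op-secret-for-this-handle"
ASSERTION = {
    "openid.ns": OPENID_NS,
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example.com/openid",
    "openid.claimed_id": "https://alice.example.com/",
    "openid.identity": "https://alice.example.com/",
    "openid.return_to": "https://rp.example.org/return",
    "openid.response_nonce": "2007-12-18T22:58:59Zabcdef",
    "openid.assoc_handle": "constructed-handle-1",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}
ASSERTION["openid.sig"] = op_sign(ASSERTION, OP_SECRET)
```

The RP has the attributes before the call, as the thread says, but should act on them only after `rp_verify_with_op` returns True; the OP's nonce set is what stops a replayed assertion from validating a second time.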