[OpenID] OpenID Information Card

Prabath Siriwardena siriwardena.prabath at gmail.com
Wed Dec 19 01:51:55 UTC 2007


On Dec 19, 2007 4:28 AM, Johnny Bufu <johnny at sxip.com> wrote:
>
> On 18-Dec-07, at 11:04 AM, Prabath Siriwardena wrote:
> >> - the RP is not able to make an association with the OP, because
> >> it doesn't know the user's identifier until the final step
> >> - the RP *has to* make a direct call to verify the signature of the
> >> assertion directly with the OP.
> >>
> > Clear. So this is the only time the RP makes a direct call to the OP - and
> > that is only for the verification - but even by then [before the
> > direct call] we have the requested attributes with the corresponding
> > values at the RP,
> > which are extracted from the OpenIDToken that came with the Infocard - please
> > clarify this understanding.
>
> Yes, this is correct.
>
> [...]
> > But, in the case of OpenID Information card - there is no redirection
> > to the OP's site - and whether to allow RP to some attributes or not,
> > is decided by the user at the Infocard level. So, whenever user visits
> > this RP he has to follow the same procedure again and again and
> > always has to enter the password.
>
> Not sure how much of this behavior is part of the identity selector
> spec, and how much can be an implementation choice.
>
> I expect, for example, that remembering which sets of attributes the
> user released to each RP (and not prompting again) does not violate
> the spec, and can be a feature of an identity selector implementation.
>
> The call to the STS/OP is mandatory. A selector implementation could
> remember both the username and the password and submit the required
> credentials automatically, without prompting the user.
>
> Or, if a self-issued card was used to authenticate to the STS/OP, the
> selector could remember and automate the submission of the
> credentials in this case as well.
>

But, in the case of OpenID Information Cards, we won't be able to use
a self-issued card.

>
> Johnny
>
>

Thanks a lot for the reply.

- Prabath
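
The direct verification step discussed in this thread, as an added example that is not part of the original messages: an RP that holds the attributes before the direct call, but releases them only after the OP answers an OpenID 2.0 check_authentication request with is_valid:true. The endpoint URL, the "ax" extension alias, the sample assertion and the fake_op transport are constructed assumptions so the block runs offline.

```python
from urllib.parse import urlencode

def build_check_auth_body(assertion):
    """Copy every openid.* field of the assertion, changing only openid.mode."""
    fields = {k: v for k, v in assertion.items() if k.startswith("openid.")}
    fields["openid.mode"] = "check_authentication"
    return urlencode(fields)

def parse_key_value(body):
    """Parse the OP's direct response: one 'key:value' pair per line."""
    out = {}
    for line in body.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)  # values such as URLs contain ':'
            out[key] = value
    return out

def verified_attributes(assertion, post_to_op):
    """Return signed attribute values only if the OP confirms the signature."""
    if assertion.get("openid.mode") != "id_res":
        return None
    body = build_check_auth_body(assertion)
    reply = parse_key_value(post_to_op(assertion["openid.op_endpoint"], body))
    if reply.get("is_valid") != "true":  # exact match; anything else is a rejection
        return None
    # openid.signed lists field names without the "openid." prefix.
    signed = set(assertion.get("openid.signed", "").split(","))
    return {k: v for k, v in assertion.items()
            if k.startswith("openid.ax.value.") and k[len("openid."):] in signed}

# Constructed sample assertion, as extracted from the token (not real data).
SAMPLE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server",
    "openid.assoc_handle": "constructed-handle",
    "openid.signed": "op_endpoint,assoc_handle,ax.value.email",
    "openid.sig": "Y29uc3RydWN0ZWQ=",
    "openid.ax.value.email": "user@example.org",
    "openid.ax.value.nickname": "not-covered-by-signature",
}

def fake_op(valid):
    """Hypothetical stand-in for the HTTP POST to the OP endpoint."""
    answer = "true" if valid else "false"
    return lambda url, body: "ns:http://specs.openid.net/auth/2.0\nis_valid:%s\n" % answer

if __name__ == "__main__":
    print(verified_attributes(SAMPLE, fake_op(True)))
    print(verified_attributes(SAMPLE, fake_op(False)))
```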


