[OpenID] Trust + Security @ OpenID
Peter Williams
pwilliams at rapattoni.com
Tue Jul 10 21:10:25 UTC 2007
> With Attribute Exchange [1], RPs can request (and enforce if they
> choose to) whatever proof attributes they need, originating from third
> parties they choose to trust.
I've never seen that particular proof semantics attached to the attribute exchange before.
In more specs using more formal-language (i.e. SAML) an attribute is either declared to be an authenticationStatement (perhaps, a "proof grade" statement), or declared to be other than... an authenticationStatement.
I had also not picked up from the spec that non Authentication-grade attributes could be obtained from arbitrary third parties, operating OpenID Exchange Listeners and Agents.
In OpenID2, there was the implication that the OP was the supplier of such attributes, using the OpenID Exchange protocol; and, there was a means to subclass such OPs, for the different types of attribute sets to be supplied.
Now, the big question is... does the architecture of OpenID2 envision that "Attribute Authorities" offering OpenID Exchange endpoints can complete the associated Exchange protocol in the absence of the user having completed OpenID Authentication with that very same AA (when, obviously, using its co-resident OP endpoints)?