[OpenID] uri/nickname
Dick Hardt
dick at sxip.com
Sun Jun 3 11:56:47 UTC 2007
On 31-May-07, at 7:09 AM, Peter Williams wrote:
> Presumably, the Right Way to do this is the relying party site to
> be doing an attribute query against the/an OP endpoint, to get your
> personal profile - so as to personalize the experience (now it has
> knowledge of who you are, by the URI/XRI).
>
> How "real" is attribute querying in OpenID land?
>
> ----------
>
> I'm wondering if the payload of an OpenID attribute response could
> include a hash of some digital signature bytes, stored at the OP,
> computed over the attributes in some (local to OP) encoding. Then,
> the OP can be a trustworthy repository of records, concerning the
> accuracy of the attributes it has supplied - in compliance with
> some or other privacy policy in force between the OP and OP
> endpoint's assertion-consumer.
The attribute exchange spec has been out there for a while and
hopefully will be final when OpenID 2.0 is final.
The attributes are moved as part of the message from the OP, so they
are signed so the RP has assurance the attribute received is the
attribute the OP sent.
-- Dick
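
An added example, not part of the original message or of any OpenID library: a sketch of how an RP could check that attribute exchange values are covered by the OP's message signature. It assumes an HMAC-SHA256 association whose MAC key the RP already holds; the function names and the sample message are constructed for illustration, and nonce, return_to and discovery checks are left out.

```python
import base64
import hashlib
import hmac

def kv_form(msg, signed):
    # Key-Value Form: one "key:value\n" line per signed field, keys
    # written without the "openid." prefix, in openid.signed order.
    return "".join(f"{k}:{msg['openid.' + k]}\n" for k in signed).encode()

def sign(msg, mac_key):
    signed = msg["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(msg, signed), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")

def verified_attributes(msg, mac_key):
    """Return AX values covered by a valid signature, else raise ValueError."""
    signed = msg["openid.signed"].split(",")
    if any("openid." + k not in msg for k in signed):
        raise ValueError("signed field missing from message")
    if not hmac.compare_digest(sign(msg, mac_key), msg["openid.sig"]):
        raise ValueError("signature mismatch")
    attrs = {}
    for key, value in msg.items():
        if not key.startswith("openid.ax."):
            continue
        # A field left out of openid.signed is not protected by the MAC.
        if key[len("openid."):] not in signed:
            raise ValueError("unsigned AX field: " + key)
        if key.startswith("openid.ax.value."):
            attrs[key[len("openid.ax.value."):]] = value
    return attrs

def sample_response(mac_key):
    # Constructed message; every value here is invented for the example.
    msg = {
        "openid.op_endpoint": "https://op.example/server",
        "openid.claimed_id": "https://alice.example/",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2007-06-03T11:56:47Zx1",
        "openid.assoc_handle": "constructed-handle",
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.nick": "http://axschema.org/namePerson/friendly",
        "openid.ax.value.nick": "alice",
    }
    msg["openid.signed"] = ",".join(k[len("openid."):] for k in msg)
    msg["openid.sig"] = sign(msg, mac_key)
    return msg
```

The check on `openid.signed` matters as much as the MAC itself: an attribute that is present in the response but absent from the signed list passes signature verification unchanged.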