[OpenID] Question regarding the OpenID Information Cards 1.0
Pedro Felix
pedrofelix at cc.isel.ipl.pt
Mon Sep 3 14:45:30 UTC 2007
Hello.
I've a rather basic question regarding the OpenID Information Cards 1.0
specification, namely the underlying trust model.
If I understand this specification correctly, the message flow is the
following:
1) The User accesses an RP page requiring authentication and containing an
infocard OBJECT or XHTML element. This element requires a token with an
OpenID-specific type and inner claims.
2) The User-agent delegates this request to the User's Identity Selector
(IS). The IS shows the User the list of cards compatible with the
requesting element. Then it uses the metadata contained in the selected card
to perform a WS-Trust request: it sends an RST message and receives an RSTR
response containing an OpenIDToken. This token contains a set of name/value
pairs, corresponding to the content of the id_res response message.
3) The User-agent sends this token to the RP.
4) The RP uses the content of the token as an id_res response and executes
the remainder of the OpenID 2.0 protocol, namely by sending a
check_authentication directly to the OP.
My question is: how does the RP know that the OP has "authentication
authority" over the asserted User URL? In the original protocol, the OP was
pointed to by an element contained in the HTML document referenced by the
identity URL, that is, the owner of the URL delegated the authentication to
the OP by defining the address of the OP. However, in the "OpenID
Information Cards" this protocol step is absent.
What forbids me from creating an OP that asserts any identity URL that I want?
Thanks.
Pedro Felix
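An added example, not part of the original post, of the RP-side check the question is about: before trusting the name/value pairs carried in the OpenIDToken, the RP runs OpenID 2.0 HTML-based discovery on openid.claimed_id and accepts the assertion only if openid.op_endpoint is the OP the URL's owner delegated to via <link rel="openid2.provider">. The identity URL, the discovery document, the OP endpoints and the two assertions are constructed sample data, and the HTTP fetch is simulated by a dictionary lookup so the code runs offline.

```python
from html.parser import HTMLParser

# Constructed sample: the HTML document served at the claimed identity URL.
# Its owner delegates authentication to exactly one OP endpoint.
CLAIMED_ID = "https://alice.example.org/"
CLAIMED_ID_HTML = """<html><head>
<link rel="openid2.provider" href="https://op.example.com/endpoint">
<link rel="openid2.local_id" href="https://alice.example.org/">
</head><body>Alice</body></html>"""

# Constructed stand-in for an HTTP GET of the claimed identifier.
DISCOVERY_DOCS = {CLAIMED_ID: CLAIMED_ID_HTML}


class _OpenIDLinkParser(HTMLParser):
    """Collects href values of <link rel="openid2.provider"> elements."""

    def __init__(self):
        super().__init__()
        self.providers = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        # rel may carry several tokens, e.g. "openid2.provider openid2.local_id"
        rels = (a.get("rel") or "").lower().split()
        if "openid2.provider" in rels and a.get("href"):
            self.providers.append(a["href"])


def discover_op_endpoint(html):
    """Return the OP endpoint named in the identity URL's document, or None."""
    parser = _OpenIDLinkParser()
    parser.feed(html)
    return parser.providers[0] if parser.providers else None


def verify_op_authority(assertion, fetch=DISCOVERY_DOCS.get):
    """Accept the id_res name/value pairs from the OpenIDToken only if the OP
    that produced them (openid.op_endpoint) is the one the claimed identifier
    delegates to. Signature verification (check_authentication) still follows."""
    if assertion.get("openid.mode") != "id_res":
        return False
    claimed_id = assertion.get("openid.claimed_id")
    html = fetch(claimed_id) if claimed_id else None
    if html is None:
        return False  # no discovery document: nobody vouches for this OP
    discovered = discover_op_endpoint(html)
    return discovered is not None and discovered == assertion.get("openid.op_endpoint")
```

An OP that is not named in the claimed URL's discovery document fails this check even though its token is otherwise well formed and it would happily answer check_authentication for it.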