[OpenID] Multiple Domains and State
Nate Klingenstein
ndk at internet2.edu
Thu Apr 24 14:34:25 UTC 2008
Trey,
> I apologize but the language of the spec (9.2) from a standpoint of
> speculation is hard to follow. I can't quite grasp how realms would
> facilitate the task at hand. Also I would assume auth.com is a
> trusted resource of some kind which is given permission to act as a
> proxy from which OpenID authentication occurs.
Using realms as in 9.2, you could ask openid.com to issue an
assertion that was valid at both auth.com and end-domain.com by using
appropriate wildcarding. Then, auth.com could just forward the
assertion along unmodified and end-domain.com could accept it. The
trouble is, issuing a *.com assertion is extremely bad practice, so
you need either a lot of commonality in domain names, a real trust
fabric, or, preferably, both.
Appreciate your patience through my long-winded explanations,
Nate.
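
The realm matching discussed in the message above, as an added example that is not part of the original post: a sketch of the section 9.2 match between a realm and a return_to URL, plus an OP-side check that refuses wildcard realms covering a whole public suffix. The function names are hypothetical, `PUBLIC_SUFFIXES` is a small constructed sample (a real OP would consult the full Public Suffix List), and the `example-corp.test` hosts are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed, incomplete sample; an assumption standing in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def _parts(url):
    """Split a URL into (scheme, host, port, path, fragment) with defaults filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    return scheme, (u.hostname or ""), port, (u.path or "/"), u.fragment

def realm_is_overly_general(realm):
    """True for realms such as http://*.com/ whose wildcard spans a public suffix."""
    host = _parts(realm)[1]
    return host.startswith("*.") and host[2:] in PUBLIC_SUFFIXES

def url_matches_realm(realm, url):
    """Section 9.2 match: same scheme and port, domain match, path equal or below."""
    r_scheme, r_host, r_port, r_path, r_frag = _parts(realm)
    u_scheme, u_host, u_port, u_path, _ = _parts(url)
    if r_frag or r_scheme not in DEFAULT_PORTS:
        return False  # a realm must not carry a fragment
    if (r_scheme, r_port) != (u_scheme, u_port):
        return False
    if r_host.startswith("*."):
        suffix = r_host[2:]
        # Compare on a label boundary so "evil-example.test" cannot match "*.example.test".
        if not (u_host == suffix or u_host.endswith("." + suffix)):
            return False
    elif r_host != u_host:
        return False
    if u_path == r_path:
        return True
    prefix = r_path if r_path.endswith("/") else r_path + "/"
    return u_path.startswith(prefix)

def op_accepts(realm, return_to):
    """OP-side policy: the realm must be specific and return_to must fall inside it."""
    return not realm_is_overly_general(realm) and url_matches_realm(realm, return_to)

if __name__ == "__main__":
    for realm, url in [
        ("http://*.com/", "http://auth.com/openid/return"),
        ("http://*.com/", "http://end-domain.com/login"),
        ("https://*.example-corp.test/", "https://auth.example-corp.test/return"),
        ("https://*.example-corp.test/", "https://shop.example-corp.test/login"),
    ]:
        print(realm, url, "match:", url_matches_realm(realm, url),
              "accepted:", op_accepts(realm, url))
```

With auth.com and end-domain.com the only realm that matches both is `http://*.com/`, which the policy check rejects; the two hosts sharing a registered domain pass with a realm scoped to that domain.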