[OpenID] Using OpenID to store encrypted data
SitG Admin
sysadmin at shadowsinthegarden.com
Thu Dec 4 22:00:15 UTC 2008
>>Also, access logs *may* reveal OpenID request strings (since they
>>pass some OpenID arguments as part of the URL), which would reveal
>>URIs to anyone breaking in.
>
>Of course, this cannot work. The thing that led me to ideas was
>Google's Federated Login: the response from Google includes (1) the
>user's email, and (2) the OpenID URL, which is unrelated to the
>email and unique for a given realm. OK, I don't know if the realm
>can be faked (?), but if not, this would allow me to store the
>user's email as their unique identifier, and use the OpenID URL as a
>key, as only my host can obtain that, and only after a successful
>user login.
Are you thinking of Directed Identity, perhaps? Something like, the
user enters "me.yahoo.com" and Yahoo delivers back "yahoo.com/user"?
Unique to your RP, of course.
>Yes, if the OP can tell if a user is logged into my system, I can't
>see why he shouldn't also be able to dictate keys used in my app? Or
>perhaps I misunderstand your point?
Are we still speaking of cryptographic keys? That would be like doing
a background check on someone you were considering for a security
clearance, then saying "Eh, the fellow I have doing this background
check has the power to tell me anything he wants and effectively
*guarantee* that I issue the clearance, so I may as well issue the
same clearance to him as I was *thinking* about giving to this other
fellow." - there's a big difference between trusting someone to tell
you who another person is, and trusting that same someone with the
information you encrypted for that other person!
-Shade
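The distinction Shade draws above, worked through as an added example (not code from the thread or from any OpenID library): if the OpenID URL the OP hands back is itself the key material, the OP can reproduce the key; if the RP derives each user's key from an RP-held secret plus that identifier, the OP can still say *who* logged in but cannot compute the key. The identifier and secret below are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample values, not taken from the thread.
CLAIMED_ID = "https://me.yahoo.com/a/ABC123"  # identifier the OP asserts for the user
RP_SECRET = bytes.fromhex("11" * 32)          # RP-only secret; generate with os.urandom(32) in practice


def key_from_identifier(claimed_id: str) -> bytes:
    """Scheme discussed in the thread: the OpenID URL is the key material.
    Every party that knows or dictates the URL (the OP included) gets the key."""
    return hashlib.sha256(claimed_id.encode("utf-8")).digest()


def key_from_rp_secret(rp_secret: bytes, claimed_id: str) -> bytes:
    """Per-user key bound to a secret only the RP holds (HMAC-based derivation).
    The identifier selects which key to use; it is not the key itself."""
    return hmac.new(rp_secret, b"user-data-key|" + claimed_id.encode("utf-8"),
                    hashlib.sha256).digest()


def op_recovers_key(rp_key: bytes, claimed_id: str, derive) -> bool:
    """Model the OP's position: it knows the identifier it issued, but not RP_SECRET.
    Returns True if the OP reproduces the RP's data key from the identifier alone."""
    op_side_guess = derive(claimed_id)
    return hmac.compare_digest(op_side_guess, rp_key)


def demo() -> dict:
    naive_key = key_from_identifier(CLAIMED_ID)
    bound_key = key_from_rp_secret(RP_SECRET, CLAIMED_ID)
    return {
        # OP can compute the key: it holds everything that went into it.
        "naive_scheme_exposed_to_op": op_recovers_key(naive_key, CLAIMED_ID, key_from_identifier),
        # OP's best offline attempt without RP_SECRET is to hash the identifier; it fails.
        "bound_scheme_exposed_to_op": op_recovers_key(bound_key, CLAIMED_ID, key_from_identifier),
        # What remains in both schemes: the OP still decides which user the RP sees,
        # i.e. the identity assertion is trusted, but the key is not in its hands.
        "op_can_still_select_user": key_from_rp_secret(RP_SECRET, CLAIMED_ID) == bound_key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```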