[OpenID] Laws of id, openid with ssl
Peter Williams
pwilliams at rapattoni.com
Fri Jan 25 04:10:06 UTC 2008
So I just went through a user experience, using an infocard (that sometime long ago I created during a liveID pilot) on identityblog.com.
Yes, C9P-8DF9-R6S is my "site specific card ID" (reported to me by the cardspace desktop -- which apparently has a trusted path to the TCB). It's apparently not the same as the PPID, technically or mathematically - though it is apparently linked. Apparently, this is "directed identity" - for which OpenID2 has its analogue when a user selects/chooses/provides a directed-openid at an OP, once that OP has been invoked using its OP Identifier and once the RP has applied the locating policies denoted in the OP's own XRD file.
Having logged on, guess what - it sent me an email so it would verify possession of the email claim. Then, I would supposedly have rights to leave a comment. I didn't bother; life is too short and there are a billion other blogs still to read. Presumably, certain managed cards are whitelisted by manager/provider, so the RP site would trust the email claim straight away, granting associated commenting rights immediately.
Presumably in openid2, now, an application of openid2 at the RP site would be entitled to apply the exact same value-added email-confirmation controls, not granting rights to the directed-id until the associated user has applied a confirmation procedure (in the "unmanaged-OP" case).