[OpenID] Negotiating a backup OP from the current OP

Dick Hardt dick at sxip.com
Sat Jun 28 00:16:05 UTC 2008


On 27-Jun-08, at 4:59 PM, SitG Admin wrote:

>> To do that, we need to evolve the protocol so that RPs don't feel  
>> they need to distinguish between OPs.
>
> Quick thought - I agree that doing this in OpenID is a good thing,  
> since it lifts some of the burden from RPs, but more delineation in  
> security for just about *any* website these days is a good thing -  
> most of them have a great deal of room for improvement :(
>
> I just started to expand this quick thought and then realized it's  
> way too much for the time I have now. Let me say, then, that RPs  
> could restrict access to some operations by OP, saying "You can use  
> any old OP for your daily stuff, but when you want to change account  
> info you must use Verisign's secure authentication."

I would agree except I would use a generic strong authentication  
instead of a vendor specific mechanism.

Similar to mechanisms today. Amazon lets you do some things on your  
account if you have a cookie from a previous session, but requires you  
to authenticate when you want to make a purchase.

(I also don't have enough time to go deeper -- but also like to have  
small, snack size posts that are easy to digest!)

-- Dick
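The operation-gated authentication discussed above (any OP for daily use, strong authentication for account changes, a fresh login before a purchase) as an RP-side policy check. This is an added example, not code from the thread or from any OpenID library; the operation names, assurance levels and freshness limits are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    NONE = 0     # only a long-lived cookie, no authentication event on record
    ANY_OP = 1   # a positive OpenID assertion from any OP, any method
    STRONG = 2   # an assertion the RP classifies as strong authentication


# Constructed RP policy: each operation needs a minimum assurance and,
# where a limit is given, an authentication event no older than max_age.
OPERATION_POLICY = {
    "view_recommendations": (Assurance.NONE, None),
    "post_review": (Assurance.ANY_OP, timedelta(days=30)),
    "purchase": (Assurance.ANY_OP, timedelta(minutes=30)),
    "change_account_info": (Assurance.STRONG, timedelta(minutes=10)),
}


@dataclass
class Session:
    assurance: Assurance
    authenticated_at: Optional[datetime]  # when the current assurance was obtained


def required_step_up(session: Session, operation: str, now: datetime) -> Optional[Assurance]:
    """Return None if the session may perform the operation, otherwise the
    assurance level the RP must obtain (by sending the user back to an OP)."""
    needed, max_age = OPERATION_POLICY[operation]
    if needed == Assurance.NONE:
        return None
    if session.assurance < needed:
        return needed
    stale = (
        max_age is not None
        and (session.authenticated_at is None or now - session.authenticated_at > max_age)
    )
    return needed if stale else None


if __name__ == "__main__":
    now = datetime(2008, 6, 28, 0, 16, tzinfo=timezone.utc)
    s = Session(Assurance.ANY_OP, now - timedelta(hours=2))
    for op in OPERATION_POLICY:
        print(f"{op:22s} -> step up to {required_step_up(s, op, now)}")
```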
