[OpenID] Negotiating a backup OP from the current OP

Andrew Arnott andrewarnott at gmail.com
Sat Jun 28 01:47:49 UTC 2008


Is there a way for RPs to verify an OP's claim made via PAPE?  I mean, I can
write an OP that uses PAPE to *say* I'm Verisign authorized.  But how can an
RP verify that claim?

--
Andrew Arnott

On Fri, Jun 27, 2008 at 5:43 PM, Anders Feder <lists.anders at feder.dk> wrote:

> I think what you are suggesting can almost be done with PAPE already. It
> would just be a matter of producing the necessary policies (and get them
> recognized).
>
> For instance, VeriSign could produce a policy called "OP certified by
> VeriSign" and upon seeing this request from the RP, your 'default OP'
> would be able to redirect sign-in to an OP it knows supports the "OP
> certified by VeriSign" policy.
>
> Fri, 27 06 2008 at 16:00 -0700, SitG Admin wrote:
> > I was reading this:
> > http://self-issued.info/?p=75
> > (Posted to the board at openid.net list by Mike Jones.)
> >
> > I was disturbed to see, in the first paragraph, that OpenID would be
> > accepted from "two" Providers; this is exactly the kind of lock-in
> > that will effectively *lock-OUT* the small, independent Providers.
> >
> > Listing multiple OP's on the claimed Identity page may be one way to
> > get around that; just let the RP discard options until it runs out of
> > OP's or finds one it likes. But why should each user have to handle
> > their own complexities this way?
> >
> > Couldn't an OP offer that sort of thing as a feature? Couldn't a RP
> > trust an OP designated by the user to at least report which *other*
> > OP's the user had approved for use if the RP didn't trust that OP to
> > authenticate the user?
> >
> > I don't know what the flow would look like here, but I'm thinking
> > vaguely of something like the RP sending the user to the listed OP
> > with some arguments like "openid.untrusted", and possibly an
> > additional value for the preferred OP, or maybe the OP would respond
> > with an affirmative if it wanted to open negotiations with the RP
> > about what OP would be trusted. At some point the user would then be
> > sent to their OP, get prompted (or at least notified) about accepting
> > the other OP (or given a list of their options, whatever the RP would
> > accept), and proceed on to the new OP using the arguments that the RP
> > sent to their OP.
> >
> > -Shade
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general
> >
>
> --
> Anders Feder <lists.anders at feder.dk>
>
>
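The check Andrew asks about, as an added example that is not part of the thread and not any participant's code: an RP receiving an OpenID 2.0 positive assertion with PAPE fields can verify the association signature, confirm that openid.op_endpoint and the PAPE fields are inside the signed list, and confirm that op_endpoint matches what discovery on the claimed identifier returned. What it cannot do is verify the policy claim itself; openid.pape.auth_policies is only the OP's own word, so the claim means something only if the RP already holds an out-of-band list of which OPs it trusts to assert which policy. The policy URI standing in for Anders' "OP certified by VeriSign", the OP endpoints, the MAC key and the assertion below are all constructed for this example; PAPE defines no such policy.

```python
import base64
import hashlib
import hmac

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"

# Hypothetical URI for the "OP certified by VeriSign" policy sketched in the
# thread. PAPE defines no such policy; the name is an assumption of this example.
OP_CERTIFIED_BY_VERISIGN = "http://policies.example.com/pape/op-certified-by-verisign"

# The RP's out-of-band trust anchor: which OP endpoints may assert which policy.
# Constructed for the example; in practice a certifier would publish this list.
TRUSTED_OPS_FOR_POLICY = {
    OP_CERTIFIED_BY_VERISIGN: {"https://op.example.net/server"},
}

# Association MAC key shared by RP and OP (normally negotiated via an
# association request). Constructed for the example.
MAC_KEY = b"\x01" * 32


def kv_form(fields, signed):
    """OpenID 2.0 Key-Value form over the signed fields, in openid.signed order."""
    return "".join(f"{k}:{fields.get('openid.' + k, '')}\n" for k in signed).encode()


def sign(fields, mac_key):
    """Base64 HMAC-SHA256 over the Key-Value form of the fields in openid.signed."""
    signed = fields["openid.signed"].split(",")
    digest = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def op_positive_assertion(op_endpoint, policies, mac_key):
    """A constructed id_res response from an OP asserting the given PAPE policies."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": "https://alice.example.org/",
        "openid.identity": "https://alice.example.org/",
        "openid.return_to": "https://rp.example.com/return",
        "openid.response_nonce": "2008-06-28T01:47:49Zabcdef",
        "openid.assoc_handle": "assoc-1",
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": " ".join(policies),
        "openid.signed": ("op_endpoint,claimed_id,identity,return_to,"
                          "response_nonce,assoc_handle,ns.pape,pape.auth_policies"),
    }
    fields["openid.sig"] = sign(fields, mac_key)
    return fields


def rp_accepts_policy(fields, mac_key, discovered_op_endpoint, policy):
    """RP-side evaluation of a PAPE policy claim. Returns (accepted, reason)."""
    if "openid.signed" not in fields or "openid.sig" not in fields:
        return False, "unsigned response"
    signed = fields["openid.signed"].split(",")
    # 1. The association signature must verify; otherwise nothing here is the OP's.
    if not hmac.compare_digest(sign(fields, mac_key), fields["openid.sig"]):
        return False, "bad signature"
    # 2. op_endpoint and the PAPE fields must be covered by the signature, or any
    #    party in the redirect path could add a policy claim of its own.
    for k in ("op_endpoint", "ns.pape", "pape.auth_policies"):
        if k not in signed:
            return False, f"{k} not covered by signature"
    if fields.get("openid.ns.pape") != PAPE_NS:
        return False, "PAPE namespace missing"
    # 3. The OP naming itself must be the one discovery on the claimed_id yielded.
    op = fields["openid.op_endpoint"]
    if op != discovered_op_endpoint:
        return False, "op_endpoint does not match discovery"
    # 4. The policy must actually be asserted ...
    if policy not in fields["openid.pape.auth_policies"].split():
        return False, "policy not asserted"
    # 5. ... and since it is only the OP's word, it counts only if the RP trusts
    #    this OP, out of band, to assert this particular policy.
    if op not in TRUSTED_OPS_FOR_POLICY.get(policy, set()):
        return False, "OP not trusted to assert this policy"
    return True, "accepted"


def demo():
    trusted = "https://op.example.net/server"
    rogue = "https://rogue-op.example.org/server"  # constructed: claims the same policy
    a = op_positive_assertion(trusted, [OP_CERTIFIED_BY_VERISIGN], MAC_KEY)
    b = op_positive_assertion(rogue, [OP_CERTIFIED_BY_VERISIGN], MAC_KEY)
    c = op_positive_assertion(trusted, [], MAC_KEY)
    c["openid.pape.auth_policies"] = OP_CERTIFIED_BY_VERISIGN  # added after signing
    return {
        "trusted": rp_accepts_policy(a, MAC_KEY, trusted, OP_CERTIFIED_BY_VERISIGN),
        "rogue": rp_accepts_policy(b, MAC_KEY, rogue, OP_CERTIFIED_BY_VERISIGN),
        "tampered": rp_accepts_policy(c, MAC_KEY, trusted, OP_CERTIFIED_BY_VERISIGN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The rogue OP's assertion is perfectly well formed and correctly signed; it fails only at the last step, which is the point of the question: PAPE gives the RP a signed statement of what the OP claims, and something outside the protocol (a published list of certified OP endpoints, matched against discovery) is what turns that claim into something the RP can rely on.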