[OpenID] Negotiating a backup OP from the current OP

SitG Admin sysadmin at shadowsinthegarden.com
Mon Jun 30 07:35:24 UTC 2008


>This thread assumes a backup OP must be recommended from the current OP. But

Must be? Not correct! I specifically acknowledged that the user COULD 
simply list multiple OP's at their site, the challenge is why every 
user has to be responsible for this? (Consider the low technical 
knowledge of most users.)

Also consider the open nature of an XRDS document versus an OP's 
ability to dole out information one piece at a time; this may enhance 
privacy. If the RP says "we need an OP with these security features", 
why would the RP need to know what secondary OP's the user supports 
that are *not* secure enough to be used? Also, if the OP finds 4 
different secondary OP's on its list that meet the requirements, why 
should the *RP* be free to look among those and dictate to the user 
its own favorite, when the *user* could select their own preference?

>OpenID users and RPs already have a mechanism for "negotiating" selection of

But the OpenID users do not have the ability to authorize another 
party (one better at bartering) to make deals in its place. It is a 
very one-sided "negotiation".

The situation you describe seems like it would very naturally give 
rise to unofficial "partnerships" where only the most (commercially) 
powerful OP's would consistently be in use; if the RP can select any 
one out of a group of "meeting the minimum requirements" OP's, it 
would logically prefer the *most* secure, yes? Or, in the case of a 
tie, whichever it was allied with. But if the RP really wants that 
user, shouldn't there be pressure upon the *RP* to accept the *user*? 
If the RP says "We need to do it this way." and the OP says "I have 
this independent OP which meets your needs.", can the RP afford to 
change its mind? Revealing that it had a hidden requirement (or was 
blacklisting a particular OP), without even knowing if the user 
had another OP to authenticate with?

-Shade


