[OpenID] Persistence of e-mail accounts

Breno de Medeiros breno at google.com
Wed Nov 5 18:06:15 UTC 2008


This is a global setting for the OP (not user-account dependent). So
if we want to be able to communicate this, it probably should be made
through a static configuration during discovery rather than on a
per-user basis during the authorization request.


On Wed, Nov 5, 2008 at 9:55 AM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>> You can safely associate this new email address to the same account if
>> the received URL identifier is the same.
>
> If the RP doesn't, they could inadvertently grant access to one user's
> account, to another user - unintentionally acting as a "hostile" RP in that
> instance. Should there be quality assurance exchanges for RP-to-OP so the OP
> can warn its user that the RP is using a setup that could potentially be
> compromised?
>
> -Shade
>



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
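The RP-side linking rule under discussion, as an added example that is not code from this thread or from any OpenID library: an RP that keys accounts on the verified OpenID URL identifier (so a changed e-mail stays with the same account), beside the unsafe variant that matches on the e-mail attribute and so hands a recycled address to another user's account. The store, identifiers and addresses are constructed; the OP-wide persistence setting Breno places in discovery is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Account:
    account_id: int
    claimed_id: str   # the OpenID URL identifier returned in the verified assertion
    email: str        # an attribute the OP may change or reassign over time


@dataclass
class RelyingParty:
    """Toy RP user store (constructed for this example, not a real library)."""
    accounts: Dict[int, Account] = field(default_factory=dict)
    next_id: int = 1

    def _by_claimed_id(self, claimed_id: str) -> Optional[Account]:
        return next((a for a in self.accounts.values() if a.claimed_id == claimed_id), None)

    def _by_email(self, email: str) -> Optional[Account]:
        return next((a for a in self.accounts.values() if a.email == email), None)

    def login_keyed_on_identifier(self, claimed_id: str, email: str) -> Account:
        """Safe: the verified URL identifier is the account key; the e-mail is
        only an attribute, refreshed on every login."""
        acct = self._by_claimed_id(claimed_id)
        if acct is None:
            acct = Account(self.next_id, claimed_id, email)
            self.accounts[acct.account_id] = acct
            self.next_id += 1
        else:
            acct.email = email   # new address, same identifier: same account
        return acct

    def login_keyed_on_email(self, claimed_id: str, email: str) -> Account:
        """Unsafe: matching on the e-mail attribute means a recycled address
        logs a different identifier into someone else's account."""
        acct = self._by_email(email)
        if acct is not None:
            return acct          # access granted to whoever held this address before
        return self.login_keyed_on_identifier(claimed_id, email)
```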


