[OpenID] Too many providers... and here's one reason

[Dick Hardt]

On 15-Sep-08, at 4:45 PM, Andrew Arnott wrote:

> I just spoke with an organization that wants to become a Provider so  
> that other RP web sites can specifically tell if the logging in user  
> is a member of this organization by whether their OpenID Identifier  
> was asserted by that org's OP.
>
> Ideally, I'd like this org to choose to be an RP instead of an OP  
> because there are already too many OPs out there and not enough RPs,  
> IMO.
>
> How can an RP accept an OpenID Identifier from arbitrary OPs, but at  
> each login determine whether the Identifier represents a user who  
> belongs to a particular Organization?  Basically the Organization  
> needs to send an assertion about the Identifier's membership, but  
> only be willing to do so if that identifier is confirmed as having  
> logged in successfully to that RP.  This would be easy to do if that  
> Org was an OP, but I'm trying to reduce the # of reasons to be an OP.

I have envisioned this as a chain of assertions / claims.

The user has a claim that their identifier is a member of the org.  
This claim could be cached or obtained each time it is needed.

The user then presents that claim (binding identifier to org  
membership) and also proves that they control the identifier presented  
to the RP.

InfoCards has this flow speced out ... will be interesting to see if  
there is interest in this from the OpenID community, particularly  
since this is where the identity  protocols really  start to  
differentiate themselves from existing username/password and form fill.

-- Dick