[OpenID] Too many providers... and here's one reason

Nate Klingenstein ndk at internet2.edu
Tue Sep 16 00:15:26 UTC 2008


Andrew,

> There is no trusted OP in my ideal scenario... unless it was the  
> Org's OP in question, but I'm trying to avoid creating that... or  
> at least the need to log in with that Org's OP.

I really think there's a trusted OP in your scenario regardless.   
Someone out there is authenticating organization XYZ's users.  That  
means both that organization XYZ and the RP trust them to correctly  
credential and identify users.  If they don't do that well, the risk  
is personal data leaking out and/or improper access to the RP's  
resources.

> With an XRI, is there no way to add a <Service> in the XRDS file  
> that somehow would point to the Org in some special way that could  
> (with programming on the RP's side) allow the RP to contact the Org  
> programmatically and check membership?  The XRDS seems like an  
> ideal place to put it.

Sure, something like this could be put together, basically analogous  
to an LDAP query.  It would remove the need for organization XYZ to  
manage authentication credentials, which is generally a win, and it  
decreases identity proliferation, which is probably a win.

However, it doesn't remove any of the trust from the OP, and it still  
requires some effort from organization XYZ.   The RP and organization  
XYZ never authenticate the user, so they need the OP to do a good job.

Take care,
Nate.
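To make the membership-check idea and Nate's objection concrete, here is an added example (not code from the thread or from any OpenID library): an RP-side helper that parses a constructed XRDS document, selects the OpenID 2.0 signon endpoint and a hypothetical organisation "membership" service by priority, and then makes the access decision. The membership service type URI, the endpoints, and the `membership_lookup` callable are all assumptions; the point it demonstrates is that the membership query is consulted only after the OP's assertion has been verified, because that query says nothing about who actually authenticated.

```python
"""
Added example (not from the original mailing-list thread): an RP-side helper that
parses a constructed XRDS document, picks the OpenID 2.0 OP endpoint and a
hypothetical organisation "membership" service, and shows that the membership
lookup only answers "is this identifier a member", never "was this user authenticated".
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"
# Hypothetical service type for the membership check; this URI is an assumption,
# not a registered OpenID/XRDS type.
MEMBERSHIP_TYPE = "http://example.org/ns/membership-check/1.0"

# Constructed sample XRDS for a fictitious user identifier (not a real document).
SAMPLE_XRDS = f"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="{XRDS_NS}" xmlns="{XRD_NS}">
  <XRD>
    <Service priority="10">
      <Type>{OPENID2_SIGNON}</Type>
      <URI>https://op.example.net/auth</URI>
    </Service>
    <Service priority="20">
      <Type>{OPENID2_SIGNON}</Type>
      <URI>https://backup-op.example.net/auth</URI>
    </Service>
    <Service priority="5">
      <Type>{MEMBERSHIP_TYPE}</Type>
      <URI>https://xyz.example.org/members</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


@dataclass(frozen=True)
class Service:
    types: tuple
    uris: tuple
    priority: int


def parse_services(xrds_text: str) -> list:
    """Extract every <Service> from an XRDS document, most-preferred first."""
    root = ET.fromstring(xrds_text)
    services = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = tuple(t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text)
        uris = tuple(u.text.strip() for u in svc.findall(f"{{{XRD_NS}}}URI") if u.text)
        prio = svc.get("priority")
        # A missing priority is treated as least preferred (assumption: large sentinel).
        services.append(Service(types, uris, int(prio) if prio is not None else 10**6))
    # In XRD, a lower priority value means the service is preferred.
    return sorted(services, key=lambda s: s.priority)


def select_endpoint(services, service_type):
    """Return the first URI of the most-preferred service advertising service_type."""
    for s in services:
        if service_type in s.types and s.uris:
            return s.uris[0]
    return None


def rp_authorize(xrds_text, claimed_id, assertion_verified, membership_lookup) -> dict:
    """
    The access decision an RP would make.

    assertion_verified stands for the result of the RP's ordinary OpenID assertion
    check (signature, nonce, return_to) against the OP endpoint found in the XRDS.
    membership_lookup is a callable (endpoint, claimed_id) -> bool standing in for
    the hypothetical membership query. Membership is consulted only after the
    assertion has been verified: the membership service cannot tell the RP who is
    at the keyboard, so the OP remains a trusted party either way.
    """
    services = parse_services(xrds_text)
    op_endpoint = select_endpoint(services, OPENID2_SIGNON)
    member_endpoint = select_endpoint(services, MEMBERSHIP_TYPE)
    result = {"op_endpoint": op_endpoint, "membership_endpoint": member_endpoint}
    if op_endpoint is None or not assertion_verified:
        result["decision"] = "deny: no verified OP assertion"
        return result
    if member_endpoint is None or not membership_lookup(member_endpoint, claimed_id):
        result["decision"] = "deny: not a member of the organisation"
        return result
    result["decision"] = "allow"
    return result


if __name__ == "__main__":
    # Constructed membership directory standing in for the organisation's service.
    members = {"https://xyz.example.org/members": {"https://alice.example.com/"}}
    lookup = lambda ep, cid: cid in members.get(ep, set())
    print(rp_authorize(SAMPLE_XRDS, "https://alice.example.com/", True, lookup))
    print(rp_authorize(SAMPLE_XRDS, "https://alice.example.com/", False, lookup))
```

The ordering matters: with `assertion_verified` false the membership service is never even contacted, which mirrors the point that adding a membership `<Service>` changes what organization XYZ has to operate, not how much the RP has to trust the OP.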