[OpenID] Directed Identity vs. "what the user typed"

SitG Admin sysadmin at shadowsinthegarden.com
Tue Mar 24 15:30:44 UTC 2009


>If one were to be using the SAML account linking modes, the user 
>typed input of peter at rapattoni.com could 
>be dynamically linked at the RP to the asserted subject name (a 
>persistent pseudonym claimed identifier in openid terminology) upon 
>receiving the assertion. If the RP maintains state to retain the 
>user typed input (as in openid delegation state management), such 
>account linking could be automatic - and be private to the browser 
>and RP.

Or, if state could not be maintained, the RP could generate a 
private/"public" key pair (neither intended for public use) and 
encrypt the user-typed input before sending it out along with the 
other OpenID parameters - if a user came in from an OP lacking this 
parameter or if it did not decrypt correctly, the RP could then 
reject their login. (The same key pair could be used on all strings - 
to prevent privacy from being compromised when the same encrypted 
string is seen on successive requests, randomly generated strings of 
a specific length can be concatenated to the user's input and then 
removed after decryption.)

-Shade
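The stateless variant Shade sketches above, worked through as an added example that is not code from the post or from any OpenID library. It keeps the post's idea (the RP alone holds the key, the user-typed string rides along with the OpenID request, and a missing or undecryptable value rejects the login) but swaps in a symmetric AES-GCM key instead of a private/public pair, and a random nonce instead of concatenated random strings; both swaps are mine. The blob is carried as a query parameter on openid.return_to, which OpenID 2.0 OPs echo back unchanged with the indirect response. The parameter name rp_typed, the RP URL and the in-memory key are assumptions for the example; the typed identifier is the one from the quoted mail.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Extra query parameter on return_to. Hypothetical name chosen for this
// example; anything outside the "openid." namespace would do.
const typedParam = "rp_typed"

// NewRPKey makes the RP's secret key. Assumption: generated at startup here;
// a real RP persists it so it survives restarts and is shared by all instances.
func NewRPKey() ([]byte, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealTyped encrypts the user-typed identifier with AES-GCM under the RP key.
// A fresh random nonce is prepended, so sealing the same string twice gives
// unrelated blobs: an OP or observer cannot link two requests by the blob.
func SealTyped(key []byte, typed string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(typed), nil) // nonce || ct || tag
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// OpenTyped reverses SealTyped. A truncated or altered blob, or one made
// under another key, fails the GCM tag check and returns an error.
func OpenTyped(key []byte, blob string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.RawURLEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("blob too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// BuildReturnTo attaches the sealed identifier to the RP's return_to URL,
// which the OP sends the browser back to with these query parameters intact.
func BuildReturnTo(key []byte, returnTo, typed string) (string, error) {
	u, err := url.Parse(returnTo)
	if err != nil {
		return "", err
	}
	blob, err := SealTyped(key, typed)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set(typedParam, blob)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// VerifyReturn runs on the URL the OP redirected to. It yields the recovered
// typed identifier, or an error (reject the login) if the parameter is
// absent or does not decrypt. The usual openid.* signature checks still apply.
func VerifyReturn(key []byte, returnedURL string) (string, error) {
	u, err := url.Parse(returnedURL)
	if err != nil {
		return "", err
	}
	blob := u.Query().Get(typedParam)
	if blob == "" {
		return "", errors.New("login rejected: no sealed identifier on return_to")
	}
	typed, err := OpenTyped(key, blob)
	if err != nil {
		return "", fmt.Errorf("login rejected: sealed identifier invalid: %w", err)
	}
	return typed, nil
}

func main() {
	key, _ := NewRPKey()
	rt, _ := BuildReturnTo(key, "https://rp.example/openid/return", "peter@rapattoni.com")
	fmt.Println(rt)
	// The OP appends its own openid.* parameters when it redirects back.
	fmt.Println(VerifyReturn(key, rt+"&openid.mode=id_res"))
}
```

The RP still has to do everything OpenID 2.0 already requires (verify the assertion signature and that return_to matches the URL actually hit); the sealed parameter only adds back the user-typed string the RP would otherwise have had to store.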