[OpenID] Identity-less OpenID
Santosh Rajan
santrajan at gmail.com
Thu May 7 04:57:59 UTC 2009
Where in OpenID 2.0 does it talk about checkid_*? I haven't seen it. I am
looking again now.
Andrew Arnott wrote:
>
> The OpenID 2.0 spec allows for checkid_* messages to omit openid.identity
> and openid.claimed_id in order to send a message whose usefulness is entirely
> in the extensions it carries. For a long time I thought "what's the point of
> that??" but I finally found a use case. So I'm adding built-in support for
> it into DotNetOpenAuth both at the RP and OP sides. Now that I've done it,
> I'm checking various OPs to see if they support it. Google: no,
> myopenid.com: no, Yahoo.com: no, myvidoop.com: no. I'm out of OPs that I'd
> have guessed had any chance of supporting it. (Actually, I guess
> myvidoop.com didn't have a chance since they only do a strange mixture of
> OpenID 1.1 with some 2.0 features support). My favorite part of this is
> that every OP says there's something wrong with the request, instead of
> "this feature isn't supported."
>
> Does anyone know of an OP that actually supports this feature? (or an RP
> that uses it?) I'm puzzled that such a feature was included in the spec
> without anyone driving for its support.
>
> In case you're interested in the scenario in which this is useful, here it
> is: Remember past threads where I've advocated against an organization
> becoming an OP just so RPs can force users to log in with that OP to verify
> some membership in the organization? The alternative that I had proposed
> was for that org to set up an OAuth SP. While that idea is still valid, it
> might be the only reason for that org and an RP to add OAuth support, which
> may not be trivial. If, on the other hand, the RP sent an identity-less
> OpenID request to the org's OP, with an "organization member check"
> extension request, then the OP could issue a positive assertion that carries
> no identity, but can assert that yes, the user is in fact a member of the
> org. Of course the OP would still have to authenticate the user somehow,
> but the RP and OP would not have to agree on an Identifier to use for
> referring to the person.
>
> In fact there are many times perhaps when the RP doesn't care how the OP
> may identify the user, but just wants to get certain claims about the user
> because it trusts the OP. Identity-less OpenID, which is in the 2.0 spec
> but no site seems to support it, seems to be a good answer.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - Voltaire
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
-----
Santosh Rajan
http://santrajan.blogspot.com
--
View this message in context: http://www.nabble.com/Identity-less-OpenID-tp23419997p23420233.html
Sent from the OpenID - General mailing list archive at Nabble.com.
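The exchange Andrew describes above, as an added example that is not part of this thread and not DotNetOpenAuth's or any OP's code: the RP sends a checkid_setup request with no openid.identity or openid.claimed_id, carrying only an extension; the OP authenticates the user, then returns a signed positive assertion (openid.mode=id_res) that names no identifier but carries the membership claim; the RP verifies it. The "member" extension namespace and its field names are hypothetical, the association (handle plus HMAC-SHA256 MAC key) is constructed inline rather than negotiated with the OP, and the user's authentication is stood in by a boolean. Beyond the bare message flow it adds the checks a practitioner wants on each side: the OP rejects a request with only one of claimed_id/identity (the spec requires both or neither), and the RP pins the OP endpoint and association it used (there is no discovery step when there is no claimed_id), refuses an assertion that suddenly names an identifier, requires every extension field it relies on to be covered by openid.sig, and rejects replayed response nonces.

```python
# Identity-less OpenID 2.0 checkid_* exchange: RP request, OP assertion, RP checks.
# Added example, not DotNetOpenAuth's or any OP's code. The membership extension
# namespace/fields are made up for this demo; the association is constructed inline.
import base64
import datetime
import hashlib
import hmac
import secrets

OPENID_NS = "http://specs.openid.net/auth/2.0"
MEMBER_NS = "http://example.org/openid/ext/member/1.0"  # assumed, hypothetical extension
OP_ENDPOINT = "https://op.example.org/openid"  # the org's OP, known to the RP out of band
RP_RETURN_TO = "https://rp.example.com/openid/return"
RP_REALM = "https://rp.example.com/"
ASSOC_HANDLE = "assoc-0001"        # constructed; a real RP gets this from an associate request
MAC_KEY = secrets.token_bytes(32)  # HMAC-SHA256 association key shared by RP and OP
SEEN_NONCES = set()                # RP-side replay cache for openid.response_nonce


def rp_build_identityless_request():
    """RP: checkid_setup with no openid.identity / openid.claimed_id, only the extension."""
    return {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.return_to": RP_RETURN_TO,
        "openid.realm": RP_REALM,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.ns.member": MEMBER_NS,
        "openid.member.org": "example.org",
    }


def kv_form(fields, keys):
    """Key-Value Form of the signed fields, in openid.signed order, keys without 'openid.'."""
    missing = [k for k in keys if "openid." + k not in fields]
    if missing:
        raise ValueError(f"signed list names absent fields: {missing}")
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in keys)


def sign(fields, keys, mac_key):
    mac = hmac.new(mac_key, kv_form(fields, keys).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def op_handle_request(req, user_is_member):
    """OP: validate the request and return a signed assertion carrying no identifier.
    user_is_member stands in for the OP's real authentication and membership lookup."""
    if req.get("openid.ns") != OPENID_NS or req.get("openid.mode") not in ("checkid_setup", "checkid_immediate"):
        raise ValueError("not an OpenID 2.0 checkid_* request")
    if ("openid.claimed_id" in req) != ("openid.identity" in req):
        raise ValueError("claimed_id and identity must be both present or both absent")
    if req.get("openid.ns.member") != MEMBER_NS:
        raise ValueError("unsupported extension")
    nonce = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + secrets.token_hex(4)
    resp = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.return_to": req["openid.return_to"],
        "openid.response_nonce": nonce,
        "openid.assoc_handle": req["openid.assoc_handle"],
        "openid.ns.member": MEMBER_NS,
        "openid.member.org": req["openid.member.org"],
        "openid.member.is_member": "true" if user_is_member else "false",
    }
    # No claimed_id/identity goes back. Sign the mandatory fields plus every
    # extension field the RP will rely on, so they cannot be altered in transit.
    signed = ["op_endpoint", "return_to", "response_nonce", "assoc_handle",
              "ns.member", "member.org", "member.is_member"]
    resp["openid.signed"] = ",".join(signed)
    resp["openid.sig"] = sign(resp, signed, MAC_KEY)
    return resp


def rp_verify_response(resp, mac_key):
    """RP: return the membership claim as a bool; raise ValueError on anything suspect."""
    if resp.get("openid.ns") != OPENID_NS or resp.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    # There was no discovery (no claimed_id), so pin the endpoint the request went
    # to and the association held for it rather than trusting the response.
    if resp.get("openid.op_endpoint") != OP_ENDPOINT or resp.get("openid.assoc_handle") != ASSOC_HANDLE:
        raise ValueError("assertion is not from the expected OP/association")
    if resp.get("openid.return_to") != RP_RETURN_TO:
        raise ValueError("return_to mismatch")
    if "openid.identity" in resp or "openid.claimed_id" in resp:
        raise ValueError("OP asserted an identifier the RP never asked about")
    signed = resp.get("openid.signed", "").split(",")
    for k in ("op_endpoint", "return_to", "response_nonce", "assoc_handle",
              "ns.member", "member.org", "member.is_member"):
        if k not in signed:
            raise ValueError(f"required field {k} is not covered by the signature")
    if not hmac.compare_digest(sign(resp, signed, mac_key), resp.get("openid.sig", "")):
        raise ValueError("bad signature")
    nonce = resp["openid.response_nonce"]
    if nonce in SEEN_NONCES:
        raise ValueError("replayed assertion")
    SEEN_NONCES.add(nonce)
    return resp["openid.member.is_member"] == "true"


if __name__ == "__main__":
    assertion = op_handle_request(rp_build_identityless_request(), user_is_member=True)
    print("member:", rp_verify_response(assertion, MAC_KEY))  # member: True
```

The point of the endpoint and association pinning is that in the identity-less case nothing in the response can be cross-checked against discovery, so the RP's only anchor is the OP it chose to talk to and the MAC key it shares with that OP; a positive assertion signed under a different association, or naming a different op_endpoint, proves nothing about the organization. Signing the extension fields is likewise what turns "the OP answered" into "the OP vouches for this value".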