[OpenID] Identity-less OpenID

Santosh Rajan santrajan at gmail.com
Thu May 7 05:18:22 UTC 2009


Ha Ok misunderstood.


Santosh Rajan wrote:
> 
> Where in OpenID 2.0 does it talk about checkid_*? I haven't seen it. I am
> looking again now.
> 
> 
> Andrew Arnott wrote:
>> 
>> The OpenID 2.0 spec allows for checkid_* messages to omit openid.identity
>> and openid.claimed_id in order to send a message whose useful is entirely
>> in the extensions it carries.  For a long time I thought "what's the point
>> of that??" but I finally found a use case.  So I'm adding built-in support
>> for it into DotNetOpenAuth both at the RP and OP sides.  Now that I've done
>> it, I'm checking various OPs to see if they support it.  Google: no,
>> myopenid.com: no, Yahoo.com: no, myvidoop.com: no.  I'm out of OPs that
>> I'd have guessed had any chance of supporting it. (Actually, I guess
>> myvidoop.com didn't have a chance since they only do a strange mixture of
>> OpenID 1.1 with some 2.0 features support).  My favorite part of this is
>> that every OP says there's something wrong with the request, instead of
>> "this feature isn't supported."
>> 
>> Does anyone know of an OP that actually supports this feature?  (or an RP
>> that uses it?)  I'm puzzled that such a feature was included in the spec
>> without anyone driving for its support.
>> 
>> In case you're interested in the scenario in which this is useful, here
>> it is:  Remember past threads where I've advocated against an organization
>> becoming an OP just so RPs can force users to log in with that OP to
>> verify some membership in the organization?    The alternative that I had
>> proposed was for that org to set up an OAuth SP. While that idea is still
>> valid, it might be the only reason for that org and an RP to add OAuth
>> support, which may not be trivial.  If, on the other hand, the RP sent an
>> identity-less OpenID request to the org's OP, with an "organization member
>> check" extension request, then the OP could issue a positive assertion that
>> carries no identity, but can assert that yes, the user is in fact a member
>> of the org.  Of course the OP would still have to authenticate the user
>> somehow, but the RP and OP would not have to agree on an Identifier to use
>> for referring to the person.
>> 
>> In fact there are many times perhaps when the RP doesn't care how the OP
>> may identify the user, but just wants to get certain claims about the user
>> because it trusts the OP.  Identity-less OpenID, which is in the 2.0 spec
>> but no site seems to support it, seems to be a good answer.
>> 
>> --
>> Andrew Arnott
>> "I [may] not agree with what you have to say, but I'll defend to the
>> death your right to say it." - Voltaire
>> 
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>> 
>> 
> 
> 


-----

Santosh Rajan
http://santrajan.blogspot.com
Sent from the OpenID - General mailing list archive at Nabble.com.
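The identity-less checkid_* request Andrew describes, as an added example that is not part of the thread and not DotNetOpenAuth code. It builds such a request and then classifies an incoming one the way an OP or RP should, applying the OpenID 2.0 rule that openid.identity and openid.claimed_id are both present or both absent, so that "identity-less but unsupported" can be reported separately from "malformed" (the complaint raised above). The "member" extension namespace and its field are hypothetical placeholders.

```python
"""Build and classify identity-less OpenID 2.0 checkid_* requests."""
from urllib.parse import parse_qs, urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# Hypothetical "organization member check" extension; constructed, not a real spec.
MEMBER_NS = "http://example.org/ns/member-check"


def build_identityless_request(return_to, realm, org_id, mode="checkid_setup"):
    """checkid_* message that omits openid.identity and openid.claimed_id.

    The useful content lives entirely in the extension, as OpenID 2.0 permits."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": mode,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.member": MEMBER_NS,   # declares the extension alias "member"
        "openid.member.org": org_id,     # hypothetical extension field
    }
    return urlencode(params)


def classify_checkid(query):
    """Return 'identified', 'identity-less', or 'malformed: <reason>'.

    Separating the identity-less case lets an OP that does not support it
    answer "feature not supported" instead of a generic request error."""
    p = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if p.get("openid.ns") != OPENID2_NS:
        return "malformed: not an OpenID 2.0 message"
    if p.get("openid.mode") not in ("checkid_setup", "checkid_immediate"):
        return "malformed: not a checkid_* request"
    # realm MUST be sent when return_to is omitted (OpenID 2.0 sec. 9.1).
    if "openid.return_to" not in p and "openid.realm" not in p:
        return "malformed: neither return_to nor realm present"
    has_identity = "openid.identity" in p
    has_claimed = "openid.claimed_id" in p
    # OpenID 2.0 sec. 9.1: identity and claimed_id are both present or both absent.
    if has_identity != has_claimed:
        return "malformed: identity and claimed_id must both be present or absent"
    if has_identity:
        return "identified"
    # Identity-less: some extension namespace must be declared to carry the payload.
    aliases = [k[len("openid.ns."):] for k in p if k.startswith("openid.ns.")]
    if not aliases:
        return "malformed: identity-less request without any extension"
    return "identity-less"
```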



