[OpenID] Identity-less OpenID

Johannes Ernst jernst+openid.net at netmesh.us
Thu May 7 15:40:45 UTC 2009


On May 6, 2009, at 21:22, Andrew Arnott wrote:

> The OpenID 2.0 spec allows for checkid_* messages to omit  
> openid.identity and openid.claimed_id in order to send a message  
> whose usefulness is entirely in the extensions it carries.  For a long  
> time I thought "what's the point of that??" but I finally found a  
> use case.  So I'm adding built-in support for it into DotNetOpenAuth  
> both at the RP and OP sides.  Now that I've done it, I'm checking  
> various OPs to see if they support it.  Google: no, myopenid.com:  
> no, Yahoo.com: no, myvidoop.com: no.  I'm out of OPs that I'd have  
> guessed had any chance of supporting it. (Actually, I guess  
> myvidoop.com didn't have a chance since they only do a strange  
> mixture of OpenID 1.1 with some 2.0 features support).  My favorite  
> part of this is that every OP says there's something wrong with the  
> request, instead of "this feature isn't supported."
>
> Does anyone know of an OP that actually supports this feature?  (or  
> an RP that uses it?)  I'm puzzled that such a feature was included  
> in the spec without anyone driving for its support.

I believe this was one of Sxip's contributions that was closer to the  
roots of the original Sxip protocols that weren't driven by a unique  
identifier / URL.

>
>
> In case you're interested in the scenario in which this is useful,  
> here it is:  Remember past threads where I've advocated against an  
> organization becoming an OP just so RPs can force users to log in  
> with that OP to verify some membership in the organization?    The  
> alternative that I had proposed was for that org to set up an OAuth  
> SP. While that idea is still valid, it might be the only reason for  
> that org and an RP to add OAuth support, which may not be trivial.   
> If, on the other hand, the RP sent an identity-less OpenID request  
> to the org's OP, with an "organization member check" extension  
> request, then the OP could issue a positive assertion that carries  
> no identity, but can assert that yes, the user is in fact a member  
> of the org.  Of course the OP would still have to authenticate the  
> user somehow, but the RP and OP would not have to agree on an  
> Identifier to use for referring to the person.
>
> In fact there are many times perhaps when the RP doesn't care how  
> the OP may identify the user, but just wants to get certain claims  
> about the user because it trusts the OP.  Identity-less OpenID,  
> which is in the 2.0 spec but no site seems to support it, seems to  
> be a good answer.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the  
> death your right to say it." - Voltaire
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

Johannes Ernst
NetMesh Inc.

   http://netmesh.info/jernst
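A worked version of the exchange Andrew describes, added here as an illustration; it is not code from this thread, from DotNetOpenAuth, or from any OP. The OpenID 2.0 message fields (checkid_setup without openid.identity or openid.claimed_id, the id_res assertion, the openid.signed list and the key:value signing rule of section 6.1) follow the spec; the "membership" extension namespace, its field names, the hostnames and the association handle are invented for the example. The RP-side check is where the security point lies: an identity-less assertion is only as good as the signature over the extension fields the RP acts on, so the RP refuses any response in which those fields are missing from openid.signed, and it records the response nonce so the same assertion cannot be replayed.

```python
"""Identity-less OpenID 2.0: RP request, OP positive assertion, RP verification.
Added example. The membership extension (MEMBER_NS and openid.member.* fields)
is hypothetical; no such OpenID extension was standardized."""
import base64
import hashlib
import hmac
import os
import time

OPENID_NS = "http://specs.openid.net/auth/2.0"
MEMBER_NS = "http://example.org/openid/ext/membership/1.0"  # hypothetical extension
# Fields OpenID 2.0 (section 10.1) requires in openid.signed for every id_res.
ALWAYS_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
# Extension fields this RP acts on; the claim is worthless unless they are signed.
MEMBER_FIELDS = ("ns.member", "member.org", "member.is_member")


def build_identityless_request(return_to, realm, assoc_handle, org_id):
    """RP side: checkid_setup with neither openid.identity nor openid.claimed_id
    (OpenID 2.0 section 9.1 allows omitting both); only the extension is carried."""
    return {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.assoc_handle": assoc_handle,
        "openid.ns.member": MEMBER_NS,
        "openid.member.org": org_id,
    }


def openid_signature(fields, signed_keys, mac_key):
    """OpenID 2.0 section 6.1: 'key:value\\n' for each signed key (without the
    'openid.' prefix), HMAC with the association MAC key, base64-encoded.
    HMAC-SHA256 here corresponds to assoc_type HMAC-SHA256."""
    token = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys)
    digest = hmac.new(mac_key, token.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def op_positive_assertion(request, op_endpoint, mac_key, is_member, signed=None):
    """OP side: id_res carrying no identifier, only the signed membership claim.
    How the OP authenticated the user before deciding is_member is outside the
    message flow, exactly as in the thread. `signed` is overridable so the RP
    check below can be exercised against a sloppy OP that leaves the
    extension fields unsigned."""
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + os.urandom(4).hex()
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.return_to": request["openid.return_to"],
        "openid.response_nonce": nonce,
        "openid.assoc_handle": request["openid.assoc_handle"],
        "openid.ns.member": MEMBER_NS,
        "openid.member.org": request["openid.member.org"],
        "openid.member.is_member": "true" if is_member else "false",
    }
    if signed is None:
        signed = list(ALWAYS_SIGNED) + list(MEMBER_FIELDS)
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = openid_signature(fields, signed, mac_key)
    return fields


def rp_verify_membership(response, mac_key, expected_return_to, expected_org, seen_nonces):
    """RP side. Returns (accepted, is_member, reason). Accepts only a claim that
    is covered by a valid signature over every field the RP relies on, and
    rejects a response_nonce it has already seen (replay)."""
    if response.get("openid.ns") != OPENID_NS or response.get("openid.mode") != "id_res":
        return False, None, "not an OpenID 2.0 positive assertion"
    signed = response.get("openid.signed", "").split(",")
    for key in ALWAYS_SIGNED + MEMBER_FIELDS:
        if key not in signed:
            return False, None, f"field {key} is not covered by openid.sig"
    # If the OP did send an identifier after all, the spec requires it be signed.
    for key in ("claimed_id", "identity"):
        if "openid." + key in response and key not in signed:
            return False, None, f"{key} present but unsigned"
    try:
        expected_sig = openid_signature(response, signed, mac_key)
    except KeyError as missing:
        return False, None, f"signed field {missing} missing from response"
    if not hmac.compare_digest(expected_sig, response.get("openid.sig", "")):
        return False, None, "bad signature"
    if response["openid.return_to"] != expected_return_to:
        return False, None, "return_to mismatch"
    if response["openid.ns.member"] != MEMBER_NS or response["openid.member.org"] != expected_org:
        return False, None, "membership claim is about a different extension or org"
    nonce = response["openid.response_nonce"]
    if nonce in seen_nonces:
        return False, None, "replayed response_nonce"
    seen_nonces.add(nonce)
    return True, response["openid.member.is_member"] == "true", "ok"


if __name__ == "__main__":
    mac_key = os.urandom(32)  # would come from a prior association; constructed here
    req = build_identityless_request("https://rp.example/return", "https://rp.example/",
                                     "assoc-demo", "example-org")
    resp = op_positive_assertion(req, "https://op.example/openid", mac_key, True)
    print(rp_verify_membership(resp, mac_key, req["openid.return_to"], "example-org", set()))
```

Run stand-alone it prints `(True, True, 'ok')`. The two failure paths worth trying are an OP that signs only the four mandatory fields (rejected because `ns.member` is unsigned, even though the signature itself verifies) and a response whose `openid.member.is_member` was changed after signing (rejected as a bad signature). Both show why an RP that accepts identity-less assertions must check the contents of openid.signed rather than just that a signature is present.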


