[OpenID] Password age and password reset

Peter Williams pwilliams at rapattoni.com
Wed May 13 18:58:48 UTC 2009


Just remember that openid is supposed to be uci, not an idp- or rp-centric federations model.

An rp will surely have to retain knowledge of (and control over) whether the user has or has not authorized signalling between rp and op. This consent can be (rp) persisted, or vanity xrds based.

Should such post-assertion signalling (info about the current auth session) be origin authenticated over the current openid session (or will the peers need to negotiate new nonces, recheck xrds realms etc., redo discovery?)

Can the user's vanity xrds control whether or not the rp may see/exploit an op's "other" endpoints (just like it does for the auth endpoint)?


-----Original Message-----
From: Breno de Medeiros <breno at google.com>
Sent: Wednesday, May 13, 2009 2:44 PM
To: Peter Williams <pwilliams at rapattoni.com>
Cc: Santosh Rajan <santrajan at gmail.com>; general at openid.net <general at openid.net>
Subject: Re: [OpenID] Password age and password reset


On Wed, May 13, 2009 at 11:07 AM, Peter Williams
<pwilliams at rapattoni.com> wrote:
> Out of interest, assuming the user has bound several openids to the rp account, which op gets all this data? The one introducing the current session, or all of them?

I assume the OP that the user is trying to use to login now?

>
> Does the rp using a vanity openid need the user's consent before reporting suspicious or improper (user) conduct to a third party (the op)? Or should the transfer be covert?

In what I am proposing the transfer is intermediated by the browser,
so not covert.



--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)