[OpenID] Password age and password reset

Peter Williams pwilliams at rapattoni.com
Wed May 13 19:23:53 UTC 2009


In the delegated case, the rp does not know which op introduced the current session. The id and endpoint of the asserting op are not stored state info. The op used on the next run of openid auth may not be the same as the previous session (since it depends on criteria, and the latest vals in the vanity xrds). If we had identiless transactions (that "resume" a previous security context, cryptographically) we'd be in better shape.

-----Original Message-----
From: Breno de Medeiros <breno at google.com>
Sent: Wednesday, May 13, 2009 2:44 PM
To: Peter Williams <pwilliams at rapattoni.com>
Cc: Santosh Rajan <santrajan at gmail.com>; general at openid.net <general at openid.net>
Subject: Re: [OpenID] Password age and password reset


On Wed, May 13, 2009 at 11:07 AM, Peter Williams
<pwilliams at rapattoni.com> wrote:
> Out of interest, assuming the user has bound several openids to the rp account, which op gets all this data? The one introducing the current session, or all of them?

I assume the OP that the user is trying to use to login now?

>
> Does the rp using a vanity openid need the user's consent before reporting suspicious or improper (user) conduct to a third party (the op)? Or should the transfer be covert?

In what I am proposing the transfer is intermediated by the browser,
so not covert.



--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)


