[OpenID] Password age and password reset
Andrew Arnott
andrewarnott at gmail.com
Fri May 15 04:40:33 UTC 2009
Then I return to "Why doesn't the RP know which OP sent the assertion?" In
Peter's scenario the RP forgets all OpenID state regarding which OP sent the
assertion because it wasn't needed any more. But doesn't wanting to log the
user out of the OP suggest that it *is* needed? Saying "I can't do that
because I forgot the details since I didn't need them any more" is a
self-contradicting statement. If you need them for log off, don't forget
them. :)
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
2009/5/14 SitG Admin <sysadmin at shadowsinthegarden.com>
> Peter, the claimed identifier which the RP associates with the local
>> user account is the same for every login regardless of which OP in the
>> xrds is selected to authenticate the user. You seemed to say that if
>> OP #3 was selected the RP might not recognize the asserted user but
>> the selected OP should be irrelevant. Or am I misunderstanding you?
>>
>
> My understanding (which may be wrong) is that, if an XRDS file lists
> several OP's, the RP might select one for logout that had not been aware the
> user was logged into that RP, because the user had been logged in with
> another.
>
> -Shade
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090514/ec28def9/attachment.htm>
More information about the general
mailing list