[OpenID] Logout Use Case
Andrew Arnott
andrewarnott at gmail.com
Sat Oct 3 18:11:37 UTC 2009
Ah, I see what you're getting at now. Thanks for explaining it to me. You
know, in the return message from RP to OP a few varying degrees could be
given without giving away too much I think: "logged out", "not logged out".
That way in the OP's iframe it could just show an exclamation mark at that
RP saying "we couldn't log you out here". Windows Live ID and Facebook have
similar functionality here I think.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Sat, Oct 3, 2009 at 9:12 AM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
> >The detail that RP1 required positive assertions from OP1 *and* OP2 to
> log the user in seems inconsequential.
>
> Or it could be a varying-levels-of-assurance login, with the user able to
> provide higher levels as needed to take sensitive actions (perhaps through
> an OP that only authenticates for 5 minutes at a time, and uses one-time
> passwords).
>
> >As soon as RP1 gets the "log out" assertion from the OP, it only has OP2
> with a standing positive assertion left, and therefore logs the user out.
>
> Or it lowers the user's level of access, and the user merely *thinks* their
> terminal has been logged out. This worries me. If the OP signals (somehow)
> that this is (intended as) a universal logout, how does an RP signal back
> that the user ought to visit their site for more actions, without revealing
> the likelihood of other active OPs? (It may be unavoidable. RPs supporting
> MultiAuth should probably alert the user to the difficulty of balancing
> privacy with universal logout.)
>
> -Shade
>