[OpenID] OP-initiated RP discovery
SitG Admin
sysadmin at shadowsinthegarden.com
Tue Oct 6 23:13:16 UTC 2009
>Though in the spirit of the onion network I would hope that the OP
>is using PPID identifiers for you so that you are not correlatable by
>the RP, using an omni-directional openID sort of defeats part of the
>purpose.

Tor hides IP address, so attackers can't geo-locate or attack the
user's network directly. If the OpenID does not disclose that
information (or make it possible to figure out), users should still
have something to gain from this.

>I should clarify.
>
>RP discovery for return_to validation is required by the GSA profile.

I wonder if XRI will (some day) offer a Tor extension gatewaying to
that network, so users can have *URIs* on Tor with the server on
their personal laptop, bringing it online as needed through internet
cafes or other hot spots. (This wouldn't break recurring checks to
the user's URI, since it would be online as long as the user was.)
Anyone can (physically) compromise a server you only have remote
access to. To be *sure* the service (be it RP's data or user's
URI/OpenID) is only working when and as *you* want it to, keep the
hardware on you at all times and keep attackers from being able to
locate it. (This isn't absolute, but at least you'll probably know
the moment someone compromises its physical security.)
-Shade