<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin-top:0cm;
        margin-right:0cm;
        margin-bottom:10.0pt;
        margin-left:0cm;
        line-height:115%;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:612.0pt 792.0pt;
        margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=PT link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span lang=EN-US>Hello.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>I’ve a rather basic question
regarding the OpenID Information Cards 1.0 specification, namely the underlying
trust model.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>If I understand this specification
correctly, the message flow is the following:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>1) The User accesses an RP page requiring
authentication and containing an infocard OBJECT or XHTML element. This element
requires a token with an OpenID-specific type and inner claims.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>2) The User-agent delegates this request to
the User’s Identity Selector (IS). The IS shows to the User the list of
cards compatible with the requesting element. Then it uses the metadata
contained in the selected card to perform a WS-Trust request: sends a RST message
and receives a RSTR response containing an OpenIDToken. This token contains a
set of name value pairs, corresponding to the content of the id_res response
message.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>3) The User-agent sends this token to the
RP.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>4) The RP uses the content of the token as
an id_res response and executes the remainder of the OpenID 2.0 protocol,
namely by sending a check_authentication directly to the OP.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>My question is: how does the RP know that
the OP has “authentication authority” over the asserted User URL?
In the original protocol, the OP was pointed to by an element contained in the
HTML document referenced by the identity URL, that is, the owner of the URL
delegated the authentication to the OP by defining the address of the OP.
However, in the “OpenID Information Cards” specification this protocol step is
absent.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>What forbids me from creating an OP that
asserts any identity URL that I want?<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Thanks.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Pedro Felix<o:p></o:p></span></p>
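<p class=MsoNormal><span lang=EN-US>Editorial example added to this message (it is not code from the original post, from the OpenID specifications or from any Information Card implementation): the check that OpenID 2.0 places between steps 3 and 4 above, and that the question observes is missing from the Information Card flow. Given the name/value pairs carried in the token and the HTML document found at the claimed identifier, the RP re-runs discovery and accepts the assertion only if the openid.op_endpoint it names is the provider that document delegates to. The key:value line format of the token, the sample identifier page, all URLs and the helper names are assumptions constructed for the example; the check_authentication call of step 4 is assumed to be made separately, since it only proves that the OP signed the assertion, not that the OP may speak for the identifier.</span></p>

```python
from html.parser import HTMLParser

# Constructed sample: the HTML document an RP would fetch from the claimed
# identifier during OpenID 2.0 HTML discovery. Not a real site.
DISCOVERY_PAGES = {
    "https://alice.example.net/": (
        '<html><head>'
        '<link rel="openid2.provider" href="https://op.example.org/endpoint">'
        '<link rel="openid2.local_id" href="https://op.example.org/users/alice">'
        '</head><body>alice</body></html>'
    ),
}

# Constructed sample of the name/value pairs carried in the OpenIDToken,
# assumed here to use OpenID's "key:value" line format (one pair per line).
SAMPLE_TOKEN = (
    "openid.ns:http://specs.openid.net/auth/2.0\n"
    "openid.mode:id_res\n"
    "openid.op_endpoint:https://op.example.org/endpoint\n"
    "openid.claimed_id:https://alice.example.net/\n"
    "openid.identity:https://op.example.org/users/alice\n"
)


class _LinkRelParser(HTMLParser):
    """Collect href values of <link rel=...> elements, keyed by rel token."""

    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attributes = dict(attrs)
        rel, href = attributes.get("rel"), attributes.get("href")
        if rel and href:
            for token in rel.split():
                # First occurrence wins, as discovery takes the first link.
                self.rels.setdefault(token.lower(), href)


def discover(claimed_id, fetch=DISCOVERY_PAGES.get):
    """HTML discovery on the claimed identifier (hypothetical helper).

    Returns (op_endpoint, op_local_identifier) as the identifier's own
    document delegates them, or None when the document is missing or
    names no provider.
    """
    document = fetch(claimed_id)
    if document is None:
        return None
    parser = _LinkRelParser()
    parser.feed(document)
    endpoint = parser.rels.get("openid2.provider")
    if endpoint is None:
        return None
    # Without an explicit local_id the claimed identifier is the OP-local one.
    return endpoint, parser.rels.get("openid2.local_id", claimed_id)


def parse_openid_token(kv_text):
    """Parse 'key:value' lines into a dict; only the first colon separates."""
    fields = {}
    for line in kv_text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed key:value line: %r" % line)
        fields[key.strip()] = value.strip()
    return fields


def op_is_authoritative(fields, fetch=DISCOVERY_PAGES.get):
    """Accept the assertion only if the OP it names is the one the claimed
    identifier delegates to. A self-made OP can sign an assertion for any
    URL and pass check_authentication; it cannot pass this comparison unless
    the identifier's owner has pointed their document at it."""
    claimed = fields.get("openid.claimed_id")
    asserted_endpoint = fields.get("openid.op_endpoint")
    if not claimed or not asserted_endpoint:
        return False
    discovered = discover(claimed, fetch)
    if discovered is None:
        return False
    endpoint, local_id = discovered
    return endpoint == asserted_endpoint and fields.get("openid.identity") == local_id


if __name__ == "__main__":
    token = parse_openid_token(SAMPLE_TOKEN)
    print("delegated OP accepted:", op_is_authoritative(token))
    # The scenario from the question: an OP nobody delegated to asserts the URL.
    undelegated = dict(token, **{"openid.op_endpoint": "https://rogue.example.com/op",
                                 "openid.identity": "https://rogue.example.com/alice"})
    print("undelegated OP accepted:", op_is_authoritative(undelegated))
```

<p class=MsoNormal><span lang=EN-US>Running the block accepts the token whose op_endpoint matches the provider linked from the constructed identifier page and rejects the same token re-issued by an OP the page does not delegate to; an identifier with no discoverable document is rejected as well, because the RP then has no evidence of delegation at all.</span></p>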
</div>
</body>
</html>