<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
Trey & Shade,<div><br></div><div>Here's a picture and writeup courtesy of UAB, NCSA & their early proxying experiments that might help:</div><div><br></div><div><a href="https://spaces.internet2.edu/display/GS/MyVocs">https://spaces.internet2.edu/display/GS/MyVocs</a><br><div><br></div><div><div><blockquote type="cite"><p style="margin: 0.0px 0.0px 0.0px 0.0px"><font face="Helvetica" size="3" style="font: 12.0px Helvetica">About #1. If openId's are unique why would the authenticating party need to specify which one out of two or more? Assuming they were using one openId for my properties we could use that openId-provider.com/username as the key to lookup the user on the original domain.</font></p></blockquote><div><br></div><div>In your example, would the RP receive the identifier auth.com/trey, or openid.com/trey? Who would have issued and confirmed it? How do you avoid auth.com/trey going to openid.com/ndk or microsoft.com/bgates?</div><div><br></div><div>It gets worse when you start dealing with attributes.</div><div><br></div><blockquote type="cite"> <p style="margin: 0.0px 0.0px 0.0px 0.0px"><font face="Helvetica" size="3" style="font: 12.0px Helvetica">Also, to double check. You are saying that openId supports -- or maybe more specifically doesn't prohibit -- chaining authentication to an intermediary server?</font></p></blockquote><div><br></div><div>If you're just using openid.com/trey to authenticate for auth.com/trey, then you're probably within the specs. If your intention is to allow auth.com to be authoritative for openid.com/trey through some other process, you've probably moved outside the specs, as Shade alludes to.</div><div><br></div><div>In particular, you'd have issues with the Return URL. What does openid.com stick in there that is spec-legal, goes to auth.com, and will be trusted by related-a.com?</div><div><br></div><blockquote type="cite"> <p style="margin: 0.0px 0.0px 0.0px 0.0px"><font face="Helvetica" size="3" style="font: 12.0px Helvetica">Lastly, is there anything published online (specs, docs, howtos, thoughts or reflections) about what we're trying to do here that you know of?</font></p></blockquote><br></div><div>See the document above(as well as the IAMSuite work out of Australia). The flow diagram is significantly more complicated than it needs to be because they were trying to integrate with existing software packages. I can also send you an old paper I wrote on this off-list if you're interested. There are a few other ways to skin this cat.</div><div><br></div><div>Glad to have your insights on this old problem,</div><div>Nate.</div></div></div></body></html>