<HTML dir=ltr><HEAD></HEAD>
<BODY style="WORD-WRAP: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space">
<DIV id=idOWAReplyText80528 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2><A href="http://www.omii.ac.uk/downloads/project.jsp?projectid=227" target=_blank>http://www.omii.ac.uk/downloads/project.jsp?projectid=227</A></FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>What we see in the (research) project described in the link is that an SP (RP in OpenID terminology) can take the role of a party for whom a "legitimate" security model entitles it to (a) aggregate attributes from multiple (IDP) sources, and (b) deliver (authorization) decisions to others (others being undefined in OpenID terminology).</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>We can perhaps abstract this to OpenID2. An RP can aggregate attributes from multiple OPs, assuming the user perhaps account-links their OP's localid to a COMMON name held at the RP. Under the rules of AX, one RP can then deliver to another RP the _aggregated_ set of attributes when the AX responder verifies the request context to be "perform an authorization _decision_ (D.auth), under authorization policy (P.auth)".</FONT></DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2></FONT> </DIV></DIV>
<DIV id=idSignature88642 dir=ltr>
<DIV><FONT face=Arial color=#000000 size=2><SPAN style="FONT-SIZE: 7.5pt">_________________________<BR></SPAN><B>Peter Williams<BR></B></FONT><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Peter Williams<BR><B>Sent:</B> Wed 5/28/2008 2:03 AM<BR><B>To:</B> Nate Klingenstein<BR><B>Cc:</B> general@openid.net<BR><B>Subject:</B> RE: [OpenID] Attribute Exchange without simultaneous authentication<BR></FONT><BR></DIV></DIV>
<DIV dir=ltr>
<DIV id=idOWAReplyText68748 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>From Dec 05: <A href="http://codebrane.com/blog/?p=164" target=_blank>http://codebrane.com/blog/?p=164</A>.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV><FONT face=Arial size=2>
<DIV dir=ltr><BR>I'm going to be focusing a fair amount of my energy on seeing how SAML2/Shib fits with the Grid world, to see which elements can be re-purposed. Perhaps the place for me to start to focus is the control models: how delegation works in theory and then in practice, for AX-like flows amongst RPs and then other flows between RPs and specialized authorities such as "repositories". With a focus on delegation, I'll probably start to understand where Microsoft is going when leveraging TPMs in "claims handling" systems.</DIV>
<DIV dir=ltr></FONT><FONT face=Arial color=#000000 size=2></FONT> </DIV></DIV>
<DIV id=idSignature13509>
<DIV><FONT face=Arial color=#000000 size=2><SPAN style="FONT-SIZE: 7.5pt">_________________________<BR></SPAN><B>Peter Williams<BR></B></FONT></DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Nate Klingenstein<BR><B>Sent:</B> Tue 5/27/2008 1:12 AM<BR><B>To:</B> Peter Williams<BR><B>Cc:</B> general@openid.net<BR><B>Subject:</B> Re: [OpenID] Attribute Exchange without simultaneous authentication<BR></FONT><BR></DIV>
<DIV>
<DIV style="MARGIN: 0px">I agree with Peter. Tacking things onto particular specs should be avoided to limit proliferation of fields and terms for conceptually similar things. It seems to me that the idea of openid.identity, as the OP-local identifier, would still be applicable in this sense.</DIV>
<DIV style="MIN-HEIGHT: 14px; MARGIN: 0px; FONT: 12px Helvetica"><BR></DIV>
<DIV style="MARGIN: 0px"><FONT style="FONT: 12px Helvetica" face=Helvetica size=3>Is there a reason not to generalize this?</FONT></DIV>
<DIV style="MARGIN: 0px"><FONT style="FONT: 12px Helvetica" face=Helvetica size=3>Nate.</FONT></DIV>
<DIV style="MARGIN: 0px"><BR></DIV>
<DIV>On 26 May 2008, at 19:31, Peter Williams wrote:<BR class=Apple-interchange-newline>
<BLOCKQUOTE type="cite"><SPAN class=Apple-style-span style="WORD-SPACING: 0px; FONT: 10px Arial; TEXT-TRANSFORM: none; COLOR: rgb(0,0,0); TEXT-INDENT: 0px; WHITE-SPACE: normal; LETTER-SPACING: normal; BORDER-COLLAPSE: separate; orphans: 2; widows: 2; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0">I think it's more important to fix the critical issue: follow through the intent and ensure the docs allow any (perhaps vendor-defined) extension (not only AX) to leverage a pre-existing OpenID Association without seeking an authentication Statement (or imply the processing of authentication request signals by an OP).</SPAN></BLOCKQUOTE></DIV><BR></DIV></DIV></BODY></HTML>