Is there a way for RPs to verify an OP's claim made via PAPE? I mean, I can write an OP that uses PAPE to <i>say</i> I'm Verisign authorized. But how can an RP verify that claim?<br clear="all"><br>--<br>Andrew Arnott
<br><br><div class="gmail_quote">On Fri, Jun 27, 2008 at 5:43 PM, Anders Feder <<a href="mailto:lists.anders@feder.dk">lists.anders@feder.dk</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I think what you are suggesting can almost be done with PAPE already. It<br>
would just be a matter of producing the necessary policies (and get them<br>
recognized).<br>
<br>
For instance, VeriSign could produce a policy called "OP certified by<br>
VeriSign" and upon seeing this request from the RP, your 'default OP'<br>
would be able to redirect sign in to an OP it knows supports the "OP<br>
certified by VeriSign" policy.<br>
<br>
Fri, 27 06 2008 at 16:00 -0700, SitG Admin wrote:<br>
<div><div></div><div class="Wj3C7c">> I was reading this:<br>
> <a href="http://self-issued.info/?p=75" target="_blank">http://self-issued.info/?p=75</a><br>
> (Posted to the <a href="mailto:board@openid.net">board@openid.net</a> list by Mike Jones.)<br>
><br>
> I was disturbed to see, in the first paragraph, that OpenID would be<br>
> accepted from "two" Providers; this is exactly the kind of lock-in<br>
> that will effectively *lock-OUT* the small, independent Providers.<br>
><br>
> Listing multiple OPs on the claimed Identity page may be one way to<br>
> get around that; just let the RP discard options until it runs out of<br>
> OPs or finds one it likes. But why should each user have to handle<br>
> their own complexities this way?<br>
><br>
> Couldn't an OP offer that sort of thing as a feature? Couldn't an RP<br>
> trust an OP designated by the user to at least report which *other*<br>
> OPs the user had approved for use if the RP didn't trust that OP to<br>
> authenticate the user?<br>
><br>
> I don't know what the flow would look like here, but I'm thinking<br>
> vaguely of something like the RP sending the user to the listed OP<br>
> with some arguments like "openid.untrusted", and possibly an<br>
> additional value for the preferred OP, or maybe the OP would respond<br>
> with an affirmative if it wanted to open negotiations with the RP<br>
> about what OP would be trusted. At some point the user would then be<br>
> sent to their OP, get prompted (or at least notified) about accepting<br>
> the other OP (or given a list of their options, whatever the RP would<br>
> accept), and proceed on to the new OP using the arguments that the RP<br>
> sent to their OP.<br>
><br>
> -Shade<br>
> _______________________________________________<br>
> general mailing list<br>
> <a href="mailto:general@openid.net">general@openid.net</a><br>
> <a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
><br>
<br>
</div></div><div class="Ih2E3d">--<br>
Anders Feder <<a href="mailto:lists.anders@feder.dk">lists.anders@feder.dk</a>><br>
<br>
_______________________________________________<br>
</div><div><div></div><div class="Wj3C7c">general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br>
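The question above is how an RP can check a PAPE claim such as "OP certified by VeriSign". The following is an added example, not code from the thread or from any OpenID library: it parses the PAPE policy URIs out of a positive assertion and shows that the claim is self-asserted by the OP, so the RP has to pair it with its own out-of-band list of OP endpoints it trusts to make that claim. It assumes the OpenID 2.0 and PAPE 1.0 parameter names (openid.op_endpoint, openid.ns.&lt;alias&gt;, openid.&lt;alias&gt;.auth_policies); the policy URI and endpoint hosts are constructed placeholders, and signature verification of the assertion is assumed to have already passed.

```python
"""Added example (not from the thread): a PAPE policy claim is only the
OP's own word, so the RP must combine it with an out-of-band list of OP
endpoints it trusts. Policy URI and endpoints are constructed placeholders;
the assertion's signature is assumed to have been verified already."""
from urllib.parse import parse_qs, urlencode, urlsplit

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
# Stand-in for an "OP certified by VeriSign" policy (constructed URI).
CERTIFIED_POLICY = "http://example.org/pape/op-certified-placeholder"
# RP operator's list of OP endpoints trusted to assert that policy.
TRUSTED_CERTIFIED_OPS = {"https://op.trusted.example/openid"}


def asserted_policies(params):
    """Return the policy URIs the OP asserted in an indirect positive
    assertion. The PAPE alias is discovered from openid.ns.<alias>, not
    assumed to be 'pape'; params maps each key to a single string."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            alias = key[len("openid.ns."):]
            return set(params.get(f"openid.{alias}.auth_policies", "").split())
    return set()


def normalise_endpoint(url):
    """Compare endpoints by scheme, lower-cased host and path only."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path or "/")


def rp_accepts_certified(return_url, policy=CERTIFIED_POLICY,
                         trusted_ops=TRUSTED_CERTIFIED_OPS):
    """True only if the OP claimed the policy AND the asserting endpoint
    is one the RP independently trusts; the claim alone proves nothing."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(return_url).query).items()}
    if policy not in asserted_policies(params):
        return False
    endpoint = params.get("openid.op_endpoint", "")
    trusted = {normalise_endpoint(u) for u in trusted_ops}
    return normalise_endpoint(endpoint) in trusted


def build_assertion(op_endpoint, alias="pape", policies=(CERTIFIED_POLICY,)):
    """Construct a minimal indirect positive assertion (demo input only)."""
    q = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": op_endpoint, f"openid.ns.{alias}": PAPE_NS,
         f"openid.{alias}.auth_policies": " ".join(policies)}
    return "https://rp.example/return?" + urlencode(q)
```

An OP the RP has never heard of can emit exactly the same auth_policies value, so the second check is the one doing the security work.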