<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Andrew,</div><div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; ">There is no trusted OP in my ideal scenario... unless it was the Org's OP in question, but I'm trying to avoid creating that... or at least the need to log in with that Org's OP.</span></blockquote><div><br></div><div>I really think there's a trusted OP in your scenario regardless. Someone out there is authenticating organization XYZ's users. That means both that organization XYZ and the RP trust them to correctly credential and identify users. 
If they don't do that well, the risk is personal data leaking out and/or improper access to the RP's resources.</div><br><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div>With an XRI, is there no way to add a &lt;Service&gt; in the XRDS file that somehow would point to the Org in some special way that could (with programming on the RP's side) allow the RP to contact the Org programmatically and check membership? The XRDS seems like an ideal place to put it. </div></span></blockquote></div><br><div>Sure, something like this could be put together, basically analogous to an LDAP query. It would remove the need for organization XYZ to manage authentication credentials, which is generally a win, and it decreases identity proliferation, which is probably a win.</div><div><br></div><div>However, it doesn't remove any of the trust from the OP, and it still requires some effort from organization XYZ. The RP and organization XYZ never authenticate the user, so they need the OP to do a good job.</div><div><br></div><div>Take care,</div><div>Nate.</div></body></html>