<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I dont see why this is that un-openid. It seems mostly built
into the architecture of AX, and AX’s relationship to openid auth’s identity validation
procedures.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>One RP can already induce an AX update to one or more RPs.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>That RP is entitled - under UCI - to now be act as an OP.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I still cannot tell from the AX text whether that second RP (1) can
or cannot originate an unsolicited assertion, and (2) assuming it can, whether
its AX fetch response MAY,SHOULD or MUST contain identity field populated (making
the AX fetch response also an authentication statement when populated).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> general-bounces@openid.net
[mailto:general-bounces@openid.net] <b>On Behalf Of </b>Paul Madsen<br>
<b>Sent:</b> Wednesday, December 03, 2008 3:34 AM<br>
<b>To:</b> SitG Admin<br>
<b>Cc:</b> general@openid.net<br>
<b>Subject:</b> Re: [OpenID] 2-Headed OpenID Auth for Increased Security?<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>SitG Admin wrote: <o:p></o:p></p>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>We toyed with this idea in Liberty for SAML but never did
anything with it - partly because it would already work out of the box with SSO
protocols as they are if the RP coordinates the multiple authentications. <o:p></o:p></p>
</blockquote>
<p class=MsoNormal><br>
Exactly - the exciting answers here will not be "HOW can we do it?"
but "WHY should we do it?". <br>
<br>
<br>
<o:p></o:p></p>
<p class=MsoNormal>We did think of optimizations whereby you could eliminate
some redirects by having (in OpendID terminology) the first RP indicate
to the first OP the second OP in the openid.return_to - I'm not sure this
would be legal in OpenID? <o:p></o:p></p>
<p class=MsoNormal><br>
What do you mean by the first RP? <o:p></o:p></p>
<p class=MsoNormal>yes, 'first' is redundant, there is only the one<br>
<br>
<o:p></o:p></p>
<p class=MsoNormal><br>
My understanding of the process here (my own poor statements notwithstanding)
is that the user would have multiple *URI's*, each with their own OP, and use
all of these with a single (suspicious) RP. <o:p></o:p></p>
<p class=MsoNormal>yes, and by default the sequence would be<br>
<br>
RP-OP1-RP-OP2-RP<br>
<br>
a permutation would have the first OP, after authenticating the user, redirect
the browser to the second OP rather than back to the RP. Only after
authenticating would the browser be sent to the RP<br>
<br>
RP-OP1-OP2-RP<br>
<br>
But this muddies up the request/response model and creates privacy
implications<br>
<br>
if its the RP doing the coordinating, its not clear to me what the relevance of
XRDS to enable or optimize this. If an RP cares enough to require 2
authns, it will likely have its own idea as to what OPs are appropriate,
notwithstanding any 'primary' or 'secondary' designations <br>
<br>
<br>
<o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
-Shade <br>
<br>
<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal>-- <br>
<a href="http://feeds.feedburner.com/%7Er/blogspot/gMwy/%7E6/1"><span
style='text-decoration:none'><img border=0 width=400 height=82 id="_x0000_i1025"
src="cid:image001.gif@01C95518.378C2FC0" alt=ConnectID></span></a><o:p></o:p></p>
</div>
</div>
</body>
</html>