Why do you say the RP doesn't know which OP introduced the current session? If it cared to know, it could store that information easily enough. Every RP must be conscious of which OP asserted the user the last time he logged into the RP in order to verify the assertion.<br>
<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Wed, May 13, 2009 at 12:23 PM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
In the delegated case, the RP does not know which OP introduced the current session. The id and endpoint of the asserting OP is not stored state info. The OP used on the next run of openid auth may not be the same as the previous session (since it depends on criteria, and the latest vals in the vanity xrds). If we had identity-less transactions (that "resume" a previous security context, cryptographically) we'd be in better shape.<br>
<div class="im"><br>
-----Original Message-----<br>
From: Breno de Medeiros <<a href="mailto:breno@google.com">breno@google.com</a>><br>
Sent: Wednesday, May 13, 2009 2:44 PM<br>
To: Peter Williams <<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>><br>
Cc: Santosh Rajan <<a href="mailto:santrajan@gmail.com">santrajan@gmail.com</a>>; <a href="mailto:general@openid.net">general@openid.net</a> <<a href="mailto:general@openid.net">general@openid.net</a>><br>
Subject: Re: [OpenID] Password age and password reset<br>
<br>
<br>
On Wed, May 13, 2009 at 11:07 AM, Peter Williams<br>
<<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>> wrote:<br>
> Out of interest, assuming the user has bound several openids to the RP account, which OP gets all this data? The one introducing the current session, or all of them?<br>
<br>
I assume the OP that the user is trying to use to login now?<br>
<br>
><br>
> Does the RP using a vanity OpenID need the user's consent before reporting suspicious or improper (user) conduct to a third party (the OP)? Or should the transfer be covert?<br>
<br>
In what I am proposing the transfer is intermediated by the browser,<br>
so not covert.<br>
<br>
<br>
<br>
--<br>
</div><div class="im">--Breno<br>
<br>
+1 (650) 214-1007 desk<br>
+1 (408) 212-0135 (Grand Central)<br>
MTV-41-3 : 383-A<br>
PST (GMT-8) / PDT(GMT-7)<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
</div><div><div></div><div class="h5"><a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br>
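The two positions above (the RP must know the asserting OP to verify an assertion; in the delegated case that OP is not persisted, so it may differ next session) can be made concrete. This is an added example, not code from the thread or from any OpenID library; the identifier, OP endpoints and the account store are constructed, and it covers only the discovered-information check of OpenID 2.0, not signature or nonce verification.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample discovery result (not from the thread): a vanity
# identifier whose XRDS delegates to an OP-local identifier at a
# hypothetical OP. A real RP obtains this via Yadis/XRDS discovery.
VANITY_DISCOVERY = {
    "claimed_id": "https://alice.example/",
    "op_endpoint": "https://op.example/auth",
    "local_id": "https://op.example/id/alice",  # openid2.local_id (delegate)
}


@dataclass
class AccountStore:
    """RP-side state: which OP endpoint last asserted each bound identifier."""
    last_op: Dict[str, str] = field(default_factory=dict)

    def record(self, claimed_id: str, op_endpoint: str) -> Optional[str]:
        """Store the asserting OP; return the previous OP only if it differs."""
        previous = self.last_op.get(claimed_id)
        self.last_op[claimed_id] = op_endpoint
        return previous if previous not in (None, op_endpoint) else None


def verify_discovered_information(assertion: dict, discovery: dict) -> bool:
    """Check a positive assertion against the RP's own discovery on the
    Claimed Identifier (OpenID 2.0 "Verifying Discovered Information"),
    so an OP the identifier was not delegated to cannot assert it."""
    if assertion.get("openid.claimed_id") != discovery["claimed_id"]:
        return False
    if assertion.get("openid.op_endpoint") != discovery["op_endpoint"]:
        return False
    # With delegation openid.identity must be the OP-Local Identifier;
    # without delegation it equals the Claimed Identifier itself.
    expected = discovery.get("local_id") or discovery["claimed_id"]
    return assertion.get("openid.identity") == expected


def complete_login(store: AccountStore, assertion: dict,
                   discovery: dict) -> Tuple[bool, Optional[str]]:
    """Return (accepted, previous_op). previous_op is set when the same
    vanity identifier is now asserted by a different OP than last time,
    the re-delegation case an RP would want to log or re-confirm."""
    if not verify_discovered_information(assertion, discovery):
        return False, None
    changed_from = store.record(assertion["openid.claimed_id"],
                                assertion["openid.op_endpoint"])
    return True, changed_from
```

The store is what lets the RP notice that a vanity identifier's XRDS has moved to a different OP between sessions, rather than silently trusting whichever OP the latest discovery names.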