<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Peter,</div><div><br></div>Unfortunately, the need for pseudonymous identifiers directly conflicts with delegation.<div><br></div><div>You would be on the correct track to assume that if a particular RP has a requirement to not be able to correlate the user ID, then delegation would be prohibited.</div><div><br></div><div>In cases where pseudonymous identifiers are not required, it is possible to have delegation as long as the OP that is delegated to is certified. If you change delegated OPs, your new OP would need to be certified as well to have it work.</div><div><br></div><div>OPs themselves may not feel comfortable, for liability reasons, providing assertions for a claimed_id that they are not authoritative for.</div><div><br></div><div>Your mileage on delegation will vary depending on the RP and the OP delegated to.</div><div><br></div><div>John B.</div><div><br></div><div><div><div>On 11-Aug-09, at 10:22 AM, <a href="mailto:openid-general-request@lists.openid.net">openid-general-request@lists.openid.net</a> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><span class="Apple-style-span" style="font-family: monospace; ">Date: Tue, 11 Aug 2009 09:30:33 -0700<br>From: Peter Williams <<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>><br>Subject: Re: [OpenID] OpenID + 
Government<br>To: "J. Trent Adams" <<a href="mailto:jtrentadams@gmail.com">jtrentadams@gmail.com</a>>, Chris Messina<br><span class="Apple-tab-span" style="white-space: pre; ">        </span><<a href="mailto:chris.messina@gmail.com">chris.messina@gmail.com</a>><br>Cc: OpenID List <<a href="mailto:general@openid.net">general@openid.net</a>><br>Message-ID:<br><span class="Apple-tab-span" style="white-space: pre; ">        </span><<a href="mailto:BFBC0F17A99938458360C863B716FE463DCDF43EC4@simmbox01.rapnt.com">BFBC0F17A99938458360C863B716FE463DCDF43EC4@simmbox01.rapnt.com</a>><br>Content-Type: text/plain; charset="us-ascii"<br><br><br>"That draft includes requirements that OpenID or related Info Card identities not be used to authenticate people who are physically present (it's just for remote online access), "<br><br><br>given an openid is controlled by the user (not the provider), how can any one provider assure the govt of this?<br><br>The whole point of openid (in contrast to incommon's version of SAML2, say) is that the identity is controlled by the user. 
If Google suspends or terminates the relationship with a given user today (because Google claims the user violated their terms of service), the user HAS to have the means to access his/her Plaxo RP account -- with no additional steps.<br><br>I'm going to guess that for any complying provider, they will have to disable support for openid delegation, which allows one openid to be used (a) in compliance with the draft requirements (when Yahoo is the TSP-certified OP selected by a .gov website), and (b) not in compliance (when some non-certified OP "testing for and claiming physical presence" is the OP selected by some other, non-.gov website).<br><br>Since the architecture allows any one id through delegation to be different things to different assertion consumers, the only way for Yahoo (say) to comply with the assurance draft is to ELIMINATE ITS SUPPORT FOR OPENID DELEGATION (which Google has already done, apparently).<br><br>We seem to be rapidly losing what openid is/was all about: user empowerment and control.<br></span></span></blockquote></div><br></div></body></html>
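The thread above turns on one mechanical fact of OpenID 2.0 delegation: a user-controlled claimed_id page carries <link rel="openid2.provider"> and <link rel="openid2.local_id"> tags, so the same identifier can resolve to a different OP at each login. The following Python is an added example, not code from the list thread or from any OpenID library. It implements the two rules John B. describes from the RP side: refuse delegation when the RP needs pseudonymous (non-correlatable) identifiers, and otherwise require that the OP discovered right now is on the RP's certified list, since the claimed_id string alone says nothing about who will assert it. It also shows the discovery check an RP must run on the returned assertion so that an uncertified OP cannot answer for a claimed_id that was discovered as delegating elsewhere. The hostnames, the certified-OP list and the three discovery pages are constructed for the example; signature verification is out of scope.

```python
# Added example (hypothetical RP-side code, not from the thread).
# OpenID 2.0 HTML discovery: rel="openid2.provider" gives the OP endpoint,
# rel="openid2.local_id" (optional) the OP-local identifier. When local_id
# is present the claimed_id is *delegated*: the user owns the URL and can
# repoint it at another OP at any time.
from html.parser import HTMLParser
from typing import Dict, FrozenSet, Optional, Tuple


class _LinkRelParser(HTMLParser):
    """Collect href values of <link rel="..."> tags; first occurrence wins."""

    def __init__(self) -> None:
        super().__init__()
        self.rels: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.split():        # rel may carry several tokens
                self.rels.setdefault(token.lower(), href)


def discover(claimed_id_html: str) -> Tuple[str, Optional[str]]:
    """Return (op_endpoint, local_id); local_id is None when not delegated."""
    p = _LinkRelParser()
    p.feed(claimed_id_html)
    op = p.rels.get("openid2.provider")
    if op is None:
        raise ValueError("no openid2.provider link: discovery failed")
    return op, p.rels.get("openid2.local_id")


def check_delegation(claimed_id_html: str, certified_ops: FrozenSet[str],
                     require_pseudonymous: bool) -> Tuple[bool, str]:
    """Decide whether the RP may send the user to the OP discovered *now*."""
    op, local_id = discover(claimed_id_html)
    delegated = local_id is not None
    if require_pseudonymous and delegated:
        # A delegated claimed_id is a user-controlled URL that stays the same
        # whichever OP asserts it, so it can never be a pairwise identifier.
        return False, "delegation refused: RP requires pseudonymous identifiers"
    if op not in certified_ops:
        # Certification is a property of the OP discovered at this login,
        # not of the claimed_id string, which the user can repoint at will.
        return False, "OP endpoint %s is not certified" % op
    return True, "send user to %s as %s" % (op, local_id or "<claimed_id>")


def verify_response(claimed_id: str, claimed_id_html: str,
                    response: Dict[str, str]) -> bool:
    """Discovery verification of a positive assertion: the OP endpoint and
    identity in the response must match what discovery on the claimed_id
    said, so an OP cannot assert a claimed_id it was not discovered for."""
    op, local_id = discover(claimed_id_html)
    return (response.get("openid.claimed_id") == claimed_id
            and response.get("openid.op_endpoint") == op
            and response.get("openid.identity") == (local_id or claimed_id))


# --- constructed sample data (hypothetical hosts) -------------------------
CLAIMED_ID = "https://alice.example.net/"
CERTIFIED_OPS = frozenset({"https://op.certified.example/server"})

PAGE_CERTIFIED = """<html><head>
<link rel="openid2.provider" href="https://op.certified.example/server">
<link rel="openid2.local_id" href="https://op.certified.example/id/alice">
</head><body>alice</body></html>"""

# Same claimed_id, later: the user has repointed delegation elsewhere.
PAGE_UNCERTIFIED = """<html><head>
<link rel="openid2.provider" href="https://op.unknown.example/server">
<link rel="openid2.local_id" href="https://op.unknown.example/id/alice">
</head><body>alice</body></html>"""

# No delegation: the identifier is hosted by the OP itself.
PAGE_NOT_DELEGATED = """<html><head>
<link rel="openid2.provider" href="https://op.certified.example/server">
</head><body>alice</body></html>"""

if __name__ == "__main__":
    for name, page in [("certified", PAGE_CERTIFIED),
                       ("uncertified", PAGE_UNCERTIFIED),
                       ("not delegated", PAGE_NOT_DELEGATED)]:
        for pseud in (False, True):
            ok, why = check_delegation(page, CERTIFIED_OPS, pseud)
            print("%-13s pseudonymous=%-5s -> %s: %s" % (name, pseud, ok, why))
```

The two discovery pages for the same claimed_id are the point: nothing in the identifier tells the RP which OP will answer, so a certification check bound to the claimed_id rather than to the freshly discovered endpoint is no check at all, which is exactly why a certified OP cannot vouch for delegated identifiers it does not host.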