No, the profile does not allow delegation. But not for the reason one might expect.<div><br></div><div>In the profile, RPs are <i>not allowed</i> to display a text field for user entry. The profile is quite paranoid about not exposing any PII, and if the user were allowed to enter anything, that might give away something about the personal identity of the user. So instead, RPs must use the NASCAR OP button display, which means all authentications begin with an OP identifier (thus no delegation).</div>
<div><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Wed, Sep 9, 2009 at 6:45 AM, Peter Williams <span dir="ltr">&lt;<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p><span style="font-size:11.0pt;color:#1F497D">Does it work with delegation?</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">That is, will the US govt RPs pick one of the OPs from my
list (which I may change)? </span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt">
<a href="mailto:openid-general-bounces@lists.openid.net" target="_blank">openid-general-bounces@lists.openid.net</a>
[mailto:<a href="mailto:openid-general-bounces@lists.openid.net" target="_blank">openid-general-bounces@lists.openid.net</a>] <b>On Behalf Of </b>Andrew
Arnott<br>
<b>Sent:</b> Wednesday, September 09, 2009 6:36 AM<br>
<b>To:</b> general<br>
<b>Subject:</b> [OpenID] DotNetOpenAuth announces support of the Government
profile of OpenID</span></p>
</div><div><div></div><div class="h5">
<p> </p>
<div>
<div>
<p>The <a href="http://www.idmanagement.gov/drilldown.cfm?action=openID_openGOV" target="_blank">government has just announced</a> that they are piloting
accepting OpenID on several of their web sites, and the major OpenID Providers
(Google, Yahoo, AOL, PayPal, Verisign) will be <a href="http://openid.net/u-s-government-openid-pilot-program-participants/" target="_blank">supporting Providers</a> of this new Government profile for
OpenID.</p>
</div>
<div>
<p> </p>
</div>
<div>
<p>What is this "<a href="http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf" target="_blank">government profile</a>"? Basically it's a set of
rules that an OP and RP must follow. These rules are more restrictive
than, but nonetheless compliant with, the OpenID 2.0 spec. For example,
HTTPS must be used throughout the process, and shared associations must only
last up to a given maximum length of time.</p>
</div>
<div>
<p> </p>
</div>
<div>
<div>
<p>I'm very pleased to announce that <b><a href="http://dotnetopenauth.net/" target="_blank">DotNetOpenAuth</a> has support for this
government profile</b>, and in fact is the underlying library used by the NIH
for its OpenID RP support. Watch for a new release of DNOA (3.2.1) in the
next day or two that actually includes the government profile in it.</p>
</div>
<div>
<p> </p>
</div>
</div>
<p><a href="http://www.techcrunch.com/2009/09/09/us-government-to-embrace-openid-courtesy-of-google-yahoo-paypal-et-al/" target="_blank">More in the news</a><span style="color:#888888"></span></p>
<div>
<p><span style="color:#888888"><br clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre</span></p>
</div>
</div>
<p> </p>
</div></div></div>
</div>
</blockquote></div><br></div>
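<div>The rules discussed in this thread (HTTPS throughout, a capped association lifetime, and logins that start from an OP identifier so delegation never occurs), written as a check an RP could run on its outgoing OpenID 2.0 request. This is an added example, not code from the thread or from DotNetOpenAuth; the function name, the sample hosts and the lifetime cap passed in are assumptions.</div>

```python
from urllib.parse import urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID2_NS + "/identifier_select"


def profile_violations(op_endpoint, request, assoc_expires_in, max_assoc_seconds):
    """List the ways an outgoing RP request breaks the rules described above.

    max_assoc_seconds is an assumption supplied by the caller: the thread says
    the profile caps association lifetime but does not give the number.
    """
    problems = []
    if request.get("openid.ns") != OPENID2_NS:
        problems.append("not an OpenID 2.0 message")
    # HTTPS throughout: the OP endpoint and every URL the RP hands to the OP.
    urls = {"op_endpoint": op_endpoint}
    urls.update((k, request[k]) for k in ("openid.return_to", "openid.realm") if k in request)
    for name, url in urls.items():
        if urlsplit(url).scheme.lower() != "https":
            problems.append(f"{name} is not HTTPS")
    # A login started from an OP button has no claimed identifier yet, so OpenID 2.0
    # sends identifier_select in both fields. Any other value names a specific user.
    claimed = request.get("openid.claimed_id")
    identity = request.get("openid.identity")
    if claimed != IDENTIFIER_SELECT or identity != IDENTIFIER_SELECT:
        if claimed and identity and claimed != identity:
            problems.append("delegated identifier (claimed_id differs from identity)")
        else:
            problems.append("request names a specific user identifier")
    if assoc_expires_in > max_assoc_seconds:
        problems.append("association outlives the allowed maximum")
    return problems


# Constructed sample requests (hypothetical hosts, not captured traffic).
BUTTON_REQUEST = {
    "openid.ns": OPENID2_NS,
    "openid.mode": "checkid_setup",
    "openid.claimed_id": IDENTIFIER_SELECT,
    "openid.identity": IDENTIFIER_SELECT,
    "openid.return_to": "https://rp.example.gov/return",
    "openid.realm": "https://rp.example.gov/",
}
DELEGATED_REQUEST = {
    **BUTTON_REQUEST,
    "openid.claimed_id": "http://alice.example/",
    "openid.identity": "https://op.example/users/alice",
    "openid.return_to": "http://rp.example.gov/return",
}
```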