Ah, I see what you're getting at now. Thanks for explaining it to me. You know, in the return message from RP to OP a few varying degrees could be given without giving away too much, I think: "logged out", "not logged out". That way in the OP's iframe it could just show an exclamation mark at that RP saying "we couldn't log you out here". Windows Live ID and Facebook have similar functionality here, I think.<div>
<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Sat, Oct 3, 2009 at 9:12 AM, SitG Admin <span dir="ltr">&lt;<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div class="im">
<div>>The detail that RP1 required positive assertions from OP1<i>
and</i> OP2 to log the user in seems inconsequential.</div>
<div><br></div>
</div><div>Or it could be a varying-levels-of-assurance login, with the user
able to provide higher levels as needed to take sensitive actions
(perhaps through an OP that only authenticates for 5 minutes at a
time, and uses one-time passwords).</div><div class="im">
<div><br></div>
<div>>As soon as RP1 gets the "log out" assertion from
the OP, it only has OP2 with a standing positive assertion left, and
therefore logs the user out.</div>
<div><br></div>
</div><div>Or it lowers the user's level of access, and the user merely
*thinks* their terminal has been logged out. This worries me. If the
OP signals (somehow) that this is (intended as) a universal logout,
how does an RP signal back that the user ought to visit their site for
more actions, without revealing the likelihood of other active OPs?
(It may be unavoidable. RPs supporting MultiAuth should probably
alert the user to the difficulty of balancing privacy with universal
logout.)</div>
<div><br></div>
<div>-Shade</div>
</div>
</blockquote></div><br></div>