Consolidated Delegate Proposal
Dick Hardt
dick at sxip.com
Tue Oct 10 18:11:09 UTC 2006
On 10-Oct-06, at 10:18 AM, Martin Atkins wrote:
> Recordon, David wrote:
>> Dick,
>> It is needed in the case where there is delegation with a URL,
>> openid.identity is the actual URL on the IdP and then openid.rpuserid is
>> the URL that the user entered which delegates to openid.identity. This
>> is then also used in the similar case with XRI delegation.
>>
>
> Does the IdP really need to know what URL I gave to the RP?
>
> Earlier versions handled this adequately by the library including
> implementer-defined variables in the return_to URL, which allows a
> stateful RP to hide the real identifier behind a meaningless session
> token, which satisfies Brad's criteria that the RP should be able to
> hide from the IdP the fact that delegation is in use.
Given that a Google of the delegate tag will yield all URLs containing it,
there is no value in hiding delegation anymore.