<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="City"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="place"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Arial Unicode MS";
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"\@Arial Unicode MS";
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:0cm;
margin-right:0cm;
margin-bottom:6.0pt;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Arial Unicode MS";
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
@page Section1
{size:595.3pt 841.9pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-AU link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'>It
can be useful to know who the Relying Party (RP) is during the discovery phase.
That is, the RP should state their identify when they are looking up a user’s
OpenID URL (Claimed Identifier).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'><o:p> </o:p></span></p>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'>Use
case</span></b><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'>: <st1:City
w:st="on"><st1:place w:st="on">Alice</st1:place></st1:City> wants to use
different OPs for different RPs, while keeping the same URL (eg
http://alice.example.net/). For instance, when logging into a service hosting
her backups she wants to use an OP that requires a one-time password from a
hardware token for each access. However, when leaving comments on blogs <st1:place
w:st="on"><st1:City w:st="on">Alice</st1:City></st1:place> wants to
authenticate using an OP that only requires a password and uses a persistent
cookie so she only has to log in once a day.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'><o:p> </o:p></span></p>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'>Problem</span></b><span
style='font-size:10.0pt;font-family:"Arial Unicode MS"'>: Only one OP can be
specified with a <link rel="openid2.provider"…/> element or in
a Yadis document.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'>[A
Yadis document may be able to list many OPs, but I don’t think there is any
mechanism for the RP to pick the right one.]<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'><o:p> </o:p></span></p>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'>Solution</span></b><span
style='font-size:10.0pt;font-family:"Arial Unicode MS"'>: The RP could include
a From HTTP header when performing discovery.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'>Instead
of serving a static HTML page (or Yadis document) at <a
href="http://alice.example.net/">http://alice.example.net/</a>, the page could
be dynamically generated based on the value of the From header.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'>Suggested
text for the authentication spec (draft 12):<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'>Add
the following paragraph at the end of section 7.3 Discovery:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'>“The
Relying Party MUST include a From HTTP header field in each HTTP request made
during discovery. The From field holds an email address for the RP (eg From: <a
href="mailto:openid@example.net">openid@example.net</a>) [RFC2616]. This enables
the discovered information to vary based on the RP. The From field is not
authenticated so it is not appropriate to use for access control.”<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'><o:p> </o:p></span></p>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'>Other
solutions</span></b><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'>:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'>The
source IP address of the discovery request will often identify the RP, but this
would be an unreliable mechanism due to proxies, clusters, load balancing, and
changes at the RP.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'>Separate
user-supplied identifiers could be used, but that unnecessarily complicates the
system for users.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'>OPs
can offer different authentication mechanisms based on the openid.return_to or
openid.realm parameter in an authentication request. However, the user has less
flexibility when they have to relying on OPs.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial Unicode MS"'>James
Manger<o:p></o:p></span></p>
</div>
</body>
</html>