<div>During the session cookie request, we are notifying the RP of the isLoggedIn attribute. The RP will already have this value (along with the matching OpenID Identifier) because it was notified of the value when the isLoggedIn attribute was updated. The RP can then build a cookie that matches the User Agent to the Identifier.</div>
<div> </div>
<div>Because AX unsolicited responses have to be verified with the OpenID Provider, forcing the RP to look up the Identifier using the value of the isLoggedIn attribute ensures that we are matching up to the correct Identifier, and removes a potential security hole.</div>
<div> </div>
<div>For the RP-initiated log-out scenario, you can have the RP update the isLoggedIn attribute using Attribute Exchange. Since the change requires user approval, this will ensure a rogue RP cannot accidentally log the user out.</div>
<div> </div>
<div>Although browser extensions are great ideas, not all types of browsers can load extensions. For instance, a mobile phone or web tablet may not have the ability to install Verisign's Seatbelt. This is intended to be a way to have SSO-like functions without modifying the User Agent.</div>
<div> </div>
<div>Also, this is not technically an SSO implementation. We are not assuring all the RPs that this User Agent owns this OpenID, only that we think it does. This means that each RP will have to perform its own (automated) OpenID login process when the User Agent visits the site. Since the cookie makes it easy to figure out which OpenID Identifier to use, the process becomes easy.</div>
<div> </div>
<div>Thanks,</div>
<div> </div>
<div>John<br> </div>
<div><span class="gmail_quote">On 2/20/08, <b class="gmail_sendername">Tatsuya KATSUHARA</b> <<a href="mailto:t-katsuhara@nri.co.jp">t-katsuhara@nri.co.jp</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Thanks!<br><br>1st: How to input the OpenID implicitly.<br>2nd: How to SLO from the RP/OP (how to notify the RP or OP).<br>
<br>For the 1st, you issue a site-specific session cookie and notify the value<br>of the *isLoggedin* attribute requested on the last? explicit login from<br>the RP, and the UA will get the authenticated session cookie via an IMG tag. I think<br>
federationId should include the OpenID/i-name, or the RP gets an anonymous user's<br>authenticated session. Do you mention it?<br><br>Incidentally, I think it's enough that the browser extension feeds the OpenID<br>to the form automatically and starts with openid.mode="immediate".<br>
<br>For the 2nd, what you say is a good way. In fact SAML 2.0 does SingleLogOut<br>negotiation. To add another word, it would be good to add an RP-initiated<br>logout scenario.<br><br>As I said, a browser extension achieves logout automatically. But<br>
the SingleLogOut timing should be right, unlike SingleSignIn, from the view of<br>security. If you have any, please let me know good ideas.<br><br><br>In all honesty, I feel this draft is a little tricky, but whether<br>OpenID, which is loosely coupled, takes SingleSignIn/LogOut into the spec or not<br>
is a very interesting issue. I would like to know what subscribers<br>think...<br><br>--<br>=katsuhara <<a href="http://xri.net/=katsuhara">http://xri.net/=katsuhara</a>><br><br><br>John Ehn wrote:<br>> I've posted a Draft 0 version to the OpenID Wiki. Please feel free to<br>
> comment and modify as needed.<br>><br>> <a href="http://wiki.openid.net/Federation_Extension">http://wiki.openid.net/Federation_Extension</a><br>><br>> Thanks,<br>><br>> John<br>><br>> On 2/19/08, John Ehn <<a href="mailto:john@extremeswank.com">john@extremeswank.com</a>> wrote:<br>
>> Brett,<br>>><br>>> No formal process. All RFC through the mailing list.<br>>><br>>> Thanks,<br>>><br>>> John<br>>><br>>><br>>> On 2/19/08, Brett Carter <<a href="mailto:brett@rdnzl.net">brett@rdnzl.net</a>> wrote:<br>
>>> John Ehn wrote:<br>>>>> Sounds good. I'm working on a draft. Once it's in a readable state,<br>>>>> I'll post it for comments.<br>>>>><br>>>>> Thanks!<br>
>>> Is there a formal process for submitting a proposal yet? Or are we just<br>>>> going with RFC format for now?<br>>>> -Brett<br>>>><br>>><br>><br>><br>> ------------------------------------------------------------------------<br>
><br>> _______________________________________________<br>> specs mailing list<br>> <a href="mailto:specs@openid.net">specs@openid.net</a><br>> <a href="http://openid.net/mailman/listinfo/specs">http://openid.net/mailman/listinfo/specs</a><br>
</blockquote></div><br>
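<div>The RP-side logic John describes above (accept the unsolicited isLoggedIn update only after verifying it with the OpenID Provider, then look the Identifier up from the isLoggedIn value when the IMG-tag session cookie request arrives, never trusting an Identifier the request itself supplies), as an added illustration that is not part of the Federation Extension draft or of either author's code. The signature check is the real OpenID 2.0 one (HMAC-SHA1 over the key-value form of the fields named in openid.signed, using the association MAC key); the AX attribute name, the message layout, the MAC key and the sample identifiers are all assumptions made up for this example, since the draft does not fix a wire format.</div>

```python
import base64
import hashlib
import hmac
import secrets

# Constructed association MAC key shared by the OP and this RP.  In OpenID 2.0
# it comes from the association handshake; this value is made up for the example.
MAC_KEY = b"constructed-example-association-mac-key"


def kv_signature(msg, mac_key):
    """OpenID 2.0 response signature: HMAC-SHA1 over the key-value form
    ("name:value\\n" per field, names taken from openid.signed without the
    "openid." prefix), base64-encoded."""
    signed_names = msg["openid.signed"].split(",")
    kv = "".join(f"{name}:{msg['openid.' + name]}\n" for name in signed_names)
    digest = hmac.new(mac_key, kv.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def make_ax_update(claimed_id, is_logged_in, nonce, mac_key=MAC_KEY):
    """What the OP pushes to the RP when isLoggedIn changes: an unsolicited,
    signed positive assertion carrying the attribute.  Attribute type URI and
    field layout are assumptions for this example, not the draft's format."""
    msg = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.claimed_id": claimed_id,
        "openid.response_nonce": nonce,
        "openid.ns.ax": "http://openid.net/srv/ax/1.0",
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.isLoggedIn": "http://example.invalid/federation/isLoggedIn",
        "openid.ax.value.isLoggedIn": is_logged_in,
        "openid.signed": "mode,claimed_id,response_nonce,ns.ax,ax.mode,"
                         "ax.type.isLoggedIn,ax.value.isLoggedIn",
    }
    msg["openid.sig"] = kv_signature(msg, mac_key)
    return msg


class RelyingParty:
    def __init__(self, mac_key=MAC_KEY):
        self.mac_key = mac_key
        self.identifier_by_token = {}   # isLoggedIn value -> verified claimed_id
        self.seen_nonces = set()        # response_nonce values already accepted

    def receive_ax_update(self, msg):
        """Accept the unsolicited AX response only after verifying it against
        the association shared with the OP (check_authentication would do the
        same job without a stored MAC key).  Replays are rejected by nonce."""
        if msg.get("openid.mode") != "id_res" or "openid.sig" not in msg:
            return False
        if msg.get("openid.response_nonce") in self.seen_nonces:
            return False
        try:
            expected = kv_signature(msg, self.mac_key)
        except KeyError:            # a field named in openid.signed is missing
            return False
        if not hmac.compare_digest(expected, msg["openid.sig"]):
            return False
        self.seen_nonces.add(msg["openid.response_nonce"])
        token = msg["openid.ax.value.isLoggedIn"]
        self.identifier_by_token[token] = msg["openid.claimed_id"]
        return True

    def session_cookie_request(self, is_logged_in, claimed_id_hint=None):
        """The IMG-tag request from the User Agent.  The Identifier is looked
        up from the isLoggedIn value the OP already told us about; whatever
        Identifier the request claims (claimed_id_hint) is deliberately
        ignored, because trusting it would let any request bind this User
        Agent to an Identifier it does not own."""
        identifier = self.identifier_by_token.get(is_logged_in)
        if identifier is None:
            return None                 # unknown token: no cookie, fall back to a full login
        return {"openid": identifier, "session": secrets.token_urlsafe(16)}
```

<div>The lookup only closes the hole if the isLoggedIn value is unguessable and per-RP (assumed here), since it is effectively a bearer token for the cookie exchange; a guessable value would let a third party obtain a session cookie for someone else's Identifier without ever touching the OP.</div>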