On Tue, Dec 16, 2008 at 4:41 PM, Johannes Ernst <span dir="ltr">&lt;jernst+openid.net@netmesh.us&gt;</span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
It's a bit more complicated than that. In many of those cases there is a requirement that some service (say the travel site, for argument's sake) cannot tell the difference whether it was the executive or the assistant who logged in. (Let's call it the vanity argument: the executive is trying to pretend that she can be on top of all things at the same time.)<br>
<br>
Also, the information that the assistant is allowed to act on behalf of the executive should be centralized in one place (perhaps the corporate directory, for argument's sake), while relying parties should not have to be modified to allow for this delegation model or, see above, not even be able to tell.<br>
<br>
I'm thinking that some kind of chained identity might help ... where, say, the assistant uses OpenID <a href="http://example.com/alice" target="_blank">example.com/alice</a> and the executive uses <a href="http://example.com/bob" target="_blank">example.com/bob</a>, both of which can be used to authenticate into the account <a href="http://example.com/executive" target="_blank">example.com/executive</a>. That latter OpenID would then be used by either to log into the travel site.
</blockquote></div><br>Couldn't you use OAuth here, except instead of providing access to an application, you're providing access to a piece of what a particular user could use? After all, isn't OAuth about authorization? <br>
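A toy model of the chained-identity arrangement Johannes describes, added here as an illustration and not code from either poster. It assumes an HMAC over the assertion stands in for an OpenID association (the names EXEC, IdentityProvider, RelyingParty and run_demo are invented): alice and bob both authenticate into example.com/executive, the travel site sees only that identity, and the provider keeps the audit record of who actually signed in and enforces revocation from the central directory.

```python
import hashlib
import hmac
import json

# Constructed sample data (not from the thread): the corporate directory is the
# single place recording who may act as the shared identity.
EXEC = "http://example.com/executive"
DIRECTORY = {EXEC: {"http://example.com/bob",      # the executive herself
                    "http://example.com/alice"}}   # her assistant

class IdentityProvider:
    """Toy OpenID provider: chains a personal OpenID onto the shared one."""
    def __init__(self, secret):
        self.secret = secret
        self.audit = []  # who really signed in; kept only at the provider

    def authenticate_as(self, personal_id, target_id, rp):
        """Return a signed assertion naming only target_id, or None."""
        if personal_id not in DIRECTORY.get(target_id, set()):
            return None
        self.audit.append((personal_id, target_id, rp))
        body = json.dumps({"claimed_id": target_id, "rp": rp}, sort_keys=True)
        sig = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}

class RelyingParty:
    """Toy travel site; the shared HMAC key stands in for an OpenID association."""
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def login(self, assertion):
        """Return the asserted claimed_id, which is all the site ever sees."""
        if assertion is None:
            return None
        expected = hmac.new(self.secret, assertion["body"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None
        body = json.loads(assertion["body"])
        return body["claimed_id"] if body["rp"] == self.name else None

def run_demo():
    """Logins as the travel site sees them, the result after revocation, the audit."""
    key, rp = b"constructed-association-key", "travel.example"
    op, travel = IdentityProvider(key), RelyingParty(rp, key)
    who = ["http://example.com/alice", "http://example.com/bob", "http://example.com/mallory"]
    seen = {p: travel.login(op.authenticate_as(p, EXEC, rp)) for p in who}
    DIRECTORY[EXEC].discard(who[0])  # revoke the assistant centrally; the site is untouched
    after = travel.login(op.authenticate_as(who[0], EXEC, rp))
    return seen, after, list(op.audit)
```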