Who is authoritative for a Subject will depend on the trust model.
In the common case it would be based on whoever controls the
signing/SSL certificate for the domain name in the URL.
It would be excellent if the common OpenID libraries could exceed
modern browsers' security model in this respect; the root CAs are a
group from within which individual members may act in effective
anonymity. Being able to discriminate between different CAs would
also lower the bar to alternatives like self-signed certificates (or
someone using their own CA).
-Shade
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs