What is Facebook could send a message logging out users from Google and Microsoft without the users consent?
I see an identity correlation attack where the OP is offering anonymous Identities as requested but the user is not availing themselves of this for any non-secure site: if you want to test whether a user of site B (insecure, non-anonymous Identity) is also currently active on site A (secure) as an anonymous user, keep the session active and then suddenly initiate single-sign-out from A, seeing if the activity on B also ceases.
-Shade _______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
