Re: Re[2]: [PROPOSAL] Separate Public Identifier from IdP Identifier

2006-10-09 Thread Dick Hardt
On 6-Oct-06, at 11:14 AM, Chris Drake wrote: An ***IdP*** can *initiate* the OpenID login with the RP using openid:Token. How the User arrived at the RP with this token is not the concern of the RP. (could be javascript, browser plugins, participating IdP helper CGIs, or even the RP

Re: [PROPOSAL] Separate Public Identifier from IdP Identifier

2006-10-06 Thread Josh Hoyt
On 10/6/06, Martin Atkins [EMAIL PROTECTED] wrote: * The IdP returns a document naming its authentication endpoint (in the URI field) and a special anonymous token as openid:Token. openid:Token may be the same as the public identifier from the previous step, but this is not required.

RE: [PROPOSAL] Separate Public Identifier from IdP Identifier

2006-10-06 Thread Drummond Reed
On 10/6/06, Martin Atkins [EMAIL PROTECTED] wrote: * The IdP returns a document naming its authentication endpoint (in the URI field) and a special anonymous token as openid:Token. openid:Token may be the same as the public identifier from the previous step

Re[2]: [PROPOSAL] Separate Public Identifier from IdP Identifier

2006-10-06 Thread Chris Drake
Hi Martin, This is getting very close to what I believe is the main important thing we need in the spec to facilitate privacy, true SingleSignOn, and to help avoid confusing users by getting them to key IdP URLs. The only tweak I would like to see is right at the start, and is implemented using

Re[2]: [PROPOSAL] Separate Public Identifier from IdP Identifier

2006-10-06 Thread Chris Drake
CHRIS DRAKE'S PROPOSED FLOW
1) User *enters* UPI, but a Discovery Agent intercepts this: UPI does *not* get posted to RP
2) Discovery Agent sends UPI to IdP
3) IdP authenticates against UPI
4) IdP selects appropriate RP-specific IPI
5) IdP initiates authentication with RP using IPI
Kind

Re: [PROPOSAL] Separate Public Identifier from IdP Identifier

2006-10-06 Thread Kevin Turner
From http://www.lifewiki.net/openid/SeparateIdentifierFromIdPToken (change #3): Impact on XRI-based auth: An XRI is, for this purpose, a URI that can be resolved into a URL at which we can do Yadis discovery. Once Yadis discovery begins, flow continues as in the original proposal, where

RE: [PROPOSAL] Separate Public Identifier from IdP Identifier

2006-10-06 Thread Drummond Reed
+1 to Kevin's point here -- no second discovery step is needed with an XRI. =Drummond -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Turner Sent: Friday, October 06, 2006 1:58 PM To: specs@openid.net Subject: Re: [PROPOSAL] Separate Public

Re: [PROPOSAL] Separate Public Identifier from IdP Identifier

2006-10-05 Thread Marius Scurtescu
Sent: Wednesday, October 04, 2006 11:34 AM To: specs@openid.net Subject: [PROPOSAL] Separate Public Identifier from IdP Identifier Currently the conceptual model is that each user has a public (that is, presented to RPs) identifier, but can optionally create additional identifiers which