Re: Re[2]: [PROPOSAL] Separate Public Identifier from IdP Identifier

2006-10-09 Thread Dick Hardt
On 6-Oct-06, at 11:14 AM, Chris Drake wrote: An ***IdP*** can *initiate* the OpenID login with the RP using openid:Token. How the User arrived at the RP with this token is not the concern of the RP. (could be javascript, browser plugins, participating IdP helper CGIs, or even the RP

Re[2]: [PROPOSAL] Separate Public Identifier from IdP Identifier

2006-10-06 Thread Chris Drake
Hi Martin, This is getting very close to what I believe is the main important thing we need in the spec to facilitate privacy, true SingleSignOn, and to help avoid confusing users by getting them to key IdP URLs. The only tweak I would like to see is right at the start, and is implemented using

Re[2]: [PROPOSAL] Separate Public Identifier from IdP Identifier

2006-10-06 Thread Chris Drake
CHRIS DRAKE'S PROPOSED FLOW 1) User *enters* UPI, but a Discovery Agent intercepts this: UPI does *not* get posted to RP 2) Discovery Agent sends UPI to IdP 3) IdP authenticates against UPI 4) IdP selects appropriate RP-specific IPI 5) IdP initiates authentication with RP using IPI Kind