Johnny Bufu gives a reason for directed identity as; “- user changing their mind at the OP (OP can keep better track of which identifiers the user presented at each RP)”
This is another good reason for identifying the RP during discovery so the “name provider” can redirect the user-entered identifier to the identifier the user presents at this RP. [http://openid.net/pipermail/specs/2007-October/002007.html] You can get functionality quite similar to “directed identity”, but using an extra redirect during discovery, instead of performing discovery twice (before and after authentication). Directed identity should be kept, but the RP should also identify themself during discover. Add to spec: “The Relying Party MUST include a "From" HTTP header field in each HTTP request made during discovery.” ---------- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Johnny Bufu Sent: Saturday, 17 November 2007 5:08 AM To: [EMAIL PROTECTED] Cc: [email protected] Subject: Re: [security] Validating openid.identity in authenticationresponses On 16-Nov-07, at 9:01 AM, David Recordon wrote: > This is actually desired functionality to allow for "directed > identity". The use case here is that an End User might type their OP > Identifier such as "http://aol.com"; to start the discovery process. > Then while at the OP, they could potentially create a new OpenID > Identifier on the fly or might only have one which is where this can > also serve as a convenience feature. I'll add to that: - OP initiated login - user changing their mind at the OP (OP can keep better track of which identifiers the user presented at each RP) _______________________________________________ security mailing list [email protected] http://openid.net/mailman/listinfo/security
