On 2-Oct-06, at 2:48 AM, Martin Atkins wrote:

> Recordon, David wrote:
>> That was going to be my exact follow-up to my own message, though got distracted. What I phrased was how Dick described it.
>>
>> I like the feature, though agree that many IdPs may be unable to implement it due to how they do session handling. It could be augmented to also contain a response parameter telling the RP if the IdP acknowledged it, then the RP could make the decision if it wants to proceed.
>>
>
> But again, IdPs will just send it whether they did it or not, because it's like a "make it work" flag; people will quickly forget/dismiss what it really means and set it just to make their IdP work.
>
> Unless you've got some way to *prove* that you did it (I can't think of one) there's no point.
>
> This also ignores the fact that not all "IdPs" are going to use sessions and passwords. One could potentially make one that acts on a presented certificate, for example. Or one which just returns "Yes" to everything as an anonymising tool.
OpenID, like many other protocols, places trust on the IdP that it will operate per the protocol. The user takes responsibility for choosing an IdP that they trust to operate appropriately.

e.g.: There is nothing that stops an IdP from *proving* a particular URL belongs to a particular user. Currently I have blame.ca pointing to dick.hardt.myopenid.com; the myopenid.com server could state any user at myopenid.com owns blame.ca, but I trust myopenid.com to not do that. There is no way to *prove* it is me using the URL.

--
Dick

_______________________________________________
specs mailing list
email@example.com
http://openid.net/mailman/listinfo/specs