On 02/02/2008, Kevin Turner <[EMAIL PROTECTED]> wrote:
> On Sat, 2008-02-02 at 08:51 +1100, James Henstridge wrote:
> > > 5. A way for OpenID relying parties to filter out OPs. In a business
> > > scenario, if I run the Sun employee store, I may only want the Sun OP to
> > > talk with me.
> >
> > This is already possible with OpenID 2.0:
> [snip]
>
> This is already possible with OpenID 1.0:
>
> Perform discovery on the given identifier.  Compare the discovered OP
> Endpoint to those in your filter.  If you do not like what you see, do
> not proceed.

Right.  I guess I forgot about that after using directed identity for
a few cases just like this.  I'd argue that directed identity with a
fixed OP URL can provide a nicer workflow for these sorts of closed
environments though:
 1. the RP need not ask for a user name, so all authentication occurs on the OP.
 2. If the user is already authenticated to the OP, the user could be
authenticated to the RP without having to enter any input (if
desired).
 3. As mentioned earlier, the user does not need to know their
identity URL (or even that they have one) -- they only need to know
the credentials needed to log into the OP.

James.
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
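
The two approaches discussed in this thread, as an added example that is not part of the original messages: an RP-side filter that compares a discovered OP Endpoint against an allowlist, and a directed-identity request sent to a fixed OP URL. The endpoint, return_to and realm values are constructed, the function names are hypothetical, and discovery itself is assumed to be done by the RP's OpenID library.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID2_NS + "/identifier_select"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed filter for a closed deployment (hypothetical OP endpoint).
ALLOWED_OPS = ["https://op.example.com/openid/endpoint"]


def normalize_endpoint(url):
    """Canonical form for comparison: lowercase scheme and host, no userinfo,
    no default port, no fragment."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(scheme):
        host = "%s:%d" % (host, parts.port)
    return urlunsplit((scheme, host, parts.path or "/", parts.query, ""))


def op_allowed(discovered_endpoint, allowed=ALLOWED_OPS):
    """True only if the OP Endpoint found by discovery is in the RP's filter."""
    wanted = {normalize_endpoint(a) for a in allowed}
    return normalize_endpoint(discovered_endpoint) in wanted


def directed_identity_request(op_endpoint, return_to, realm):
    """Redirect URL for an OpenID 2.0 checkid_setup request in which the OP,
    not the user, chooses the identifier (directed identity)."""
    if not op_allowed(op_endpoint):
        raise ValueError("OP endpoint is not in the filter: %r" % op_endpoint)
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    base = normalize_endpoint(op_endpoint)
    sep = "&" if urlsplit(base).query else "?"
    return base + sep + urlencode(params)
```

With directed identity the RP learns the claimed identifier only from the OP's response, so the same `op_allowed` check belongs on the endpoint discovered for that returned identifier before the assertion is accepted.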
