2009/5/13 RL 'Bob' Morgan <rlmor...@washington.edu>:
>
> On Tue, 12 May 2009, Luke Shepard wrote:
>
>> Agreed. If all you want is a group, then I’d think that the response
>> would just not include an identifier.
>>
>> You could use an extension, perhaps AX, to request information about the
>> group a user belongs to.
>>
>> For example, if you wanted to understand company membership, you could
>> request and return only http://axschema.org/company/name.

How do you validate such a response? You need to make sure that the
party making the assertion is authorized to do so. That's what OpenID
discovery is for, and that requires an identifier.

> FWIW, this is consistent with years of practice in many technical domains,
> including Kerberos and SAML.

There, you don't have that problem. In those cases there is only one
party that is allowed to make such assertions.

Dirk.

>
>  - RL "Bob"
>
> _______________________________________________
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
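Dirk's point above, as an added example that is not from the thread: a relying party can only check that the OP asserting an AX company attribute is authorised to speak for the user when the response carries a claimed identifier to run discovery on. Discovery is replaced here by a constructed lookup table, and signature verification is left out.

```python
# Added example (not from the mailing-list thread). Shows why an OpenID
# response that carries only attributes, with no identifier, cannot be
# validated: there is nothing to run discovery against.
from urllib.parse import parse_qs

# Constructed stand-in for OpenID discovery (Yadis/XRDS or HTML-based):
# claimed identifier -> OP endpoint URLs authorised to assert for it.
DISCOVERY = {
    "https://alice.example.org/": {"https://op.example.org/auth"},
}

AX_NS = "http://openid.net/srv/ax/1.0"


def discover(claimed_id):
    """Return the OP endpoints authorised for claimed_id, or None if unknown."""
    return DISCOVERY.get(claimed_id)


def check_assertion(query_string):
    """Check who is allowed to make the assertion (signature checks omitted).

    Returns (ok, reason, ax_attributes)."""
    p = {k: v[0] for k, v in parse_qs(query_string).items()}
    claimed = p.get("openid.claimed_id")
    endpoint = p.get("openid.op_endpoint")
    if not claimed:
        # No identifier: discovery is impossible, so the RP cannot tell
        # whether this OP may speak for anyone. The attributes are unusable.
        return False, "no identifier: discovery impossible", {}
    allowed = discover(claimed)
    if allowed is None:
        return False, "discovery failed for %s" % claimed, {}
    if endpoint not in allowed:
        return False, "op_endpoint %s not authorised for %s" % (endpoint, claimed), {}
    # Only now are the AX attributes worth reading: find the alias bound to
    # the AX namespace and collect type -> value pairs.
    alias = next((k.split(".")[-1] for k, v in p.items()
                  if k.startswith("openid.ns.") and v == AX_NS), None)
    attrs = {}
    if alias:
        for k, v in p.items():
            if k.startswith("openid.%s.type." % alias):
                name = k.rsplit(".", 1)[1]
                attrs[v] = p.get("openid.%s.value.%s" % (alias, name))
    return True, "ok", attrs
```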