2009/5/13 RL 'Bob' Morgan <rlmor...@washington.edu>:
>
> On Tue, 12 May 2009, Luke Shepard wrote:
>
>> Agreed. If all you want is a group, then I’d think that the response
>> would just not include an identifier.
>>
>> You could use an extension, perhaps AX, to request information about the
>> group a user belongs to.
>>
>> For example, if you wanted to understand company membership, you could
>> request and return only http://axschema.org/company/name.

How do you validate such a response? You need to make sure that the party making the assertion is authorized to do so. That's what OpenID discovery is for, and that requires an identifier.

> FWIW, this is consistent with years of practice in many technical domains,
> including Kerberos and SAML.

There, you don't have that problem. In those cases there is only one party that is allowed to make such assertions.

Dirk.

>
> - RL "Bob"
>
> _______________________________________________
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs