Attributes like group membership belong in AX, not in the identifier.
I suspect the idea is to have a pseudonymous identifier that
discloses nothing about the person using it other than the fact that
they can assert the same ID each time they return to prevent
correlation.
To further prevent correlation, the OP may wish to support users in
authenticating as members of a group - *in such a way* that
individual users cannot be distinguished from one another. If not for
that, RPs could correlate information over time, establishing
theoretical profiles of the users.
I think one compromise could be to use a traditional identifier, and
then use AX to signal to the RP that the OP might vouch for more than
one individual having that URI.
-Shade
_______________________________________________
specs mailing list
[email protected]
http://openid.net/mailman/listinfo/specs
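The compromise sketched in the message above, worked out as a pair of OpenID 2.0 messages (added example, not code from the post or from any OpenID implementation): the OP returns an ordinary identifier and adds one AX fetch_response attribute that says "more than one person may assert this URI"; the RP reads it and declines to key a per-user profile on the identifier. The attribute type URI SHARED_ID_TYPE is a hypothetical placeholder, not a defined AX attribute, and the signature value is a stand-in since the point is which fields the OP signs, not how. The check a practitioner would want is the one on openid.signed: AX data that is not covered by the signature travels through the user agent unprotected, so the RP ignores it.

```python
"""Hypothetical "shared identifier" flag carried in OpenID Attribute Exchange.

Constructed example: the attribute type URI below is an assumption made for
illustration, not an attribute defined by the AX 1.0 specification.
"""

OPENID_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
# Hypothetical attribute type (assumption). Value "true" means the OP vouches
# for a group of people behind this identifier rather than one individual.
SHARED_ID_TYPE = "http://example.com/ax/shared_identifier"


def build_op_response(claimed_id, shared, sign_ax=True):
    """OP side: positive assertion (mode id_res) plus an AX fetch_response.

    sign_ax controls whether the AX fields are listed in openid.signed. The
    signature itself is a placeholder; computing the HMAC is out of scope.
    """
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.org/server",   # constructed
        "openid.return_to": "https://rp.example.net/return",     # constructed
        "openid.response_nonce": "2007-01-01T00:00:00Zabc123",   # constructed
        "openid.assoc_handle": "assoc-1",                        # constructed
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.shared": SHARED_ID_TYPE,
        "openid.ax.value.shared": "true" if shared else "false",
    }
    # Fields OpenID 2.0 requires to be signed in a positive assertion.
    signed = ["op_endpoint", "return_to", "response_nonce",
              "assoc_handle", "claimed_id", "identity"]
    if sign_ax:
        signed += ["ns.ax", "ax.mode", "ax.type.shared", "ax.value.shared"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = "<hmac-over-signed-fields-omitted>"  # placeholder
    return fields


def parse_ax(fields):
    """RP side: return {type_uri: value} for single-valued AX attributes whose
    namespace, type and value fields are all covered by openid.signed.

    Unsigned AX parameters are dropped: they pass through the user agent and
    could have been added or altered on the way to the RP. Multi-valued
    attributes (openid.ax.count.<alias>) are not handled here.
    """
    if fields.get("openid.ns.ax") != AX_NS:
        return {}
    if fields.get("openid.ax.mode") != "fetch_response":
        return {}
    signed = set(fields.get("openid.signed", "").split(","))
    if "ns.ax" not in signed or "ax.mode" not in signed:
        return {}
    attrs = {}
    prefix = "openid.ax.type."
    for key, type_uri in fields.items():
        if not key.startswith(prefix):
            continue
        alias = key[len(prefix):]
        if f"ax.type.{alias}" not in signed or f"ax.value.{alias}" not in signed:
            continue
        value = fields.get(f"openid.ax.value.{alias}")
        if value is not None:
            attrs[type_uri] = value
    return attrs


def profile_key(fields):
    """RP side: key under which behaviour for this login may be recorded.

    Returns None when the OP has signalled (in signed AX data) that the
    identifier is shared, i.e. the RP must not build a per-user profile on it.
    Otherwise the claimed identifier is the usual key.
    """
    if parse_ax(fields).get(SHARED_ID_TYPE) == "true":
        return None
    return fields["openid.claimed_id"]


if __name__ == "__main__":
    uri = "https://op.example.org/id/42"  # constructed identifier
    print(profile_key(build_op_response(uri, shared=True)))    # None
    print(profile_key(build_op_response(uri, shared=False)))   # the URI
```

The unsigned case is the caveat to keep in mind: if the OP does not sign the AX fields, the RP cannot tell a stripped flag from a never-sent one and falls back to treating the URI as a single user's identifier, so the privacy property of the compromise rests entirely on the OP signing the extension parameters.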