If an RP only needs group membership and no individual identity, then why assert an identifier at all? Use OAuth or identity-less OpenID. I think it would seriously cloud OpenID's Identifiers if an AX attribute that may or may not be noticed or included significantly changes what the identifier's significant meaning is.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

On Wed, May 13, 2009 at 8:36 PM, SitG Admin <sysad...@shadowsinthegarden.com> wrote:

> Attributes like group membership belong in AX, not in the identifier.
>>
>> I suspect the idea is to have a pseudonymous identifier that discloses
>> nothing about the person using it other than the fact that they can assert
>> the same ID each time they return to prevent correlation.
>>
>
> To further prevent correlation, the OP may wish to support users in
> authenticating as members of a group - *in such a way* that individual users
> cannot be distinguished from one another. If not for that, RP's could
> correlate information over time, establishing theoretical profiles of the
> users.
>
> I think one compromise could be to use a traditional identifier, and then
> use AX to signal to the RP that the OP might vouch for more than one
> individual having that URI.
>
> -Shade
>
> _______________________________________________
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
>