Sounds like a great idea to mock up for a demo.

On Saturday, May 16, 2009, John Bradley <jbrad...@mac.com> wrote:

> There is nothing that would stop an RP from performing discovery on some
> group URI to discover an OP Endpoint.
>
> Once the RP has the endpoint they can do an identity-less request to the OP
> for the session that is currently logged in.
>
> The OP returns what is the openID equivalent of a bearer token in that it is
> about whoever presents it as it lacks a "Subject"/claimed_id.
>
> This would require some work to get right but is far better than overloading
> the identifier.
>
> John Bradley
>
> On 15-May-09, at 3:55 PM, SitG Admin wrote:
>
> Keeping it identity-less also allows the assertion to come from a 3rd party.
>
> The group may be the only one that can say I belong to it. They may have the
> openIDs of their members and make membership assertions on their behalf
> without being a full IDP. That could be done with AX or oAuth for
> transferring the attributes.
>
> How about a restricted-access "group" (community, whatever an OP calls it)
> where members must have been approved? If the school doesn't want to run its
> own IDP, it can host an XRD file showing the URIs for Groups (Communities)
> on various 3rd-party sites that it has investigated and found to be run by
> those who will be responsible (cue internal policy decisions, here), so it
> declares them (groups, not sites) authoritative.
>
> From then on, if RPs want to know that a user is a student at that school,
> they check the school's XRD file, then say "Okay, you can prove membership in
> this group on Facebook, that group on LiveJournal, or some other group at
> MySpace."
>
> This kind of "delegation" brings us back to using those URIs, though. Then
> again . . . if the user's OP *is* that same site they are a member of some
> Group on, couldn't something be done there? (If the user is employing
> delegation as known to the spec, it seems unlikely that the Group page would
> be available for that user to control the OpenID headers of.)
>
> -Shade

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
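An added example, not code from the thread or from any OpenID library, of the RP-side checks the flow discussed above would need: read the school's XRD file for the group URIs it declares authoritative, then accept an identity-less positive assertion only when it comes from the OP that discovery on that group URI produced. The XRD sample, the rel value, the endpoint names and the dict layout of the assertion are constructed assumptions, and signature verification of the assertion is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"
# Assumed link relation for "this group is authoritative for our students";
# the thread names no rel value, so this one is a placeholder.
GROUP_REL = "http://school.example/rel/authoritative-group"

# Constructed sample of the XRD file a school would host (not from the thread).
SCHOOL_XRD = f"""<?xml version="1.0"?>
<XRD xmlns="{XRD_NS}">
  <Subject>https://school.example/</Subject>
  <Link rel="{GROUP_REL}" href="https://social.example/groups/school-students"/>
  <Link rel="{GROUP_REL}" href="https://journal.example/community/school"/>
  <Link rel="{GROUP_REL}" href="http://insecure.example/group"/>
</XRD>"""


def authoritative_groups(xrd_xml):
    """Group URIs the school declares authoritative. Only https URIs count,
    and callers compare them exactly (no prefix or host-only matching)."""
    root = ET.fromstring(xrd_xml)
    uris = set()
    for link in root.findall(f"{{{XRD_NS}}}Link"):
        href = link.get("href", "")
        if link.get("rel") == GROUP_REL and urlparse(href).scheme == "https":
            uris.add(href)
    return uris


def check_membership_assertion(assertion, group_uri, discovered, xrd_xml):
    """Accept an identity-less positive assertion as proof of membership in
    group_uri. `assertion` is the openid.* fields as a dict; `discovered` maps
    group URI -> OP endpoint found by discovery on that URI. Signature
    verification is assumed to have happened already. Returns (ok, reason)."""
    if group_uri not in authoritative_groups(xrd_xml):
        return False, "group not declared authoritative by the school"
    if assertion.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    # The asserting OP must be the one discovery on the group URI produced,
    # otherwise any OP could vouch for membership in the group.
    if assertion.get("openid.op_endpoint") != discovered.get(group_uri):
        return False, "op_endpoint does not match discovery on the group URI"
    # Identity-less: a claimed_id/identity would turn this back into an
    # ordinary login assertion about a specific identifier.
    if "openid.claimed_id" in assertion or "openid.identity" in assertion:
        return False, "assertion carries an identifier; not identity-less"
    return True, "membership accepted"
```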