Once the RP has the endpoint they can do an identity-less request to the OP for the session that is currently logged in.

The OP returns what is the OpenID equivalent of a bearer token, in that it is about whoever presents it, as it lacks a "Subject"/claimed_id.

OP chaining? Assuming the user is known to the first OP, and that the user is all right with this first OP knowing what other OP the user wants to vouch for their identity, I'd wonder whether the first OP would feel entitled to make its own decisions about who the user should be allowed to trust. Such matters should not be addressed in the spec, but I wonder if the school's XRD file (the same one that said "members of this group URI can be treated as Us") could also include a whitelist of OPs the school trusted to vouch for their students' identity. Wouldn't stop OPs determined to do so from not passing on the user's choice of OP, but might provide an alternative to the first OP having to be entirely in charge of that.

-Shade
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

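The two points in the message above, that an assertion without a signed claimed_id is "about whoever presents it", and that an RP could consult an allowlist of OPs the school vouches for, can be made concrete with a small RP-side verifier. The following is an added example, not code from the original post or from any OpenID implementation. It simulates an OP signing a positive assertion with an HMAC-SHA256 association (the field names follow OpenID 2.0; the association secret, the endpoints, the user identifiers and the `TRUSTED_OPS` allowlist are constructed sample values, and the nonce format is simplified). The verifier rejects an identity-less assertion as bearer-like, rejects a replayed nonce, and rejects an OP that is not on the allowlist.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed association secret. In OpenID 2.0 this comes from an
# association exchange between RP and OP; here it is a fixed sample value.
ASSOC_SECRET = b"constructed-shared-secret"
ASSOC_HANDLE = "assoc-demo-1"

# Hypothetical allowlist, standing in for a list of OP endpoints that the
# school's XRD document is assumed to vouch for.
TRUSTED_OPS = {"https://op.school.example/endpoint"}

# Subset of OpenID 2.0 positive-assertion fields; order fixes the signing order.
SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce",
                 "assoc_handle", "claimed_id", "identity"]


def kv_form(fields, signed):
    """OpenID key-value form over the signed fields: 'name:value\\n' per field, in order.
    A missing field yields an empty value, so tampering shows up as a bad signature."""
    return "".join(f"{n}:{fields.get('openid.' + n, '')}\n" for n in signed).encode()


def sign_assertion(fields, secret):
    """Return a copy of fields with openid.signed and openid.sig filled in (HMAC-SHA256)."""
    signed = [n for n in SIGNED_FIELDS if "openid." + n in fields]
    out = dict(fields)
    out["openid.signed"] = ",".join(signed)
    mac = hmac.new(secret, kv_form(fields, signed), hashlib.sha256).digest()
    out["openid.sig"] = base64.b64encode(mac).decode()
    return out


def make_assertion(op_endpoint, return_to, claimed_id=None):
    """Simulated OP response. Omitting claimed_id models the identity-less
    'whoever is logged in' assertion discussed in the message."""
    fields = {
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.return_to": return_to,
        "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
                                 + secrets.token_hex(4),
        "openid.assoc_handle": ASSOC_HANDLE,
    }
    if claimed_id is not None:
        fields["openid.claimed_id"] = claimed_id
        fields["openid.identity"] = claimed_id
    return sign_assertion(fields, ASSOC_SECRET)


def verify_assertion(fields, secret, expected_return_to, seen_nonces, trusted_ops):
    """RP-side checks. Returns (accepted, claimed_id-or-reason)."""
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if fields.get("openid.op_endpoint") not in trusted_ops:
        return False, "OP not in allowlist"
    signed = fields.get("openid.signed", "").split(",")
    expected = hmac.new(secret, kv_form(fields, signed), hashlib.sha256).digest()
    given = base64.b64decode(fields.get("openid.sig", ""))
    if not hmac.compare_digest(expected, given):
        return False, "bad signature"
    # The binding fields must themselves be under the signature.
    for must in ("op_endpoint", "return_to", "response_nonce", "assoc_handle"):
        if must not in signed:
            return False, f"{must} not covered by signature"
    if fields["openid.return_to"] != expected_return_to:
        return False, "return_to mismatch"
    # Without a signed subject the assertion says nothing about who presents it.
    if "claimed_id" not in signed or "identity" not in signed:
        return False, "no signed claimed_id: assertion is bearer-like"
    nonce = fields["openid.response_nonce"]
    if nonce in seen_nonces:
        return False, "nonce replayed"
    seen_nonces.add(nonce)
    return True, fields["openid.claimed_id"]


def demo():
    """Run the verifier over four constructed assertions and return the outcomes."""
    rp_return = "https://rp.example/return"
    seen = set()
    good = make_assertion("https://op.school.example/endpoint", rp_return,
                          "https://alice.school.example/")
    r_good = verify_assertion(good, ASSOC_SECRET, rp_return, seen, TRUSTED_OPS)
    r_replay = verify_assertion(good, ASSOC_SECRET, rp_return, seen, TRUSTED_OPS)
    anon = make_assertion("https://op.school.example/endpoint", rp_return)
    r_anon = verify_assertion(anon, ASSOC_SECRET, rp_return, seen, TRUSTED_OPS)
    other = make_assertion("https://op.elsewhere.example/endpoint", rp_return,
                           "https://bob.elsewhere.example/")
    r_other = verify_assertion(other, ASSOC_SECRET, rp_return, seen, TRUSTED_OPS)
    return r_good, r_replay, r_anon, r_other


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The allowlist check in `verify_assertion` is the RP-side counterpart of the XRD whitelist idea: it does not stop an OP from withholding the user's choice of OP, but it does stop the RP from accepting a signed assertion from an OP the school never vouched for.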