Once the RP has the endpoint they can do an identity-less request to
the OP for the session that is currently logged in.
The OP returns what is the openID equivalent of a bearer token in
that it is about whoever presents it as it lacks a
"Subject"/claimed_id.
OP chaining? Assuming the user is known to the first OP, and that the
user is allright with this first OP knowing what other OP the user
wants to vouch for their identity, I'd wonder whether the first OP
would feel entitled to make its own decisions about who the user
should be allowed to trust. Such matters should not be addressed in
the spec, but I wonder if the school's XRD file (the same one that
said "members of this group URI can be treated as Us") could also
include a whitelist of OP's the school trusted to vouch for their
students' identity. Wouldn't stop OP's determined to do so from not
passing on user's choice of OP, but might provide an alternative to
the first OP having to be entirely in charge of that.
-Shade
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs