Score is not about the OP; it's about the method used to gather the attributes itself.

Which is good if you trust the OP to score itself.

In my opinion, and to keep things easy, trust should be binary: I [trust|don't trust] this OP.

For you as a Relying Party this seems workable; but since your users are placing their trust in *you*, while at the same time the actual entities they end up trusting are the OPs of those people they are forming/signing contracts with, this seems like an untenable position unless you can either restrict the OP (whitelist) to those you have verified (or had verified for you by a 3rd party *you* trust), which doesn't give users much freedom to select their OPs but does limit possible abuses, or fairly transfer responsibility for trust onto users.

But what if (and this is only an early idea) user A asks its OP, saying, "I want to know B's name"? So A's OP would then ask B's OP for B's name the same way an RP would do.

Except that A's OP isn't necessarily an RP; there is something called OAuth that might fit better here.

-Shade
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
