So, from the looks of it, you're redoing delegation to rely on the OP
instead of the URI, and reducing the URI (formerly the primary
identifier) to just another item of profile data (like name or
photo), the "profile URL".

I'm not seeing how this "your Identity is primarily tied to your OP"
approach does anything but reinforce walled gardens. It's nice "when
people follow the rules": grand, but useless to protect against
malicious OPs.

-Shade

Postscript: reliance on SSL endpoints - considering how panicky the
modern browsers get over self-signed certificates, isn't this
discouraging (and effectively disqualifying) users from running their
own OAuth/OpenID endpoints?
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs