John: A user-centric architecture has the user's agent in the middle of identity transactions.

If transactions are encrypted, the user playing MITM has no verifiable idea of which attributes are being transferred through them. It's like being a blind tunnel.

My understanding of user-centric architecture had been more that the user's agent was an *endpoint*: we don't have that yet; attributes and Identity (as whatever core identifier) are still transferred between third parties that primarily hold them, and allegedly require a user's key for authorization of release.

-Shade
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
