On 2011-07-20, at 11:24 AM, John Kemp wrote:

> On Jul 20, 2011, at 12:10 PM, Dick Hardt wrote:
>
>>>>>> BrowserID is user-centric in that the RP can verify the signature of
>>>>>> whichever email provider the user chooses. It doesn't rely on prior
>>>>>> agreements between the RP and IdP.
>>>>>
>>>>> I agree with your specific statement - so I won't quibble over whether
>>>>> this is necessarily "user-centric" or not ;)
>>>>
>>>> I think that is one of the key aspects of user-centricity. The user is
>>>> making choices on which attributes to share. The user is determining "who"
>>>> she wants to be in a given RP context.
>>>
>>> Yes, I understand what you mean. I'm just personally not sure that
>>> BrowserID is really so much more "user-centric" in the way you mean than
>>> OpenID (Connect).
>>
>> The flow is moving from my agent (the browser) to the RP rather than from
>> the IdP to the RP.
>
> Isn't this *exactly* the same as using a browser plugin or an OS-level
> component invoked by the browser with OpenID performed "behind the scenes"
> with the RP? These solutions all assert the attributes directly from the
> user-agent, and the attributes are potentially signed by an IdP and stored as
> an assertion on the client.
OpenID Connect does not work that way. It is based on OAuth, which is great for delegating authority -- but once delegated, the user is not involved anymore.

OpenID 2.0 is user-centric.

Did you watch my presentation? If so, I would love to hear how that was not clearly explained!

-- Dick

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
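The thread turns on one structural point: in a BrowserID-style flow the e-mail provider signs a certificate that is stored on the client, the user-agent signs a per-RP assertion with the certified key, and the RP checks the chain against whichever provider the e-mail address names, with no prior agreement between RP and provider. The following Go program is an added example written for this page, not code from the thread's participants or from the BrowserID project, and it deliberately uses a simplified JSON structure rather than the real BrowserID wire format. It assumes Ed25519 signatures, a `ProviderKeys` map standing in for public-key discovery by e-mail domain, and constructed names (`example.com`, `alice@example.com`, `https://rp.example.org`). It shows all three parties' steps and the checks the RP must make (provider key lookup, both signatures, audience binding, expiry) before it can accept the e-mail address.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed, simplified model of a BrowserID-style flow (not the real
// BrowserID wire format): the e-mail provider certifies the user-agent's key,
// the user-agent signs an assertion for one RP, and the RP verifies the chain
// against whichever provider the e-mail address names.

// IdentityCert binds an e-mail address to the user-agent's public key.
// It is issued and signed by the provider and kept on the client.
type IdentityCert struct {
	Email     string `json:"email"`
	UserKey   []byte `json:"user_key"`
	Expires   int64  `json:"exp"`
	Signature []byte `json:"sig"` // provider signature over the other fields
}

// Assertion is produced by the user-agent for a single RP (the audience).
type Assertion struct {
	Audience  string `json:"aud"`
	Expires   int64  `json:"exp"`
	Signature []byte `json:"sig"` // user-agent signature over the other fields
}

// Bundle is what the browser hands to the RP.
type Bundle struct {
	Cert      IdentityCert `json:"cert"`
	Assertion Assertion    `json:"assertion"`
}

// signable returns the bytes a signature covers: the struct with sig cleared.
func (c IdentityCert) signable() []byte { c.Signature = nil; b, _ := json.Marshal(c); return b }
func (a Assertion) signable() []byte    { a.Signature = nil; b, _ := json.Marshal(a); return b }

// ProviderKeys stands in for public-key discovery keyed by e-mail domain
// (an assumption of this example). The RP needs only the provider's public
// key, not a registration or shared secret with it.
type ProviderKeys map[string]ed25519.PublicKey

// IssueCert is the provider side.
func IssueCert(providerPriv ed25519.PrivateKey, email string, userPub ed25519.PublicKey,
	ttl time.Duration, now time.Time) IdentityCert {
	c := IdentityCert{Email: email, UserKey: userPub, Expires: now.Add(ttl).Unix()}
	c.Signature = ed25519.Sign(providerPriv, c.signable())
	return c
}

// MakeAssertion is the user-agent side: a short-lived statement for one RP.
func MakeAssertion(userPriv ed25519.PrivateKey, audience string, ttl time.Duration, now time.Time) Assertion {
	a := Assertion{Audience: audience, Expires: now.Add(ttl).Unix()}
	a.Signature = ed25519.Sign(userPriv, a.signable())
	return a
}

// VerifyBundle is the RP side; it returns the e-mail address it can rely on.
func VerifyBundle(keys ProviderKeys, b Bundle, expectedAudience string, now time.Time) (string, error) {
	at := strings.LastIndex(b.Cert.Email, "@")
	if at < 0 {
		return "", errors.New("malformed e-mail address in certificate")
	}
	domain := b.Cert.Email[at+1:] // the user's choice of provider decides whose key is checked
	provPub, ok := keys[domain]
	if !ok {
		return "", fmt.Errorf("no public key known for provider %q", domain)
	}
	if !ed25519.Verify(provPub, b.Cert.signable(), b.Cert.Signature) {
		return "", errors.New("certificate signature invalid")
	}
	if now.Unix() >= b.Cert.Expires {
		return "", errors.New("certificate expired")
	}
	if len(b.Cert.UserKey) != ed25519.PublicKeySize {
		return "", errors.New("certificate carries a malformed user key")
	}
	if !ed25519.Verify(ed25519.PublicKey(b.Cert.UserKey), b.Assertion.signable(), b.Assertion.Signature) {
		return "", errors.New("assertion signature invalid")
	}
	if b.Assertion.Audience != expectedAudience {
		return "", errors.New("assertion was issued for a different RP")
	}
	if now.Unix() >= b.Assertion.Expires {
		return "", errors.New("assertion expired")
	}
	return b.Cert.Email, nil
}

func main() {
	now := time.Now()
	provPub, provPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	keys := ProviderKeys{"example.com": provPub} // constructed sample provider
	cert := IssueCert(provPriv, "alice@example.com", userPub, time.Hour, now)
	bundle := Bundle{Cert: cert, Assertion: MakeAssertion(userPriv, "https://rp.example.org", 2*time.Minute, now)}
	fmt.Println(VerifyBundle(keys, bundle, "https://rp.example.org", now))
}
```

The audience check is what keeps an assertion captured at one RP from being replayed at another, and the two expiry checks bound how long a stored certificate and a freshly minted assertion remain usable; the provider lookup by e-mail domain is the step where "whichever provider the user chooses" enters the RP's verification.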
