Rowan,

Thanks for your response. Again, I have no formal education, so don't 
bother if my comments are worthless. I just want to specify the concerns 
I do have, based on my own experience, in case they are of any use to 
the process.

Rowan Kerr wrote:
> The RP can send an "update_url" to the OP when it fetches the
> attributes, so it will get new values when the user changes them at  
> the OP.

But the RP can't know if the "update_url" is honored, i.e. if it will 
ever receive any updates from the OP.

Imagine an RP requesting your bank account number X from your OP. Time 
goes by, and your OP goes out of business. Later, you switch banks and 
your account number X is assigned to someone else. In the meantime, the 
RP has been preparing a payment for a job you have done for them. The RP 
looks up your account number in its database and sees X. And since the RP 
has not received any updates to your bank account information, it 
reasons that your account number is still X and consequently disburses 
your payment to a stranger's account ...

One could say that OpenID should not be relied on to exchange sensitive 
information like bank account numbers, but 1) I think it's a shame to 
limit a technology with such great potential, and 2) chances are that 
OpenID will be relied upon anyway - the sensitive transactions will just 
be performed longer down the chain, where they can't be checked.

>> * If an OP fails to update an attribute, the RP will never know - no
>> fall-backs can be implemented.
>
> Fails when? On a Store request? 

Yes, or if the Store request never leaves the OP server, for whatever 
reason.

> Not sure I understand this. OPs normally would not have interest
> in any particular RPs the User has interest in RPs :) Although it is
> up to the individual OP to set rules about who it wants to talk to.  

User interest in RPs comes and goes, but this is not reflected in the OP's 
database. After a couple of years' use, each user is likely to have some 
thousands of RP entries associated with their identity in the OP's 
database, while the user may only have active interest in a fraction of 
these.

> You're free to publish the RDF for the attributes you support... then
> they are reference-able aren't they?  

My point was that attributes do not have a canonical identifier that 
can be passed on to someone else who might put the attribute to better 
use. As far as I can see, the wheel more or less has to be reinvented 
each time someone wishes to exchange attribute references (unless someone 
outside OpenID standardizes the exchange process).

Regards,
Anders Feder
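An RP-side sketch of the fallback Anders is asking for, added here as an illustration and not code from the thread or from any OpenID library: it records when the OP last supplied each attribute and refuses to treat a sensitive value as current once it has aged past a policy limit, whether or not an update_url was sent. The attribute type URI, the age limits and the claimed identifier are assumptions.

```python
from dataclasses import dataclass

# Assumed policy: payment-related attributes trusted for 30 days, others for a year.
MAX_AGE_SENSITIVE = 30 * 24 * 3600
MAX_AGE_DEFAULT = 365 * 24 * 3600
BANK_ACCOUNT = "http://example.com/ax/bank_account"  # constructed placeholder type URI
SENSITIVE_TYPES = {BANK_ACCOUNT}


@dataclass
class CachedAttribute:
    value: str
    fetched_at: float       # seconds since epoch when the OP last supplied the value
    update_url_sent: bool   # RP asked for updates; says nothing about the OP honouring it


class AttributeCache:
    """RP-side store of AX attributes keyed by (claimed identifier, type URI)."""

    def __init__(self):
        self._store = {}

    def store(self, claimed_id, type_uri, value, now, update_url_sent=False):
        self._store[(claimed_id, type_uri)] = CachedAttribute(value, now, update_url_sent)

    def apply_update(self, claimed_id, type_uri, value, now):
        # An unsolicited update arriving at update_url: a real RP verifies it as a
        # signed OpenID assertion first (omitted here), then treats it as a fresh fetch.
        self.store(claimed_id, type_uri, value, now, update_url_sent=True)

    def usable_for(self, claimed_id, type_uri, now):
        """Return (value, status); status is 'fresh', 'stale' or 'missing'."""
        entry = self._store.get((claimed_id, type_uri))
        if entry is None:
            return None, "missing"
        max_age = MAX_AGE_SENSITIVE if type_uri in SENSITIVE_TYPES else MAX_AGE_DEFAULT
        # Silence from the OP may mean "unchanged" or "OP gone"; the RP cannot tell,
        # so having sent update_url does not extend the trust window.
        if now - entry.fetched_at > max_age:
            return entry.value, "stale"
        return entry.value, "fresh"


def payment_scenario():
    """The thread's example: account fetched, OP goes silent, payment much later."""
    day = 24 * 3600
    user = "https://alice.example/"   # constructed claimed identifier
    cache = AttributeCache()
    cache.store(user, BANK_ACCOUNT, "X", now=0, update_url_sent=True)
    early = cache.usable_for(user, BANK_ACCOUNT, now=10 * day)    # ('X', 'fresh')
    late = cache.usable_for(user, BANK_ACCOUNT, now=400 * day)    # ('X', 'stale'): re-verify first
    return early, late
```

A "stale" result is the RP's cue to re-fetch the attribute or ask the user to confirm before disbursing, rather than assuming silence from the OP means the value is unchanged.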



_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs