Rowan,

Thanks for your response. Again, I have no formal education, so don't bother if my comments are worthless. I just want to specify the concerns I do have, based on my own experience, in case they are of any use to the process.

Rowan Kerr wrote:
> The RP can send an "update_url" to the OP when it fetches the
> attributes, so it will get new values when the user changes them at
> the OP.

But the RP can't know if the "update_url" is honored, i.e. if it will ever receive any updates from the OP. Imagine an RP requesting your bank account number X from your OP. Time goes by, and your OP goes out of business. Later, you switch banks and your account number X is assigned to someone else. In the meantime, the RP has been preparing a payment for a job you have done for them. The RP looks up your account number in its database, and sees X. And since the RP has not received any updates to your bank account information, it reasons that your account number is still X and consequently disburses your payment to a stranger's account ...

One could say that OpenID should not be relied on to exchange sensitive information like bank account numbers, but 1) I think it's a shame to limit a technology with such great potential, and 2) chances are that OpenID will be relied upon anyway - the sensitive transactions will just be performed further down the chain, where they can't be checked.

>> * If an OP fails to update an attribute, the RP will never know - no
>> fall-backs can be implemented.
>
> Fails when? On a Store request?

Yes, or if the Store request never leaves the OP server, for whatever reason.

> Not sure I understand this. OPs normally would not have interest
> in any particular RPs the User has interest in RPs :) Although it is
> up to the individual OP to set rules about who it wants to talk to.

User interest in RPs comes and goes, but this is not reflected in the OP's database. After a couple of years' use, each user is likely to have some thousands of RP entries associated with their identity in the OP's database, while the user may only have active interest in a fraction of these.

> You're free to publish the RDF for the attributes you support... then
> they are reference-able aren't they?

My point was that attributes do not have a canonical identifier that can be passed on to someone else who might put the attribute to better use. As far as I can see, the wheel more or less has to be reinvented each time someone wishes to exchange attribute references (unless someone outside OpenID standardizes the exchange process).

Regards,
Anders Feder

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
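The stale-attribute failure described in this message, shown as an added illustration that is not part of the thread or of any OpenID implementation: an RP-side cache record, a lookup that trusts the cached value because no update arrived, and a hardened lookup that fails closed when the value is older than the RP is willing to accept for a sensitive action. The `CachedAttribute` record, function names, attribute URI and dates are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical RP-side cache record for one attribute obtained through
# OpenID Attribute Exchange (field names are this example's own).
@dataclass
class CachedAttribute:
    type_uri: str            # AX attribute type, e.g. a bank-account attribute
    value: str
    fetched_at: datetime     # when the RP last received this value from the OP
    update_url_sent: bool    # the RP asked for updates; silence since then
                             # says nothing about whether the OP honoured it

def naive_lookup(attr: CachedAttribute) -> str:
    """The behaviour in the post: 'no update received' is read as 'still
    current', so the cached value is used unconditionally."""
    return attr.value

def fresh_lookup(attr: CachedAttribute, now: datetime,
                 max_age: timedelta) -> Optional[str]:
    """Hardened variant: before a sensitive use (a payout, say) the RP
    requires that the value was fetched within max_age. Whether an
    update_url was sent is deliberately ignored, because the RP cannot
    tell an honoured update_url from a dead OP. None means 'do not use
    this value; re-fetch from the OP or confirm with the user first'."""
    if now - attr.fetched_at > max_age:
        return None
    return attr.value

# Constructed sample matching the post's scenario: account number X was
# fetched two years ago and the OP has been silent since.
NOW = datetime(2008, 1, 1, tzinfo=timezone.utc)
BANK_ACCOUNT = "http://example.invalid/ax/bank_account"   # constructed URI
STALE = CachedAttribute(BANK_ACCOUNT, "X", NOW - timedelta(days=730),
                        update_url_sent=True)
RECENT = CachedAttribute(BANK_ACCOUNT, "X", NOW - timedelta(days=1),
                         update_url_sent=True)
PAYOUT_MAX_AGE = timedelta(days=30)

if __name__ == "__main__":
    print("naive:", naive_lookup(STALE))                       # X (possibly a stranger's account)
    print("fresh:", fresh_lookup(STALE, NOW, PAYOUT_MAX_AGE))  # None (re-fetch first)
    print("fresh:", fresh_lookup(RECENT, NOW, PAYOUT_MAX_AGE)) # X
```

The acceptable age is a policy choice per attribute and per action; a payout warrants a far shorter window than a display name.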