On 6/9/07, Martin Atkins <[EMAIL PROTECTED]> wrote:
> I'm assuming that the RP authenticates
> http://inconvenient.example.com/0000001, not
> http://impersonation.example.com/mart. Just as with delegation, if I can
> successfully authenticate as the persistent identifier and the
> non-persistent identifier points at the persistent one, we can assume
> that http://impersonation.example.com/mart is "me" as well.

If you agree that:

1. In order to "authenticate as the persistent identifier," discovery
   must be done on the persistent identifier
2. In order to determine that "the non-persistent identifier points at
   the persistent one," discovery must be done on the non-persistent
   identifier.

then two discovery steps are necessary in order to use this scheme.

Josh
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs