[Dev] Acting As If =you were @example*dept

Michael Mell mike at nthwave.net
Wed May 16 19:33:21 EDT 2007


An ibroker Customer has registered @example. Customer has a Legacy system which can only be configured to grant access to a single identifier, in this case, @example*dept. Customer wants =you and =me to authenticate using OpenID 1.1 to this system /as/ @example*dept without giving the @example*dept password to either =you or =me.

I see a very simple way to implement this: The OP will enable @example*dept to create and manage a list of inames that are permitted to Act As @example*dept. The registrant enters =you and =me into this mapping. After creating the mapping, =you will enter "@example*dept" at the OpenID login box at the Legacy RP. The browser will be redirected to the OP for @example*dept. The OP will recognize that @example*dept has Acting As mappings so, in addition to the usual password field, the OP will present an iname form field to allow =you or =me to authenticate to the OP as =you or =me. After verifying the =you or =me password, the OP will redirect the browser back to the Legacy RP with the appropriate @example*dept tokens to confirm authentication as @example*dept.

The OP will not accept Acting As authentications to manage the account -- =you may not Act As @example*dept at the OP.

This method could be extended a step further so that the mapping list is irrelevant and any OP account can Act As a configured account such as @anonymous. Clearly the @anonymous registrant and Acting As users would need to be educated about the effects of this authentication.

As I understand the term, this is a form of directed identity. Do people see this as a valuable feature in an OP?

Thanks,
Mike
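The decision logic described in the post, as an added example that is not part of the original message or of any ibroker/OP code. It assumes a toy OP with an in-memory account table, an association secret already shared with the Legacy RP, and an OpenID 1.1-style HMAC-SHA1 signature over the signed fields (simplified: no assoc_handle, nonce or replay protection). The password hashing and the `rp_login`/`manage` purpose flag are placeholders chosen for the example; the `open_to_all` flag models the @anonymous extension from the post.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _pw_hash(password: str, salt: bytes) -> str:
    # Placeholder salted SHA-256 (assumption for this example); a real OP
    # would use a purpose-built password hash such as bcrypt or Argon2.
    return hashlib.sha256(salt + password.encode()).hexdigest()


@dataclass
class Account:
    iname: str
    salt: bytes
    pw_hash: str
    act_as: set = field(default_factory=set)   # inames permitted to Act As this account
    open_to_all: bool = False                   # the "@anonymous" extension: any OP account may Act As


class ActingAsOP:
    """Toy OP: decides whether a login may be answered with an assertion for
    `claimed`, and signs that assertion OpenID 1.1 style (simplified)."""

    def __init__(self, assoc_secret: bytes):
        self.accounts = {}
        self.assoc_secret = assoc_secret  # assumed established with the RP via an association

    def register(self, iname, password, act_as=(), open_to_all=False):
        salt = secrets.token_bytes(16)
        self.accounts[iname] = Account(iname, salt, _pw_hash(password, salt), set(act_as), open_to_all)

    def check_password(self, iname, password) -> bool:
        acct = self.accounts.get(iname)
        if acct is None:
            return False
        return hmac.compare_digest(acct.pw_hash, _pw_hash(password, acct.salt))

    def may_act_as(self, claimed, actor) -> bool:
        target = self.accounts.get(claimed)
        if target is None or actor not in self.accounts:
            return False
        return target.open_to_all or actor in target.act_as

    def authenticate(self, claimed, password, return_to, actor=None, purpose="rp_login"):
        """Return a signed id_res assertion for `claimed`, or None if refused.

        actor=None: the user typed the claimed account's own password.
        purpose="manage": login to the OP's own account-management UI, where
        Acting As is never accepted (only the claimed account's own password works).
        """
        if claimed not in self.accounts:
            return None
        if actor is None or actor == claimed:
            if not self.check_password(claimed, password):
                return None
        else:
            if purpose != "rp_login":           # no Acting As at the OP itself
                return None
            if not self.check_password(actor, password):
                return None
            if not self.may_act_as(claimed, actor):
                return None
        # The RP only ever sees the claimed identity; the actor stays at the OP.
        return self._sign({"openid.mode": "id_res",
                           "openid.identity": claimed,
                           "openid.return_to": return_to})

    def _sign(self, fields):
        fields = dict(fields)
        fields["openid.signed"] = "mode,identity,return_to"
        fields["openid.sig"] = _signature(self.assoc_secret, fields)
        return fields


def _signature(secret: bytes, fields) -> str:
    # OpenID 1.1 token_contents form: "key:value\n" for each signed key, HMAC-SHA1, base64.
    keys = fields["openid.signed"].split(",")
    token = "".join(f"{k}:{fields['openid.' + k]}\n" for k in keys)
    return base64.b64encode(hmac.new(secret, token.encode(), hashlib.sha1).digest()).decode()


def rp_verify(secret: bytes, assertion) -> Optional[str]:
    """RP-side check: return the asserted identity if the signature holds, else None."""
    if assertion.get("openid.mode") != "id_res":
        return None
    expected = _signature(secret, assertion)
    if not hmac.compare_digest(expected, assertion.get("openid.sig", "")):
        return None
    return assertion["openid.identity"]


if __name__ == "__main__":
    # Constructed sample data for the scenario in the post.
    op = ActingAsOP(b"assoc-secret-shared-with-legacy-rp")
    op.register("@example*dept", "dept-pw", act_as={"=you", "=me"})
    op.register("=you", "you-pw")
    op.register("=stranger", "stranger-pw")
    rt = "https://legacy.example/openid/return"
    a = op.authenticate("@example*dept", "you-pw", rt, actor="=you")
    print("RP sees:", rp_verify(b"assoc-secret-shared-with-legacy-rp", a))
    print("stranger refused:", op.authenticate("@example*dept", "stranger-pw", rt, actor="=stranger") is None)
    print("manage refused:", op.authenticate("@example*dept", "you-pw", rt, actor="=you", purpose="manage") is None)
```

Because the RP receives only the @example*dept assertion, the OP is the only party that knows which actor logged in; in practice the OP should record the actor iname with each Acting As assertion it issues so the Legacy system's activity can still be attributed to a person.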


