Hilarie,
We may want to extend the notion above to encompass callout
servers, but I'm not sure.
I would say 'yes', it should be extended to emcompass callout servers,
in particular as callout servers might be in an authoritative domain
different from the one the OPES intermediary is in.
A topic for discussion, I believe, is whether or not "transparent"
delegation is allowed, [...]
What exactly do you mean by "transparent" delegation? Do you mean sort
of "transitive", i.e. if A trusts B and B trusts C, than B can
"transparently" delegate authority given by A to C?
Should the OPES callout servers be visible parts of the delegation
mechanism?
Hm, I would say 'yes', see above. It might, for example, be possible
that the same service is available on different callout servers, but I
only trust few of them...
In the consideration 2.2 below, it appears to me that that the only
OPES intermediaries permitted would be one "hop" away from the end-user,
effectively preventing any publisher-authorized intermediaries.
Isn't it the case that the publisher also is an end-user, thus
allowing the publisher to authorize intermediaries one hop away?
Further, while this language would seem to preclude chained
intermediaries, later language specfically overrides this notion,
apparently allowing trusted chains of intermediaries, possibly without
explicit trust relationships (?).
Could you give a specific example where the docment later overrides
this notion? You're certainly right that we need to clarify this.
-Markus