It means: "TTP certifies that the user presenting identity X is indeed a user known to me, and is an acceptable user for the purposes that Site asked about: not a bot, not a spammer".
The idea is that TTP certifies User against particular requirements of Site, and gives User an identity which User can give to Site. TTP keeps the "real" identity of the user hidden from Site, replacing it with a temporary identity.
TTP does not give Site anything; User shares the temporary identity with Site. Then Site can check the identity, cryptographically and/or by asking TTP directly.
The identity should also be checked by a challenge-response protocol between Site and User, so that stealing it from User would be pointless. E.g. User keeps the private key and Site receives the public key, and Site asks to encrypt a random string, then tries to decrypt it.
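The flow described in the comment above, as an added Go example that is not part of the thread: TTP signs a temporary public key, and Site checks that signature plus a fresh challenge. It uses an Ed25519 signature over Site's nonce in place of the encrypt-then-decrypt step; all function names and the "not-a-bot" claim string are assumptions, and TTP's vetting of User is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Credential: a temporary public key and claim signed by TTP; no real identity inside.
type Credential struct {
	TempPub ed25519.PublicKey
	Claim   string
	TTPSig  []byte
}

func NewNonce() []byte { // 32 fresh random bytes; Site uses a new one per challenge
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(NewNonce())
	return priv.Public().(ed25519.PublicKey), priv
}

// Distinct prefixes keep a challenge answer from ever doubling as a credential signature.
func credMsg(pub ed25519.PublicKey, claim string) []byte { return append(append([]byte("cred|"), pub...), claim...) }
func chalMsg(nonce []byte) []byte { return append([]byte("chal|"), nonce...) }

// Issue is run by TTP after vetting User (vetting not modelled); Respond is run by User.
func Issue(ttpPriv ed25519.PrivateKey, pub ed25519.PublicKey, claim string) Credential {
	return Credential{pub, claim, ed25519.Sign(ttpPriv, credMsg(pub, claim))}
}
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(priv, chalMsg(nonce)) }

// SiteVerify checks TTP's signature, then that the presenter holds the matching private key.
func SiteVerify(ttpPub ed25519.PublicKey, c Credential, claim string, nonce, resp []byte) bool {
	return c.Claim == claim && len(c.TempPub) == ed25519.PublicKeySize &&
		ed25519.Verify(ttpPub, credMsg(c.TempPub, c.Claim), c.TTPSig) &&
		ed25519.Verify(c.TempPub, chalMsg(nonce), resp)
}

func main() {
	ttpPub, ttpPriv := NewKey()
	userPub, userPriv := NewKey()
	cred, nonce := Issue(ttpPriv, userPub, "not-a-bot"), NewNonce()
	fmt.Println("accepted:", SiteVerify(ttpPub, cred, "not-a-bot", nonce, Respond(userPriv, nonce)))
}
```

Site only needs TTP's public key to run the check offline, which corresponds to the "cryptographically" option; asking TTP directly would be a separate lookup not shown here.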
> It means: "TTP certifies that the user presenting identity X is indeed a user known to me, and is an acceptable user for the purposes that Site asked about: not a bot, not a spammer".
How does the TTP know that the user isn't a spammer? Is there a backchannel for reidentifying users in case of abuse allegations? Does the TTP just refuse to issue credentials on behalf of the same user very frequently?