1. If the content is ‘self-identifying’, what’s the mechanism for another piece of content being called the same name, and thus having aggregated results in the LRS? In other words, how is content uniquely identified?
2. Similarly, users – if a login is not required, what if content01 says JoeSmith is taking the course and content05 says the same thing, but it’s a different JoeSmith? The only way to get around that is to require an existing account to authenticate against, correct? If not authentication is required, then the LRS is just going to have to expect duplicate usernames…? (perhaps this, and others, are addressed by ‘oAuth’ – I/we have not tried to get that far into the spec…)
3. If the destination LRS can be sent to the content via a launching page, what’s to prevent someone else from sending a different LRS location to someone else’s content – essentially using another’s content piece to track back to their own system (hijacking)?
4. And we have concerns about how enrollments will work – how will a system know if a user should be accessing the content…and what about transcripts – if a user wants to see their result summary…and sequencing? BUT perhaps those are all beyond the scope of xAPI/LRS as they’re so LMS-centric…and we just have to think outside that LMS box…