[OpenID] Proposal: SMTP service extension for Yadis discovery

Martin Atkins mart at degeneration.co.uk
Tue Feb 13 21:12:30 UTC 2007


Stephen Paul Weber wrote:
> On 08 Feb 2007 16:38:00 +0100, Claus Färber <claus at faerber.muc.de> wrote:
>> Hello,
>> Stephen Paul Weber <singpolyma at gmail.com> wrote:
>>>> Email-based OpenIDs (or let's call them user at realm-based OpenIDs, which
>>>> just resemble email addresses) could be as simple as a convention to map
>>>> <user at example.com> to <http://example.com/~user>.
>>> which would work... but is there a need, since
>>> http://user@example.com/ is a legal URL?
>> It does not work as intended. In http://user@example.com/, "user" is an
>> identity suggested to access http://example.com/. A RP could not
>> retrieve different information depending on the "user" part without
>> knowing the password for each user (which it is supposed not to know).
> 
> How so?  The user part is transferred in the HTAUTH headers which the
> script can easily read...

It can actually be quite tricky in some cases to get at the 
authentication header. Apache does not allow direct access to that 
header value from CGI scripts, and it only makes the username available 
in the REMOTE_USER environment variable if it has successfully completed 
some kind of authentication.

However, given that these user at example.com-shaped identifiers are only 
intended to be used by "big" services (if I'm hosting my own identifier, 
I can just use a bare user.com or whatever) this probably isn't a 
massive issue in this case.
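
The behaviour discussed in this message, as an added example that is not part of the original thread: a sketch of what a CGI script can learn about the "user" in http://user@example.com/ from its environment. The function names and sample environments are constructed for illustration, and HTTP_AUTHORIZATION is assumed to be present only where the server has been explicitly configured to pass the header through.

```python
import base64
from urllib.parse import urlsplit

def url_userinfo(url):
    """Return the userinfo name a client would derive from the URL, or None."""
    return urlsplit(url).username

def claimed_user(environ):
    """Return (username, source) as visible to a CGI script."""
    # REMOTE_USER is set only after the server has completed authentication.
    if environ.get("REMOTE_USER"):
        return environ["REMOTE_USER"], "REMOTE_USER"
    # Assumption: the raw header reaches the script only if the server was
    # configured to forward it; by default it is withheld from CGI.
    header = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None, "absent"
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None, "malformed"
    user, sep, _password = decoded.partition(":")
    if not sep or not user:
        return None, "malformed"
    # Nothing has checked a password here: treat the name as a claim only.
    return user, "unverified-header"

# Constructed sample environments (not captured from a real server).
DEFAULT_CGI_ENV = {"REQUEST_METHOD": "GET", "SERVER_NAME": "example.com"}
AUTHENTICATED_ENV = {"REQUEST_METHOD": "GET", "AUTH_TYPE": "Basic",
                     "REMOTE_USER": "user"}
PASSTHROUGH_ENV = {"REQUEST_METHOD": "GET",
                   "HTTP_AUTHORIZATION": "Basic "
                   + base64.b64encode(b"user:").decode("ascii")}

if __name__ == "__main__":
    print("URL userinfo:", url_userinfo("http://user@example.com/"))
    for name, env in [("default CGI", DEFAULT_CGI_ENV),
                      ("after server auth", AUTHENTICATED_ENV),
                      ("header passed through", PASSTHROUGH_ENV)]:
        print(name, "->", claimed_user(env))
```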



