[OpenID] Proposal: SMTP service extension for Yadis discovery

Martin Atkins mart at degeneration.co.uk
Tue Feb 13 21:12:30 UTC 2007

Stephen Paul Weber wrote:
> On 08 Feb 2007 16:38:00 +0100, Claus Färber <claus at faerber.muc.de> wrote:
>> Hallo,
>> Stephen Paul Weber <singpolyma at gmail.com> schrieb/wrote:
>>>> Email-based OpenIDs (or let's call them user at realm-based OpenIDs, which
>>>> just resemble email adresses) could be as simple as a convention to map
>>>> <user at example.com> to <http://example.com/~user>.
>>> which would work... but is there a need, since
>>> http://user@example.com/ is a legal URL?
>> It does not work as intended. In http://user@example.com/, "user" is an
>> identity suggested to access http://example.com/. A RP could not
>> retrieve different information depending on the "user" part wihtout
>> knowing the password for each user (which it is supposed not to know).
> How so?  The user part is transferred in the HTAUTH headers which the
> script can easily read...

It can actually be quite tricky in some cases to get at the 
authentication header. Apache does not allow direct access to that 
header value from CGI scripts, and it only makes the username available 
in the REMOTE_USER environment variable if it has successfully completed 
some kind of authentication.

However, given that these user at example.com-shaped identifiers are only 
intended to be used by "big" services (if I'm hosting my own identifier, 
I can just use a bare user.com or whatever) this probably isn't a 
massive issue in this case.

More information about the general mailing list