[OpenID] Where can I get a free i-name?

Kevin Turner kevin at janrain.com
Fri Jan 12 20:35:16 UTC 2007


On Fri, 2007-01-12 at 22:20 +0200, Dmitry Shechtman wrote:
> Brad Topliff wrote:
> > I can't speak to whether or not this is how the libraries generally handle
> > XRI's but since I have seen it work *correctly* before, I have to assume
> > it is an implementation issue.
> 
> Being a developer, I can confirm this assumption.
> 
> This is clearly a bug in all JanRain libraries I'm aware of. It is hopefully
> to be fixed in the upcoming versions. JanRain devs, are you listening?

Notabug!  Feature!  i.e. specification conformance!  I quote from
http://openid.net/specs/openid-authentication-2_0-pre11.html:

        XRI and the CanonicalID Element
        
        When the identifier is an XRI, the <xrd:XRD> element that
        contains the OpenID Authentication <xrd:Service> element MUST
        also contain a <CanonicalID> element. The content of this
        element MUST be used as the Claimed Identifier (see Section
        11.4(Identifying the end user)). This is a vital security
        consideration because a primary purpose of the <CanonicalID>
        element is to assert a persistent identifier that will never be
        reassigned, thus preventing the possibility of an XRI being
        "taken over" by a new registrant. 

kthx HTH HAND love,

 - JanRain devs





More information about the general mailing list