[OpenID] What Should an OpenId Be? [WAS: RE: Proposal for Modularizing Auth 2.0 Discovery]

Stephen Paul Weber singpolyma at gmail.com
Thu Mar 1 13:32:19 UTC 2007

> Bottom Line (repeating myself): We need to be clear and define exactly what
> *is* and what *is not* an Open Id Identifier.  I think the current spec is
> right on the money here:  OpenId Identifiers should be an Http URI or an
> XRI.

I agree except about XRIs.  But that's been debated before and I won't
bring it up again....

The only point I made in the earlier debate is that all email
addresses ARE URIs (without a protocol).  Thus,
singpolyma at singpolyma.net (which is normalized to
http://singpolyma@singpolyma.net/) is actually a valid OpenID at this
very moment.  Some very basic extra coding would make it so that
someone at singpolyma.net was the OpenID for another user (I haven't done
that yet, but it would be easy).

So yes, OpenID should be URIs (and HTTP for simplicity) that can be
accessed via standard GET request.  I think we need to be more
open-minded about all forms of a URI - but we can't force certain
forms to always work (ie email addresses over HTTP, above) but we
shouldn't say they're not allowed to work.

Not sure about 'secondary' identifiers that have to be mapped to HTTP
in some other way, except to say that XRI seems to fall into this
category (since one has to remap it to GET over HTTP).

More information about the general mailing list