[OpenID] URL normalization issues

Lukas Rosenstock lukas.rosenstock at identity20.eu
Fri Mar 23 22:42:08 UTC 2007

> One of the problems with XRDS discovery (formerly known as Yadis) is

Is it not Yadis anymore?

> that it makes it difficult to avoid serving more than one URL that can
> be used as an identifier: the XRDS file's URI is *also* a valid
> identifier. You can observe this problem if you have a MyOpenID.com
> account by trying to sign in somewhere that supports XRDS discovery
> (i.e. not LiveJournal) with <http://youraccount.myopenid.com/xrds>.

If you log in somewhere using youraccount.myopenid.com/xrds, that RP  
accepts this identifier, but sends it as openid.identifier to MyOpenID.com  
and MyOpenID.com should not accept this ... okay, my mistake, if the XRDS  
file contains an oid:Delegate (and MyOpenID.com contains it) MyOpenID.com  
will never know about the "wrong" identifier.
I don't see this as a fundamental problem, because users will not very  
likely add /xrds to their identifier and if they do call it a feature and  
not a bug ;-)
Anyway, can we change the Yadis spec to work around this problem, e.g. add  
something to the XRDS to say that this document belongs to a particular  

Lukas Rosenstock
Identity 2.0 Europe :: http://identity20.eu/

More information about the general mailing list