<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple style='word-wrap: break-word;
-webkit-nbsp-mode: space;-webkit-line-break: after-white-space'>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> John Bradley
[mailto:john.bradley@wingaa.com] <br>
<b>Sent:</b> Thursday, April 09, 2009 5:41 PM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> Andrew Arnott; openid General<br>
<b>Subject:</b> Re: [OpenID] OpenID 2.1 clarification on use of LocalID<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>It works fine if the RP performs the discovery on the
returned claimed_id and makes certain that if the openid.identity is not
== openid.clamed_id it is in the discovered information as the
<LocalID><o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>The user supplied value is only used for the first
discovery. The second discovery if there is one uses the
returned.clamed_id. <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>If the calimed_id doesn't change then you don't
need a second discovery because you already have the discovery info.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>So logically if the claimed_id that is returned by
the OP is the same one that is sent, (as it would be for delegation) if ANY of
the other three parameters are changed in the assertion from the OP,
that assertion must be rejected. <o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>I have found RPs that were only checking for the
openid.claimed_id changing.<o:p></o:p></p>
<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></i></b></p>
<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>yes. That is consistent with the rule that defined the requirement,
discussed during the review – as I recall. Request assertion about a claim.
Receive an assertion about a different claim. Thus, discover actual claim
asserted and establish user ownership, to ensure owner authorizes said claim to
be evidence supporting the actual openid that the RP will know the user by –
as retrieved from the user supplied id and its supporting (unsigned) XRD.<o:p></o:p></span></i></b></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>This allowed me to get a OP to assert a claimed_id for a
delegated ID while logging in with any valid ID at the OP.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Checking the values in the
returned assertion against the discovery information is critical. <o:p></o:p></p>
<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></i></b></p>
<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>[Peter Williams] But until now, only when the OP returns claim !=
requested claim. There were no other conditions, originally.</span></i></b><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>FYI Google and Yahoo are treating the combination of
delegation and directed identity differently. <o:p></o:p></p>
<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></i></b></p>
<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>[Peter Williams] I always thought it was cute that an RP could get
the user’s vantity XRD , be given thereby a localid1 and be directed to
use directed mode, have request claim = OP Identifier, receive claim via assertion
where specific claim value != requested value (OP Identifier), and thus be
required to perform discovery on the specific claim value from assertion, which
would induce RP to consult the (non vanity) XRD at the OP – which supports
the ownerhip of specific claim (may establish a second localid(2) relevant to
the OP.)<o:p></o:p></span></i></b></p>
<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></i></b></p>
<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Now my assumption is that the openid bound to an RP’s
account in the above case is localid1, not localid2.<o:p></o:p></span></i></b></p>
<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></i></b></p>
<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If the form of localid1 is an XRI, http/https or HXRI form openid,
one has (with directed id based resolution of evidence of id control) achieved
delegation and portability, VERY much as it was in openid 1.x.<o:p></o:p></span></i></b></p>
<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></i></b></p>
<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The key thing is the obligation of the OP to do RP discovery (to
ensure the realm is authorized), and the RP to do claim discovery according to
the “changed” rules.<o:p></o:p></span></i></b></p>
<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></i></b></p>
<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>[Peter Williams] If any of the above is not sensible , don’t
study it too hard. I’m recalling it from my mental model formed several
months ago, when I last thought I understood the security andcontrol model underlying
openid auth v2. <o:p></o:p></span></i></b></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>John Bradley<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<div>
<p class=MsoNormal>On 9-Apr-09, at 4:40 PM, Peter Williams wrote:<o:p></o:p></p>
</div>
<p class=MsoNormal><br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal><br>
<br>
<br>
<o:p></o:p></p>
<p class=MsoNormal>-----Original Message-----<o:p></o:p></p>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>From: <a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a>
[<a href="mailto:general-bounces@openid.net">mailto:general-bounces@openid.net</a>]
On<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>Behalf Of John Bradley<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>Sent: Thursday, April 09, 2009 11:51 AM<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>To: Andrew Arnott<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>Cc: openid General<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>Subject: Re: [OpenID] OpenID 2.1 clarification on use of
LocalID<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>Yes that has come up in the XRD 1.0 work.<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>The <LocalID> is a string and can be a XRI, URI,
e-mail or any other<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>thing that the OP uses to identify the user.<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>In most cases that is a URL or a XRI but it could be
anything.<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>Delegation is a term that carried over from openID 1.0 and
probably is<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>not accurate any more.<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>The provider you are asserting is your provider.<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>If for some reason you provider knows you by some identifier
other<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>than the claimed_id then you can use the local_id to send an
arbitrary<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>string in the openid.identity.<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>The only identifier that the RP should discover is the
claimed_id. If<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>in the returned assertion by the OP the claimed_id and the<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>openid.identity are not equal (less hash) the
openid.identiy must be<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>the <LocalID> in the discovered information.<o:p></o:p></p>
</blockquote>
<p class=MsoNormal><br>
Nah.<br>
<br>
If the values are not equal, the RP must perform discovery on the value
supplied. This requirement provides the openid 1.1 delegation semantics,
expressed now through localid (whose value is supplied from the initial XRD
discovery).<br>
<br>
We went through this ad nauseum during the review of openid2.0. It works fine
for delegation through directed identity mode, too.<br>
<br>
<br>
<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>RP's not properly verifying that is an issue where someone
delegates<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>to a OP doing "Identifier Select". (By issue
I mean gaping security<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>hole)<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>That is a RP problem that can only occur when the User
delegates there<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>identity.<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>Someone delegating a URI to a iName would be entering a XRI
like<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>=jbradley as the <LocalID>.<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>It is also possible that someone delegating might not
include the<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>scheme ie ve7jtb.pip.verisignlabs.com as the <LocalID>
that should<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>work.<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>John Bradley<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>On 9-Apr-09, at 11:27 AM, Andrew Arnott wrote:<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>No where in the OpenID 1.x or 2.0 spec (that I can find) is
the<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>user's LocalID (openid.identity) mandated to be a URI.
Yes, it's a<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>"local identifier", but the OP might choose to let
that be simply<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>the local username like "andrew". In this
case, the OP hosted<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>identity page might include something like this:<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><link rel="openid2.provider" href="<a
href="http://provider/opendpoint">http://provider/opendpoint</a>"><o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><link rel="openid2.local_id" href="andrew"><o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>So this looks like delegation because a local_id is given,
but in<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>this case it's not. It just causes the RP to customize
the<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>openid.identity parameter to be 'andrew', which the OP will
use to<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>look up the username that should control the claimed_id.<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>The reason I bring this up is because I've seen many
libraries<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>assume that local_id is a URI and treat it as such.
I've even heard<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>ideas of performing discovery on the local_id. Now,
there's no<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>reason to perform discovery on the local_id... only the
claimed_id<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>needs to be discovered.<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>I don't even know if any OP out there uses non-URIs for
local_id's.<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>But since it's not a contradiction in the OpenID 1.1 or 2.0
specs, I<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>think that the 2.1 spec should call out EITHER that it MUST
be a URI<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>(and indicate whether discovery is required to succeed) OR
that it<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>CAN be any string at all that the OP is expecting.<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>--<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>Andrew Arnott<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>"I [may] not agree with what you have to say, but I'll
defend to the<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>death your right to say it." - Voltaire<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>_______________________________________________<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>general mailing list<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><a href="mailto:general@openid.net">general@openid.net</a><o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><o:p></o:p></p>
</blockquote>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>