<div class="gmail_quote">On Thu, Apr 9, 2009 at 11:51 AM, John Bradley <span dir="ltr">&lt;<a href="mailto:john.bradley@wingaa.com">john.bradley@wingaa.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
The only identifier that the RP should discover is the claimed_id. If in the returned assertion by the OP the claimed_id and the openid.identity are not equal (less hash) the openid.identity must be the &lt;LocalID&gt; in the discovered information.<br>
</blockquote></div><br><div>John, even if the claimed_id and the openid.identity are equal, the openid.identity must still "match" the discovered information, even if that information is implied by the absence of a LocalID tag. For instance, if LocalID is present with a value of "andrew", but the OP sends an assertion with an openid.identity that is equal to my claimed_id (which would necessarily not just be "andrew"), that is still a mismatch and the RP should not honor that assertion, even though openid.identity and openid.claimed_id are equal to each other. At least that's my reading.</div>
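<div>The check discussed in this thread, written out as an added example (not code from either poster or from any OpenID library). The <code>Discovered</code> type, the function name and the sample identifiers are hypothetical and constructed for illustration; the rule encoded is the reading given in the reply above, with an absent LocalID taken to mean the claimed identifier itself.</div>

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urldefrag


@dataclass(frozen=True)
class Discovered:
    """Result of RP discovery on the claimed_id (hypothetical type)."""
    claimed_id: str
    local_id: Optional[str]  # value of the LocalID tag, None when the tag is absent

    @property
    def expected_identity(self) -> str:
        # An absent LocalID implies the claimed identifier is the OP-local one.
        return self.local_id if self.local_id is not None else self.claimed_id


def identity_matches_discovery(assertion: dict, discovered: Discovered) -> bool:
    """True only if the assertion's identifiers agree with the discovered data."""
    claimed = assertion.get("openid.claimed_id")
    identity = assertion.get("openid.identity")
    if not claimed or not identity:
        return False
    # The claimed_id is compared without its fragment ("less hash").
    if urldefrag(claimed).url != urldefrag(discovered.claimed_id).url:
        return False
    # openid.identity is judged against discovery, never against claimed_id alone.
    return identity == discovered.expected_identity


# Constructed sample values, not taken from the thread.
CLAIMED = "https://andrew.example.org/"
WITH_LOCAL_ID = Discovered(claimed_id=CLAIMED, local_id="andrew")
WITHOUT_LOCAL_ID = Discovered(claimed_id=CLAIMED, local_id=None)


def make_assertion(claimed_id: str, identity: str) -> dict:
    return {"openid.claimed_id": claimed_id, "openid.identity": identity}


if __name__ == "__main__":
    # identity equals claimed_id, but discovery found LocalID "andrew": reject.
    print(identity_matches_discovery(make_assertion(CLAIMED, CLAIMED), WITH_LOCAL_ID))
    # identity equals the discovered LocalID: accept.
    print(identity_matches_discovery(make_assertion(CLAIMED, "andrew"), WITH_LOCAL_ID))
```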