[PROPOSAL] Handle "http://user@example.com" Style Identifiers
David Fuelling
sappenin at gmail.com
Fri Nov 10 15:19:51 UTC 2006
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Martin Atkins
> Sent: Friday, November 10, 2006 2:41 AM
> To: general at openid.net
> Subject: Re: [PROPOSAL] Handle "http://user@example.com" Style Identifiers
>
> I provide email addresses to some of my friends, but I don't provide
> them with corresponding OpenID identities. By an unfortunate twist of
> fate, the domain I provide these addresses in is also my website, and
> since my site doesn't require authentication the WWW-Authenticate header
> is ignored. Consequently, http://anyusername@mydomain.com/ will end up
> at *my* website, not the website of the person who uses
> anyusername@mydomain.com.
>
Ok, so (just to clarify) in your example we're talking about an email
address 'anyusername@mydomain.com' that maps to a URL at an IdP, such that
the mapped URL includes the username ('http://anyusername@mydomain.com')
[** just to be clear, this is David R's proposal...my proposal ignores the
userid in the email address **]

So, in your example, if you have given someone an email address with a
domain 'mydomain.com', and you choose not to offer OpenID services, then
emails in your domain can't be used with OpenID. I don't see the problem
-- you own the domain, after all, and should control that decision.

Additionally, your scenario is also true in the case of a regular Identity
URL that you give out. If you provide an Identity URL
'http://someuser.mydomain.com', but you happen to support some other User
Centric Identity standard (i.e., not OpenID), and your user tries to use
the URL that you provided (with an OpenID RP), he'd get the same result.
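
The collision discussed in this thread, as an added example that is not part of the original messages: it uses Python's standard `urllib.parse` to show that identifiers differing only in the userinfo part select the same resource when the server does not require authentication. The function names and the `otheruser` identifier are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def dereference_target(identifier):
    """Return (scheme, host, port, request-target): the parts of the URL that
    select the resource when the server ignores credentials (assumption taken
    from the scenario quoted in the thread)."""
    parts = urlsplit(identifier)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {identifier!r}")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    # parts.username (the userinfo) is deliberately absent from the result:
    # it is not part of the Host header or the request line.
    return (parts.scheme, parts.hostname, port, target)

def colliding_identifiers(identifiers):
    """Group identifiers that resolve to the same resource and return only
    the groups with more than one member."""
    groups = {}
    for ident in identifiers:
        groups.setdefault(dereference_target(ident), []).append(ident)
    return {t: ids for t, ids in groups.items() if len(ids) > 1}

# Constructed sample identifiers based on the names used in the thread.
SAMPLE = [
    "http://anyusername@mydomain.com/",
    "http://otheruser@mydomain.com/",   # constructed second user
    "http://mydomain.com/",
    "http://someuser.mydomain.com",
]

if __name__ == "__main__":
    for target, ids in colliding_identifiers(SAMPLE).items():
        print(target, "<-", ids)
```

The subdomain-style identifier stays out of the colliding group because the username is part of the host name there, which the server does see.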