The CanonicalID Approach

Johnny Bufu johnny at sxip.com
Fri Jun 8 23:08:54 UTC 2007


On 8-Jun-07, at 3:04 PM, Drummond Reed wrote:

> http://openid.aol.com/daveman692 - reassignable
> http://openid.aol.com/daveman692#1234 - persistent
>
> If an XRDS for the reassignable identifier asserts the persistent  
> identifier
> as a Canonical ID, a second round trip is not required because the  
> client
> can verify that http://openid.aol.com/ is authoritative for both  
> daveman692
> and daveman692#1234.

Because in the case of URLs delegation is decoupled from the  
identifiers, I don't think that verifying only the authority part  
will suffice.

I could have the XRDS at:

	http://openid.aol.com/johnny692

assert the cannonical ID:
	
	http://openid.aol.com/daveman692#1234

.. but have http://openid.aol.com/johnny692 delegate to my own OP  
running in my basement, which is configured to issue assertions with  
the above canonical id. Checking only the authority section would  
render such assertions valid.

Unless I'm missing something, I believe we should mandate a stricter  
verification, on the full URL without the fragment. (Whoever controls  
the URL without the fragment, also controls the URL with any fragments.)


Johnny




More information about the specs mailing list