The CanonicalID Approach
Johnny Bufu
johnny at sxip.com
Fri Jun 8 23:08:54 UTC 2007
On 8-Jun-07, at 3:04 PM, Drummond Reed wrote:
> http://openid.aol.com/daveman692 - reassignable
> http://openid.aol.com/daveman692#1234 - persistent
>
> If an XRDS for the reassignable identifier asserts the persistent
> identifier
> as a Canonical ID, a second round trip is not required because the
> client
> can verify that http://openid.aol.com/ is authoritative for both
> daveman692
> and daveman692#1234.
Because in the case of URLs delegation is decoupled from the
identifiers, I don't think that verifying only the authority part
will suffice.
I could have the XRDS at:
http://openid.aol.com/johnny692
assert the cannonical ID:
http://openid.aol.com/daveman692#1234
.. but have http://openid.aol.com/johnny692 delegate to my own OP
running in my basement, which is configured to issue assertions with
the above canonical id. Checking only the authority section would
render such assertions valid.
Unless I'm missing something, I believe we should mandate a stricter
verification, on the full URL without the fragment. (Whoever controls
the URL without the fragment, also controls the URL with any fragments.)
Johnny
More information about the specs
mailing list