Directed Identity and the '#' symbol

Andrew Arnott andrewarnott at gmail.com
Sun Apr 26 14:17:15 UTC 2009


Shade, why make the user add #secure to their URI, Shade?  Why not just have
them prefix their identifier with "https://" like every other RP?  People
are already pretty used to checking for https:// to make them feel secure in
my experience, even if they don't know what it actually menas, but that's
ok.
Santosh, RPs are supposed to accept #3 as the user's identifier.  While
internally they normalize that to include an http:// prefix during
authentication, they can remove it again before displaying it as their login
name to the user.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Sun, Apr 26, 2009 at 1:30 AM, SitG Admin <sysadmin at shadowsinthegarden.com
> wrote:

>  3) santosh.rajan.myopenid.com
>> 4) http://santosh.rajan.myopenid.com
>> 5) http://myopenid.com/santoshrajan
>>
>> Now (1) and (2) are not practical so we will eliminate that. (3) is the
>> best
>> option as I see it. I know you will say that there is no difference
>> between
>> (3) and (4). But if you are an average user it makes a huge difference.
>>
>
> While it is true that 3 will default to 4 (and it would be nice if users
> had a way to specify 6, i.e. httpS), this is primarily for discovery and
> internal distinction - since users cannot be known as 3 (because it is not a
> legal URI), there is no risk of confusing an entry for 4 with an entry for
> 3, and RP's can trivially omit the 'http://' before users' ID's, so that,
> to the average user, they DO show up as 3; they need never know they are
> being treated any differently. (This is most apparent in the case of XRI,
> where the user's unique Identity might be '=!F83.62B1.44F.2813' even when
> '=drummond' is what appears to users.)
>
> When you see actions attributed to OpenID users at some RP's site, there
> might be a little "Secure" logo/label to show off that the user took THAT
> action when authenticated over SSL.
>
> One of the #options I had planned was to use HTTPS instead of HTTP where
> the user added '#secure' to their URI; this wouldn't help with attackers
> hijacking DNS, but it would help the user to not accidentally go to the
> wrong server. (I said 'help', not 'ensure'; users would still be responsible
> for listening to their browser's warnings about bad certificates, and
> probably still ignore them.)
>
>  So the puzzle is why wasn't (3) chosen as the Openid instead of (4) and
>> (5)
>>
>
> Because browsers need to know where they're looking for the resource; HTTP
> is merely one protocol, others can be launched through the browser (FTP and
> TELNET come to mind).
>
>
> -Shade
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20090426/a4ad1331/attachment.htm>


More information about the specs mailing list