Directed Identity and the '#' symbol
SitG Admin
sysadmin at shadowsinthegarden.com
Sun Apr 26 16:52:35 UTC 2009
At 2:16 AM -0700 4/26/09, Santosh Rajan wrote:
>In that case the spec could have specified "http" only without the user
>having to know.

The user DOESN'T have to know. RPs "in the wild" today have shown me
"shadowsinthegarden.com" as my OpenID, even though internally they
are surely prefixing this with the protocol.

>Because discovery does not require https or anything else.

It sure does if you want security through trust :p

(I know, I know; "OpenID is about identity, not trust." But still.)

At 7:17 AM -0700 4/26/09, Andrew Arnott wrote:
>Shade, why make the user add #secure to their URI, Shade? Why not
>just have them prefix their identifier with "https://" like every
>other RP?

To clarify: they *may* use the full address if they so desire. If
they find this confusing, though, or happen to forget, they *may*
find such an alternative more convenient. I won't remove the
"https://" if they omit "#secure"; I'll just *add* it (replacing
"http://" if necessary) if they *do* add that argument.

-Shade
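
Added example, not part of the original message or of any RP's code: a sketch of the normalization rule described above, in which "#secure" upgrades the identifier to https and its absence never downgrades one. The function name is hypothetical; defaulting to "http://", dropping the fragment and using "/" for an empty path are assumptions taken from OpenID 2.0 URL normalization, and XRI identifiers are not handled.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(user_input: str) -> str:
    """Return the URL a relying party would run discovery on (hypothetical helper)."""
    text = user_input.strip()

    # Split off the fragment first: it is a hint to the RP, not part of the
    # identifier, and is dropped from the result either way.
    base, _, fragment = text.partition("#")
    force_https = fragment.lower() == "secure"

    # A bare "example.com" gets the default scheme, as RPs already do internally.
    if "://" not in base:
        base = "http://" + base

    parts = urlsplit(base)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an http(s) identifier: {user_input!r}")

    # One-way upgrade: "#secure" replaces http with https, while an
    # identifier typed with https:// stays https when the hint is omitted.
    if force_https:
        scheme = "https"

    return urlunsplit((scheme, parts.netloc, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    # Constructed sample inputs covering each case in the message.
    for sample in (
        "shadowsinthegarden.com",
        "shadowsinthegarden.com#secure",
        "http://shadowsinthegarden.com#secure",
        "https://shadowsinthegarden.com",
    ):
        print(f"{sample:40} -> {normalize_identifier(sample)}")
```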