No subject


Tue Apr 24 11:52:11 UTC 2007




Agreed.

6 needs to convey back and forth a state vector, which upon return reconnects the browser to the OpenID Provider state machine, which is in a wait state. The "indication" of the state vector + the result of the user authentication will allow it to resume its processing.

We already demonstrated this basic process, when we took the JanRain Provider and made the browser follow redirects back and forth to/from the login site at a third party site ... before the JanRain provider continued upon return from user auth with the OpenID state machine.

From: Recordon, David [mailto:drecordon at verisign.com]
Sent: Sunday, July 08, 2007 2:56 PM
To: Peter Williams; general at openid.net
Subject: RE: [OpenID] canonical Identifier URL, without using delegated authentication

For 6 and 7, as long as the Provider maintains the OpenID Authentication request through the login redirects then it shouldn't be a problem. It just needs to maintain the state so once the user logs in they can proceed, allow the OpenID request, and then have the Provider redirect them back to the RP.

--David

From: Peter Williams [mailto:pwilliams at rapattoni.com]
Sent: Sunday, July 08, 2007 2:53 PM
To: Recordon, David; general at openid.net
Subject: RE: [OpenID] canonical Identifier URL, without using delegated authentication

The only amendment I'd make concerns 6 and 7.

    Hey Peter,
    I think I'm following you...

    1) The End User provides
    https://login.rapmlsstg.com/IdpSsoHandler2.aspx?Target=https%3a%2f%2fsso.rapmlsstg.com%3a12030%2fidp%2fstartSSO.ping%3fPartnerSpId%3drapattoni:stg:customer%26IdpAdapterId=STGIdp%26TargetResource%3dhttps%3a%2f%2peteraccount.rapdata.com/&Contract=2
    to the RP.

    2) The RP fetches the Claimed Identifier which has a series of 302 Redirects (to a logged out user-agent...the RP) which end at https://peteraccount.rapdata.com/.

    3) https://peteraccount.rapdata.com/ is now the canonicalized Claimed Identifier.

    4) The RP performs discovery on the Claimed Identifier resulting in an HTML-Based Discovery openid.server tag with the value of https://login.rapmlsstg.com/sp/SsoHandler.aspx.

    5) The RP redirects the user to https://login.rapmlsstg.com/sp/SsoHandler.aspx with the appropriate OpenID Authentication request.

    6) The user authenticates however they need to, or is already authenticated.

    7) The user allows the transaction at their Provider which responds to the RP.

    --David

6) the sp/SsoHandler.aspx redirects the browser with 302 responses one or more times, to some remote login-site where the user authenticates however they need to, or is already authenticated.

7) after user authentication, the login site redirects the browser one or more times back to sp/SsoHandler.aspx, whereupon the user allows the transaction at their Provider which responds to the RP.

If we can agree that this is generally consistent with the intent and model of OpenID, I'll go and build it. It would be merely an extension of the OpenID experiment we already performed, with folks at www.scardsoft.com.

FYI:

The redirects on the front and back ends provide me with great added value. They will allow me to resolve such as XRIs without using a proxy architecture. An XRI form of Claimed Identity (https://mls.com/=Peter.Williams) can now be resolved as a side effect of OP provider discovery. Similarly, a protocol of "trusted redirects" can secure the discovery process itself, automatically deliver name-federation-based name resolution, and optionally automatically use pseudonyms to enforce privacy firewalls during a discovery run that the discovery subsystem recognizes as crossing security domain boundaries.

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Peter Williams
Sent: Friday, July 06, 2007 11:39 PM
To: general at openid.net
Subject: [OpenID] canonical Identifier URL, without using delegated authentication

Let's test an edge case of the following "Note" in the specification:

    "The End User is NOT REQUIRED to prefix their Identifier URL with "http://" or postfix it with a trailing slash. Consumers MUST canonicalize the Identifier URL, following redirects, and note the final URL. The final, canonicalized URL is the End User's Identifier."
    [http://openid.net/specs/openid-authentication-1_1.html]

This seems to imply that if the Consumer gets a series of 302 HTTP redirects it must follow the location headers in the response(s) till it receives a 200 response which also delivers an HTML resource (with at least markup for the openid.server link value).

Ok. Let's now pick a silly (but legal) edge case of this rule. Let's make the "Identifier URL" typed into the Login field [s3.2]:

https://login.rapmlsstg.com/IdpSsoHandler2.aspx?Target=https%3a%2f%2fsso.rapmlsstg.com%3a12030%2fidp%2fstartSSO.ping%3fPartnerSpId%3drapattoni:stg:customer%26IdpAdapterId=STGIdp%26TargetResource%3dhttps%3a%2f%2peteraccount.rapdata.com/&Contract=2

Ugh! You might say. But, such a convoluted value is really NOT beyond the realm of possibility for machine-based logon. We have all seen what Microsoft Word conversion to HTML did to the use of HTML markup, making it unreadable by humans!

Now, if we follow the Important Note in the spec, the Consumer shall apparently follow the redirects caused by that URL's resolution. As the resource at the URL happens to cause (for authorized users) an IDP-initiated SAML flow (via, say, the REDIRECT binding), a series of redirects will occur eventually landing on a site for the URL peteraccount.rapdata.com <http://www.peteraccount.crsdata.com> etc (if the DNS registrations and SAML trust relations all hold up, at evaluation time).

From what I can determine, once https delivers the HTML document (according to and satisfying the Consumer's SSL key management policy) the "final URL" is https://peteraccount.rapdata.com/ . This string, furthermore, is the "final, canonicalized URL" (in the absence of an openid.delegated link field value in the HTML document delivered over https). This is thus the "End User's Identifier".

------------

Let's continue the thought experiment:-

Let's say that the openid.server link value is https://login.rapmlsstg.com/sp/SsoHandler.aspx. We can note that this URL has little formal relationship to the End User's Identifier https://peteraccount.rapdata.com/

Nevertheless, the consumer can now expect to find an OP Provider listener at that link value URL. If this is true, the consumer agent and provider agent then engage in the "OpenID Authentication Protocol".

In the course of completing the protocol, the provider agent will normally be required to perform BY MEANS BEYOND THE SCOPE OF OPENID AUTH SPEC, user authentication - before it supplies the "cryptographic proof" that a user controls the End User's Identifier. After following some series of locally-defined redirects to a form-login page, users might perform this by completing the action of typing in a correct username/password combination.

Is there any flaw in my understanding, in any of the above?

Are the examples "complying"?

_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general

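As an added example (not code from the thread or from any OpenID library), here is the Consumer side of steps 1 to 4 of David's list: canonicalize what the End User typed, follow the 302 chain to the final URL, and read the openid.server and openid.delegate links from the HTML delivered there. The HTTP layer is a constructed lookup table so it runs offline; the shortened IdpSsoHandler2 URL, the loop.example and down.example hosts, and the hop limit are assumptions, and the loop and https-to-http checks are the caveats a Consumer would add to the Note's "follow redirects" rule.

```python
"""OpenID 1.1 Consumer-side canonicalization and HTML-based discovery."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

MAX_REDIRECTS = 10  # assumption: hop limit so a redirect loop cannot hang the Consumer

# Constructed stand-in for HTTP: url -> (status, Location header, body). The typed
# identifier is a shortened version of the thread's IdpSsoHandler2 URL; the chain
# ends at the thread's canonical identifier, which carries its openid.server link.
FAKE_HTTP = {
    "https://login.rapmlsstg.com/IdpSsoHandler2.aspx?Target=sso":
        (302, "https://sso.rapmlsstg.com:12030/idp/startSSO.ping", ""),
    "https://sso.rapmlsstg.com:12030/idp/startSSO.ping":
        (302, "https://peteraccount.rapdata.com", ""),
    "https://peteraccount.rapdata.com/":
        (200, None, '<html><head><link rel="openid.server" '
                    'href="https://login.rapmlsstg.com/sp/SsoHandler.aspx"></head></html>'),
    "https://down.example/": (302, "http://down.example/insecure", ""),
    "http://loop.example/a": (302, "http://loop.example/b", ""),
    "http://loop.example/b": (302, "http://loop.example/a", ""),
}


def canonicalize(identifier):
    """The spec's Note: add the missing scheme and trailing slash. Lowercasing the
    scheme and host is an added normalization (DNS names are case-insensitive)."""
    identifier = identifier.strip()
    if "://" not in identifier:
        identifier = "http://" + identifier
    p = urlsplit(identifier)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


class LinkTagParser(HTMLParser):
    """Collect <link rel=... href=...> values; the first tag for each rel wins."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                self.links.setdefault(rel, a.get("href"))


def discover(typed_identifier, fetch=FAKE_HTTP.get):
    """Follow 302s from what the End User typed to the final 200 HTML document and
    return (claimed identifier, openid.server, openid.delegate or None).
    Refuses a chain that loops or that drops from https to http."""
    url = canonicalize(typed_identifier)
    started_secure = url.startswith("https://")
    for _ in range(MAX_REDIRECTS + 1):
        resp = fetch(url)
        if resp is None:
            raise ValueError("no response for " + url)
        status, location, body = resp
        if status == 302:
            url = canonicalize(urljoin(url, location))
            if started_secure and not url.startswith("https://"):
                raise ValueError("redirect downgraded https to http: " + url)
            continue
        if status != 200:
            raise ValueError("unexpected status %d at %s" % (status, url))
        parser = LinkTagParser()
        parser.feed(body)
        if "openid.server" not in parser.links:
            raise ValueError("no openid.server link at " + url)
        return url, parser.links["openid.server"], parser.links.get("openid.delegate")
    raise ValueError("too many redirects from " + typed_identifier)
```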

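For steps 6 and 7, the "state vector" Peter describes (the Provider parking the OpenID Authentication request while the browser is sent to a remote login site, then reconnecting on return), as an added example that is not code from the thread, the JanRain Provider or any OpenID implementation: LOGIN_SITE, HANDLER_URL, the identity-owner table and the in-memory store are assumptions, and the signature fields of the id_res response are left out.

```python
"""Provider-side state vector around the external login redirects (steps 6 and 7)."""
import secrets
import time
from urllib.parse import urlencode

LOGIN_SITE = "https://login.example.invalid/form"        # assumption: the remote login site
HANDLER_URL = "https://op.example.invalid/sp/SsoHandler"  # assumption: the Provider's return point
STATE_TTL = 300                                           # seconds a parked request stays resumable
# Constructed: which local account controls which Claimed Identifier.
IDENTITY_OWNER = {"https://peteraccount.rapdata.com/": "peter"}


class ProviderStateMachine:
    """The Provider side of steps 6 and 7: park, redirect out, resume on return."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}  # opaque token -> (browser session id, expiry, OpenID request)

    def park_and_redirect(self, session_id, openid_request):
        """Step 6: remember the OpenID request and send the browser to the login site.
        The state token is random and bound to the browser session, so a token that
        leaks via a referrer or log line cannot be replayed from another browser."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = (session_id, self.now() + STATE_TTL, dict(openid_request))
        return LOGIN_SITE + "?" + urlencode({"return": HANDLER_URL, "state": token})

    def resume(self, session_id, token, authenticated_user, user_allows):
        """Step 7: the login site sent the browser back with the token. Reconnect to the
        parked request and answer the RP. Returns None when the state is unknown,
        expired, replayed or presented by a different browser (show an error, do not
        redirect); otherwise the redirect to return_to. The signature fields
        (openid.assoc_handle, openid.signed, openid.sig) are omitted for brevity."""
        entry = self.pending.pop(token, None)  # pop makes every token single-use
        if entry is None:
            return None
        bound_session, expiry, req = entry
        if bound_session != session_id or self.now() > expiry:
            return None
        identity = req["openid.identity"]
        return_to = req["openid.return_to"]
        # Assert only identities the logged-in account controls, and only with consent.
        if user_allows and IDENTITY_OWNER.get(identity) == authenticated_user:
            params = {"openid.mode": "id_res", "openid.identity": identity,
                      "openid.return_to": return_to}
        else:
            params = {"openid.mode": "cancel"}
        sep = "&" if "?" in return_to else "?"
        return return_to + sep + urlencode(params)
```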