[OpenID] Where can I get a free i-name?

Martin Atkins mart at degeneration.co.uk
Sat Jan 13 11:17:11 UTC 2007


Kevin Turner wrote:
> On Fri, 2007-01-12 at 22:20 +0200, Dmitry Shechtman wrote:
>> Brad Topliff wrote:
>>> I can't speak to whether or not this is how the libraries generally handle
>>> XRIs but since I have seen it work *correctly* before, I have to assume
>>> it is an implementation issue.
>> Being a developer, I can confirm this assumption.
>>
>> This is clearly a bug in all JanRain libraries I'm aware of. It is hopefully
>> to be fixed in the upcoming versions. JanRain devs, are you listening?
> 
> Notabug!  Feature!  i.e. specification conformance!  I quote from
> http://openid.net/specs/openid-authentication-2_0-pre11.html:
> 
>         XRI and the CanonicalID Element
>         
>         When the identifier is an XRI, the <xrd:XRD> element that
>         contains the OpenID Authentication <xrd:Service> element MUST
>         also contain a <CanonicalID> element. The content of this
>         element MUST be used as the Claimed Identifier (see Section
>         11.4(Identifying the end user)). This is a vital security
>         consideration because a primary purpose of the <CanonicalID>
>         element is to assert a persistent identifier that will never be
>         reassigned, thus preventing the possibility of an XRI being
>         "taken over" by a new registrant. 
> 

I think the intent here is that you use the canonical i-number (after 
validating it, of course) as your "key" (for finding this identity 
later) but you use the user's chosen i-name for display.

There's no reason why the display identifier and the key identifier have 
to be the same, as long as you've ensured that the substitution is valid.

(Though there are questions about correctly cleaning all this up later 
when the i-name gets reassigned and the new owner signs in.)

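As an added example (not code from this thread or from any JanRain library), here is how a relying party can follow the spec text quoted above and the key/display split described in the reply: the CanonicalID i-number is the account key, the i-name is kept for display, and a known i-name that later resolves to a different i-number is treated as a new identity. The XRDS documents, the i-name =example.user and the i-numbers are constructed.

```python
import xml.etree.ElementTree as ET

# XRD 2.0 namespace used in OpenID Authentication 2.0 XRDS documents.
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID_SIGNON = "http://specs.openid.net/auth/2.0/signon"

def _q(tag):
    return "{%s}%s" % (XRD_NS, tag)

def canonical_id_from_xrds(xrds_xml):
    """Return the i-number the RP must use as the Claimed Identifier.
    For an XRI the XRD carrying the OpenID <Service> MUST also carry a
    <CanonicalID>; without one the sign-in is rejected rather than
    falling back to the i-name the user typed. Verifying the CanonicalID
    against the resolution chain is assumed done by the XRI resolver.
    """
    root = ET.fromstring(xrds_xml)
    for xrd in root.iter(_q("XRD")):
        for svc in xrd.findall(_q("Service")):
            if OPENID_SIGNON not in [t.text for t in svc.findall(_q("Type"))]:
                continue
            cid = xrd.find(_q("CanonicalID"))
            if cid is None or not (cid.text or "").strip():
                raise ValueError("XRI XRD has no CanonicalID; refusing sign-in")
            return cid.text.strip()
    raise ValueError("no OpenID 2.0 signon service in XRDS")

def link_identity(store, iname, xrds_xml):
    """Find or create the local account for an XRI sign-in.
    `store` maps i-number -> account: the i-number is the key, the i-name
    is display only. A known i-name that now resolves to a different
    i-number gets a fresh account; the new registrant never inherits the old.
    """
    inumber = canonical_id_from_xrds(xrds_xml)
    account = store.setdefault(inumber, {"key": inumber})
    account["display"] = iname  # the owner may have renamed their i-name
    return account

# Constructed sample XRDS for the hypothetical i-name =example.user.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <CanonicalID>=!0000.0000.0000.0001</CanonicalID>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.invalid/auth</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""
# The same i-name after a constructed reassignment to another registrant.
REASSIGNED_XRDS = SAMPLE_XRDS.replace("=!0000.0000.0000.0001", "=!0000.0000.0000.0002")
```

Cleaning up the old account when the previous owner is gone (the open question at the end of the reply) is left to the application; this only ensures the two registrants never share one record.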