[OpenID] URL normalization issues
Lukas Rosenstock
lukas.rosenstock at identity20.eu
Fri Mar 23 22:42:08 UTC 2007
> One of the problems with XRDS discovery (formerly known as Yadis) is
Is it not Yadis anymore?
> that it makes it difficult to avoid serving more than one URL that can
> be used as an identifier: the XRDS file's URI is *also* a valid
> identifier. You can observe this problem if you have a MyOpenID.com
> account by trying to sign in somewhere that supports XRDS discovery
> (i.e. not LiveJournal) with <http://youraccount.myopenid.com/xrds>.
If you log in somewhere using youraccount.myopenid.com/xrds, that RP
accepts this identifier, but sends it as openid.identifier to MyOpenID.com
and MyOpenID.com should not accept this ... okay, my mistake, if the XRDS
file contains an oid:Delegate (and MyOpenID.com contains it) MyOpenID.com
will never know about the "wrong" identifier.
I don't see this as a fundamental problem, because users will not very
likely add /xrds to their identifier and if they do call it a feature and
not a bug ;-)
Anyway, can we change the Yadis spec to work around this problem, e.g. add
something to the XRDS to say that this document belongs to a particular
identifier?
--
Lukas Rosenstock
Identity 2.0 Europe :: http://identity20.eu/
More information about the general
mailing list