[OpenID] Scheme in OP-Local ID

Johnny Bufu johnny at sxip.com
Thu Sep 6 22:16:25 UTC 2007


On 6-Sep-07, at 2:56 PM, Jack wrote:

> Johnny Bufu wrote (quoting Peter):
>>
>>> We cannot make the assumption that XRDS metadata for normalized
>>> user input URL will be identical with the XRDS metadata for the
>>> claimed_id in the check_id response
>>
>> That's the equivalent of saying "we cannot make the assumption that
>> verification of discovered information will succeed all the time,
>> even when the XRDS discovery data is wrong or the OP issues bad
>> assertions".
>
> So we have potentially _three_ identifiers, and necessarily at least two
> identifiers, being handled in each authentication transaction: the
> claimed_id, and the user-supplied id, and possibly a distinct local_id.

Yes; the meaning of each of them is outlined in the terminology  
section at the beginning of the spec.

> Any two of these might be byte-for-byte identical, but they are
> different things - because the claimed_id is validated, and neither of
> the others is (and sadly, the one the user relies on is one of the two
> that aren't validated - the user-supplied id.)

How do you define "relies"?

As far as the user is concerned it can be said that there is only  
one: OpenID Identifier. The fact that they enter example.com and  
http://example.com/ gets validated shouldn't matter to them. In the  
'user input' text box they are equivalent.

Enforcing consistency here would require users to always type in http(s)://.

The OP-Local Identifier is likely seen only once by the user, when he  
configures the delegation to their provider of choice. During all the  
subsequent transactions it is hidden behind the scenes.


Agreed - when getting down to coding, the three identifiers (user-supplied,
claimed, op-local) need to be treated as separate entities.


Johnny
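
An added example, not part of the original message or of any OpenID library: a relying-party sketch in Python that keeps the user-supplied, claimed and OP-Local identifiers separate and checks a positive assertion against discovered information. The hosts, the `DiscoveredInfo` type and the function names are assumptions; discovery is stubbed with constructed values and no redirects are followed.

```python
from dataclasses import dataclass
from urllib.parse import urldefrag, urlsplit, urlunsplit

XRI_START = ("=", "@", "+", "$", "!", "(")  # XRI global context symbols, or "("

def normalize_user_input(text: str) -> str:
    """Turn a User-Supplied Identifier into the form discovery starts from."""
    text = text.strip()
    if text.lower().startswith("xri://"):
        text = text[len("xri://"):]
    if text.startswith(XRI_START):
        return text  # XRI: handed to XRI resolution, not URL handling
    if not text.lower().startswith(("http://", "https://")):
        text = "http://" + text
    p = urlsplit(text)
    # Drop the fragment, lowercase scheme and host, use "/" for an empty path.
    # Simplification: no redirects are followed and userinfo is not handled.
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))

@dataclass(frozen=True)
class DiscoveredInfo:
    claimed_id: str   # validated identifier; the one to key accounts on
    op_local_id: str  # identifier the OP knows the user by (delegation target)
    op_endpoint: str

def assertion_matches(info: DiscoveredInfo, response: dict) -> bool:
    """Compare a positive assertion's fields with what the RP discovered."""
    claimed, _fragment = urldefrag(response.get("openid.claimed_id", ""))
    return (claimed == info.claimed_id
            and response.get("openid.identity") == info.op_local_id
            and response.get("openid.op_endpoint") == info.op_endpoint)

# Constructed sample: the user typed "Example.com" and delegates to an OP.
typed = "Example.com"
info = DiscoveredInfo(
    claimed_id=normalize_user_input(typed),
    op_local_id="https://op.example.net/users/jack",
    op_endpoint="https://op.example.net/server",
)
good = {"openid.claimed_id": "http://example.com/",
        "openid.identity": "https://op.example.net/users/jack",
        "openid.op_endpoint": "https://op.example.net/server"}
bad = dict(good, **{"openid.identity": "https://op.example.net/users/mallory"})

if __name__ == "__main__":
    print(typed, "->", info.claimed_id)
    print("good:", assertion_matches(info, good), "bad:", assertion_matches(info, bad))
```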



