No subject


Fri Aug 15 23:49:43 UTC 2008


From the spec:

Value: (optional) The Claimed Identifier.

"openid.claimed_id" and "openid.identity" SHALL be either both present or
both absent. If neither value is present, the assertion is not about an
identifier, and will contain other information in its payload, using
extensions (Extensions)<file:///C:/git/dotnetopenid/doc/specs/openid-authentication-2_0.html#extensions>.

So you can't include one without the other.  And having neither doesn't
provide any authentication at all.  Delegation *should* work, if you had an
openid identity page with an openid2.local_id tag that was exactly the opaque
RP-specific identifier that Google would assign the RP that you are trying
to log into.  That would mean you'd need a separate delegate page for every
single RP you log into... but it's theoretically possible.  It would just be
a maintenance nightmare. It would be interesting to test just to see if
Google actually implemented the spec correctly to handle *non*-directed
identity scenarios.

On Fri, Nov 7, 2008 at 5:40 PM, Breno de Medeiros <breno at google.com> wrote:

> On Fri, Nov 7, 2008 at 4:48 PM, Allen Tom <atom at yahoo-inc.com> wrote:
> > Deron Meranda wrote:
> >> Of course, from an OP usability perspective, it's not exactly straight
> >> forward for somebody to determine their actual Yahoo identity(-ies),
> >> although it is possible.
> >>
> > We definitely can improve the usability, but you can list your Yahoo
> > OpenID identifiers by going to http://openid.yahoo.com and clicking on
> > the "OpenID Home link" at the top of the page.
> >
> >> And, just from curiosity, why are the randomly generated URIs
> >> (both Google and Yahoo!) so long?
> > :)
> >
> >> So, the current Google situation makes it almost impossible to use
> delegation!
> >>
> >>
> > Hmm, it does appear that it's impossible for someone to delegate their
> > OpenID to Google.
>
> The OpenID spec says that the op_local is an optional field. I think
> in practice libraries set identity=claimed_id in this case. I assume
> it is then unspecified how the OP validates that the user is
> authorized over that URL. That changes nothing from the RP
> perspective, because it always has to depend on the OP to make that
> judgment.
>
> Bottom line: The fact that the op_local technique is not available for
> usage with the Google OP does not mean that it cannot support
> delegation.
>
> >
> > Allen
> >
> >
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general
> >
>
>
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
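The RP-side checks the thread is arguing about, as an added example that is not code from the message above or from dotnetopenid: HTML-based discovery of openid2.provider / openid2.local_id, the "both present or both absent" rule for openid.claimed_id and openid.identity, and the spec's requirement (section 11.2) that a positive assertion match what discovery on the claimed identifier yields, which is what makes a delegated identifier verify only when the OP asserts exactly the discovered local_id. The hosts alice.example, bob.example and op.example, the identity pages and the assertions are constructed sample data, not real Google or Yahoo pages; signature verification is a separate step not shown here.

```python
"""Added example: verify the identifier fields of an OpenID 2.0 positive
assertion against HTML discovery on the claimed identifier. Hosts, pages
and assertions are constructed sample data, not real provider output."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


class _LinkRelParser(HTMLParser):
    """Collect <link rel=... href=...> elements from an identity page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        rel, href = attrs.get("rel"), attrs.get("href")
        if rel and href:
            for r in rel.split():  # rel may hold several space-separated values
                self.links.setdefault(r, href)


def discover(identity_page_html):
    """HTML discovery: return (op_endpoint, local_id); local_id is None when the
    page does not delegate, i.e. the OP-local identifier is the claimed one."""
    parser = _LinkRelParser()
    parser.feed(identity_page_html)
    endpoint = parser.links.get("openid2.provider")
    if endpoint is None:
        raise ValueError("no openid2.provider link: not an OpenID 2.0 identity page")
    return endpoint, parser.links.get("openid2.local_id")


def parse_assertion(query_string):
    """Flatten the openid.* parameters of an indirect response into a dict."""
    return {k: v[0] for k, v in parse_qs(query_string).items()}


def check_assertion(params, fetch_page):
    """Return the verified claimed identifier, None for an extension-only
    assertion, or raise ValueError. fetch_page(url) -> identity page HTML."""
    claimed = params.get("openid.claimed_id")
    identity = params.get("openid.identity")
    # Rule 1: both present or both absent.
    if (claimed is None) != (identity is None):
        raise ValueError("claimed_id and identity must be both present or both absent")
    if claimed is None:
        return None  # payload carries only extension data, asserts no identifier
    # Directed identity: the OP must have replaced identifier_select.
    if IDENTIFIER_SELECT in (claimed, identity):
        raise ValueError("OP left identifier_select in the response")
    # Rule 2: re-discover the returned claimed_id (fragment stripped; an OP may
    # append one) and require the asserted OP-local identifier and endpoint to
    # match. An OP can only assert a URL that actually delegates to it.
    bare = claimed.split("#", 1)[0]
    endpoint, local_id = discover(fetch_page(bare))
    expected_identity = local_id if local_id is not None else bare
    if identity != expected_identity:
        raise ValueError(f"identity {identity!r} != discovered {expected_identity!r}")
    if params.get("openid.op_endpoint") != endpoint:
        raise ValueError("op_endpoint does not match the provider discovered for claimed_id")
    return claimed


# Constructed identity pages (hypothetical hosts).
PAGES = {
    "https://alice.example/": (  # delegates to an opaque OP-local identifier
        '<html><head><link rel="openid2.provider" href="https://op.example/auth">'
        '<link rel="openid2.local_id" href="https://op.example/id/4f7c9a"></head></html>'
    ),
    "https://bob.example/": (  # no delegation: OP-local identifier == claimed
        '<html><head><link rel="openid2.provider" href="https://op.example/auth"></head></html>'
    ),
}


def fetch_page(url):
    return PAGES[url]


def assertion_for(claimed_id=None, identity=None, op_endpoint="https://op.example/auth"):
    """Build a constructed id_res query string as an OP would redirect it."""
    fields = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
              "openid.op_endpoint": op_endpoint}
    if claimed_id is not None:
        fields["openid.claimed_id"] = claimed_id
    if identity is not None:
        fields["openid.identity"] = identity
    return urlencode(fields)


def verify(query_string):
    """Verified claimed identifier, None, or a 'rejected: ...' string."""
    try:
        return check_assertion(parse_assertion(query_string), fetch_page)
    except ValueError as e:
        return f"rejected: {e}"
```

Running verify() over the constructed cases shows the point of the thread: alice.example verifies only when the OP asserts the exact local_id her page names, bob.example verifies with identity equal to claimed_id, an assertion carrying one field without the other is rejected, and one carrying neither verifies nothing at all.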


