[OpenID] Normalizing claimed identifier (remove the #?)

Peter Williams pwilliams at rapattoni.com
Fri Feb 29 18:25:46 UTC 2008


Fun to add querystring values onto the "return" claimed ID, e.g. an openid. Allows for all manner of bridging in various directions, with resulting 4 corner assurance models.

If an "intermediating" RP is also an OP, it can detect a certain form of claimed ID is returned by the downstream OP and ...now.. it asserts on its own account to the RP "site" mentioned in goto: "...#frag?goto=http://site".

Obviously, it adds "an evaluation" rating to the downstream OP, qualifying it for the benefit of site. Under normalization, it obviously strips the #frag on starting the second phase of the openid auth handshake.

The assurance of its own rating service depends on which SSL server cert it cites to the site-RP. No need for prior art search on the use of SSL server cert to attest to assurance level of the _service_ bound to an https endpoint. It's well researched.




From: Nat Sakimura
Sent: Fri 2/29/2008 9:08 AM
To: Markus Lanthaler
Cc: general at openid.net
Subject: Re: [OpenID] Normalizing claimed identifier (remove the #?)


Read 11.5.1.  Identifier Recycling.

The fragment is this.

The full URL with the fragment part constitutes the Claimed Identifier
in positive assertions and you must not strip it off. You have to
distinguish between the claimed identifier in authentication request
and the claimed identifier in the positive assertion. The
normalization is for the claimed identifier in authentication request.

=nat

2008/2/29, Markus Lanthaler <markus at silverstripe.com>:
> Hey all,
>
>  I just tested the new Yahoo OpenIDs. It seems that they are appending to all
>  their some ID, e.g. https://me.yahoo.com/markus.lanthaler gets
>  https://me.yahoo.com/markus.lanthaler#a5b3f. The problem I have is that I
>  don't know for what reason that fragment is appended and if I should strip
>  it before saving the URL (as it is stated in the spec:
>  http://openid.net/specs/openid-authentication-2_0.html#normalization).
>
>  That fragment is never shown to the user so it's difficult for an
>  administrator to set the OpenIDs for all the users if they cannot tell him
>  their full URL.
>  Any ideas why they do it that way? Any suggestions how I should handle them?
>
>
>  Thanks,
>  Markus
>
>  _______________________________________________
>  general mailing list
>  general at openid.net
>  http://openid.net/mailman/listinfo/general
>


-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
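An added example (not code from this thread or from any OpenID library) of the distinction Nat draws: the identifier typed at login is normalized with its fragment stripped, while the Claimed Identifier in the positive assertion is stored whole, so two owners of the same recycled URL stay separate accounts. The function and class names are hypothetical, the second fragment is a constructed value, and the assertion is assumed to have passed signature and discovery verification already.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_user_input(text):
    """Identifier typed at login: this is the form that gets normalized.

    Default the scheme to http, lowercase scheme and host, use "/" for an
    empty path, and drop the fragment together with the "#".
    """
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    p = urlsplit(text)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def without_fragment(claimed_id):
    """Fragment-less form, for discovery and for showing to the user."""
    return urlunsplit(urlsplit(claimed_id)._replace(fragment=""))


class AccountStore:
    """Hypothetical RP account table keyed on the asserted Claimed Identifier."""

    def __init__(self):
        self._accounts = {}

    def login(self, asserted_claimed_id):
        """Map an already verified positive assertion to (account_id, created)."""
        key = asserted_claimed_id  # full URL, fragment kept
        created = key not in self._accounts
        if created:
            self._accounts[key] = len(self._accounts) + 1
        return self._accounts[key], created


def demo():
    store = AccountStore()
    typed = normalize_user_input("https://me.yahoo.com/markus.lanthaler")
    first = store.login("https://me.yahoo.com/markus.lanthaler#a5b3f")
    again = store.login("https://me.yahoo.com/markus.lanthaler#a5b3f")
    # Constructed fragment: a later owner of the same recycled URL.
    later = store.login("https://me.yahoo.com/markus.lanthaler#0c91d")
    return typed, first, again, later


if __name__ == "__main__":
    print(demo())
```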