[OpenID] Calling OpenID 2.0 editors (was RE: Problems with OpenID and TAG httpRange-14)
Drummond Reed
drummond.reed at cordance.net
Wed Mar 5 03:55:41 UTC 2008
Three notes on this thread:

1) First, RE the issue as to whether specifying the redirect as the
canonical identifier when using a URL is "correct" under HTTP architecture:
I'm not an OpenID editor but I remember that there was a great deal of
discussion around this and there was a good reason (security as I recall)
that the final redirect needed to be treated as the claimed identifier. I
don't remember exactly what it was. Josh, David, and Johnny: can you chime
in here?

2) John and Eddy both pointed out that whatever the claimed identifier was,
it can be "overridden" by the OP in the response to the RP. In that case,
the intermediate redirects don't matter.

3) From a SemWeb standpoint, I believe the right answer is that ALL the
identifiers in the chain - the original identifier, all redirects, and any
"override" back from the OP - should all be considered synonyms for the
identified resource. In other words, rdf:sameAs statements.

=Drummond
_____
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Tuesday, March 04, 2008 3:22 PM
To: John Panzer
Cc: general at openid.net
Subject: Re: [OpenID] Problems with OpenID and TAG httpRange-14
John Panzer:
Some thoughts...
I own abstractioneer.org. Due to the vagaries of technology not under my
control, I'm forced to actually host content on a subdomain --
www.abstractioneer.org -- while maintaining a (302) redirect from
http://abstractioneer.org to http://www.abstractioneer.org. The latter
actually has the openid metadata. This will be true for all Blogger-hosted
blogs, so it's not just me. So there's some annoyance there, I apparently
must be known as www. That's not great.
What about when a page moves? Specifically, on Blogger if you acquire a
custom domain for your blog, your old x.blogger.com page redirects to the
new domain. The idea is to not break links, bookmarks, or other things that
depend on the URLs. So abstractioneer.blogspot.com currently redirects to
www.blogspot.com. But what if I had established an account as
abstractioneer.blogspot.com on some service, do the custom domain thing, and
then need to go back and log in to that service? If resolution works as
below, I can never authenticate as abstractioneer.blogspot.com. But if the
service remembered the URL I provided, I could choose, by providing
abstractioneer.blogspot.com or abstractioneer.org to the site depending on
the site.
Eddy wrote:
Does this matter at all? Because the OP must return the claimed ID anyway,
so what do we care which URL it gets directed to? If you enter
"abstractioneer.org" or "myid.abstractioneer.org" doesn't really matter if
discovery works correctly, since the claimed ID will return always
"myid.abstractioneer.org". Or do I miss the point here?
--
Regards
Signer: Eddy Nigg, StartCom <http://www.startcom.org> Ltd.
Jabber: startcom at startcom.org
Blog: Join the <http://blog.startcom.org> Revolution!
Phone: +1.213.341.0390