[OpenID] Calling OpenID 2.0 editors (was RE: Problems with OpenID and TAG httpRange-14)
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Sat Mar 8 02:04:12 UTC 2008
Brendan Taylor:
> On Fri, Mar 07, 2008 at 10:18:10AM -0800, Johnny Bufu wrote:
>
>> Perhaps you should explain why your assumption (user-supplied id ==
>> claimed_id) should supersede the spec (considering that without it
>> the spec stands).
>>
>
> This is *not* assumed. The user-supplied ID doesn't come into it at all.
>
> The claim is that a 303 is a special case, and that ID normalization should
> end when it receives one. (of course, the redirect still needs to be
> followed for discovery)
>
> Example:
>
> http://example.org/me 301 redirect to http://example.org/bct
> http://example.org/bct 303 redirect to http://example.org/about.html
> http://example.org/about.html 301 redirect to http://example.org/about
> http://example.org/about 200 OK with content that discovery can be
> performed on
>
> if the user enters http://example.org/me or http://example.org/bct:
> currently: claimed identifier = http://example.org/about
> proposed: claimed identifier = http://example.org/bct
>
> if the user enters http://example.org/about.html or http://example.org/about:
> both cases: claimed identifier = http://example.org/about
>
>
The underlying semantics of HTTP have nothing to do with the actual ID.
Even if http://example.org/about returns 200 OK, this doesn't have to be
the actual ID; instead the OP can also return something completely different
to the RP, like http://me.otherdomain.net/ for http://example.org/about.
As Johnny stated above: user-supplied id != claimed_id
It's the job of the OP to know what he's doing with each redirect and
not lose the information he is required to know in order to successfully
authenticate. Actually I think we shouldn't care at all about how many
and which redirects an OP might perform since it doesn't have any
meaning to OpenID (except secure transport layer of course).
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
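
The two normalization rules compared in the quoted message, as an added example that is not part of the original thread. The redirect table is constructed from the message's own example; `resolve`, `stop_at_303` and `MAX_HOPS` are hypothetical names, and the hop cap is an assumption.

```python
# Constructed redirect table, copied from the example in the quoted message.
# Maps URL -> (HTTP status, Location target or None).
REDIRECTS = {
    "http://example.org/me": (301, "http://example.org/bct"),
    "http://example.org/bct": (303, "http://example.org/about.html"),
    "http://example.org/about.html": (301, "http://example.org/about"),
    "http://example.org/about": (200, None),
}

MAX_HOPS = 10  # assumption: cap on chain length so a loop cannot run forever


def resolve(user_input, table=REDIRECTS, stop_at_303=False):
    """Walk the redirect chain; return (claimed_identifier, discovery_url).

    stop_at_303=False models the "currently" rows of the message: the
    claimed identifier is the final URL after every redirect.
    stop_at_303=True models the "proposed" rows: normalization ends at the
    first URL that answers 303, but the chain is still followed so that
    discovery runs on the final document.
    """
    url, claimed, seen = user_input, None, set()
    for _ in range(MAX_HOPS):
        if url in seen:
            raise ValueError("redirect loop at " + url)
        seen.add(url)
        if url not in table:
            raise LookupError("no response recorded for " + url)
        status, location = table[url]
        if status == 200:
            # If no 303 froze the identifier, the final URL is the identifier.
            return (claimed or url, url)
        if status in (301, 302, 303, 307):
            if stop_at_303 and status == 303 and claimed is None:
                claimed = url  # freeze the identifier, keep following
            url = location
        else:
            raise ValueError("unexpected status %d for %s" % (status, url))
    raise ValueError("too many redirects")


if __name__ == "__main__":
    for entered in REDIRECTS:
        print(entered, resolve(entered), resolve(entered, stop_at_303=True))
```

Whichever rule a relying party adopts, it has to apply the same one on every login, because the claimed identifier is the key under which the account is stored.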