[OpenID] Calling OpenID 2.0 editors (was RE: Problems with OpenID and TAG httpRange-14)

Peter Williams pwilliams at rapattoni.com
Thu Mar 13 19:41:00 UTC 2008


I do. OpenID says:

1. want to delegate? for an http URI? So, use the (security) metadata
provided for that very purpose. The place YOU stick the metadata is
authoritative - in the UCI model.

2. want to delegate? for an XRI URI? So, use the (security) metadata
provided for that very purpose. The place YOU stick the metadata is
authoritative - in the UCI model.

3. want to use either an XRI or an HXRN (for the same i-number) at an
RP, the behavior should be IDENTICAL (barring change of syntax)
regardless of whether XRI or HTTP resolution was applied.

I see you are back to "compliance is king": "security models must
comply".

You're back to saying: it's non-conforming, therefore it's wrong. OpenID
architects are saying: it's intentionally non-conforming (if it indeed is
such), and any protocol has the right to be operated in non-conforming
modes. Half the US govt uses its FIPS 140-1 compliant security servers
for net crypto [intentionally] in non-conforming mode! Being
"non-conforming" (but interoperable) is built into the very waiver
regulations and into the very protocol design.


> In this specific use case do you still think that OpenID is behaving
> correctly?
> 
> Thanks,
> 
> --
> Noah Slater <http://bytesexual.org/>