[OpenID] Combining Google & Yahoo user experience research

Johnny Bufu johnny.bufu at gmail.com
Tue Oct 21 17:30:53 UTC 2008


On Tue, Oct 21, 2008 at 08:58:13AM -0700, SitG Admin wrote:
> >RPs can, using no more than OpenID 2.0, perform OpenID discovery on
> >http(s)://user@example.com/
> 
> I don't think '@' is an allowable character in domain names. 

It is not part of the domain name -- the server component (== domain
name) follows it.

Per the URI RFCs, the '@' character is reserved in the authority component
exactly for the purpose of delimiting the "userinfo" sub-component. See
section 3.2 about the authority syntax, in both the old [1] (referenced
by HTTP 1.1 and OpenID 2.0) and new [2] (not referenced by HTTP 1.1, as
far as I can tell) URI RFCs.

So my suggestion seems to be in line with the intended purpose of URI
syntax for the authority part.

> Also, an 
> older version of Internet Explorer used to interpret that as a 
> pre-specified login name for authentication and would hold onto those 
> values (usually two, i.e. 'username:password@') waiting for a prompt, 
> but actually SEND the string AFTER the '@'. This was eventually 
> removed because it posed a security problem; phishers would use URLs 
> such as 'msn.com/account/login@badsite.com' and IE would simply 
> ignore everything preceding the '@'!

I don't think we should really be concerned with old and flawed
implementations, not when designing new stuff anyway.

Johnny

[1] http://www.ietf.org/rfc/rfc2396.txt
[2] http://www.ietf.org/rfc/rfc3986.txt
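The point at issue in the thread is where an '@' sits relative to the authority component of a URI, because that decides which host a fetch (an RP's discovery request, for instance) actually goes to. The following is an added example, not code from the thread or from any OpenID library: it splits a URI with the regular expression from RFC 3986 Appendix B, then splits the authority per section 3.2 (`[ userinfo "@" ] host [ ":" port ]`), so that the host a request is sent to can be compared with whatever a user was shown. The sample URIs are constructed for illustration; the bare-authority lookalike form (`http://msn.com@badsite.com/`) is my variant of the IE-era trick mentioned in the quoted message.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Regular expression for splitting a URI into its components, taken from
# RFC 3986, Appendix B. Group 2 = scheme, 4 = authority, 5 = path,
# 7 = query, 9 = fragment.
_URI_RE = re.compile(r"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?")


class Authority(NamedTuple):
    userinfo: Optional[str]
    host: str
    port: Optional[int]


def split_authority(authority: str) -> Authority:
    """Split an authority per RFC 3986 section 3.2.

    Neither userinfo nor host may contain a literal '@', so the first '@'
    (if any) is the userinfo delimiter; everything after it is the host
    (and optional port) that a request actually goes to.
    """
    userinfo: Optional[str] = None
    rest = authority
    if "@" in authority:
        userinfo, rest = authority.split("@", 1)

    port: Optional[int] = None
    if rest.startswith("["):
        # IP-literal (e.g. [::1]); the port, if present, follows the ']'.
        end = rest.find("]")
        host = rest[: end + 1]
        tail = rest[end + 1 :]
        if tail.startswith(":") and tail[1:].isdigit():
            port = int(tail[1:])
    else:
        host, sep, p = rest.rpartition(":")
        if sep:
            port = int(p) if p.isdigit() else None
        else:
            host = rest
    # Host names are case-insensitive (RFC 3986 section 3.2.2).
    return Authority(userinfo, host.lower(), port)


def parse_uri(uri: str) -> Tuple[Optional[str], Optional[Authority], str]:
    """Return (scheme, authority, path); authority is None when no '//' is present."""
    m = _URI_RE.match(uri)
    assert m is not None  # the Appendix B pattern matches any string
    scheme = m.group(2)
    authority = m.group(4)
    path = m.group(5)
    auth = split_authority(authority) if authority is not None else None
    return scheme, auth, path


def effective_host(uri: str) -> Optional[str]:
    """The host an HTTP client (e.g. an RP doing discovery) will connect to."""
    _, auth, _ = parse_uri(uri)
    return auth.host if auth is not None else None


def displayed_host_mismatch(uri: str, shown_to_user: str) -> bool:
    """True when the host actually contacted differs from the one a user was shown.

    A simple check a client or link-rendering layer can apply before
    fetching: compare the parsed host against the text presented as the site.
    """
    host = effective_host(uri)
    return host is not None and host != shown_to_user.lower()


if __name__ == "__main__":
    # Constructed sample URIs (not from any real deployment).
    samples = [
        "http://user@example.com/",                    # userinfo + host: the OpenID suggestion
        "http://msn.com/account/login@badsite.com",    # '@' after the first '/': it is in the path
        "http://msn.com@badsite.com/",                 # '@' inside the authority: host is after it
        "https://user:secret@[::1]:8443/id",           # userinfo, IPv6 literal and port
    ]
    for s in samples:
        scheme, auth, path = parse_uri(s)
        print(f"{s}\n  authority={auth} path={path!r} -> host {effective_host(s)}")
```

Two things the output makes concrete: the same visible text `msn.com ... @badsite.com` resolves to `msn.com` when the '@' is in the path but to `badsite.com` when it is in the authority, and an RP that performs discovery on `http://user@example.com/` will contact `example.com`, exactly as the message says. The `displayed_host_mismatch` helper is the kind of check a client that renders or trusts a URL should run against the parsed host rather than the raw string.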