[OpenID] [LIKELY_SPAM]Re: Combining Google & Yahoo user experience research
Peter Williams
pwilliams at rapattoni.com
Tue Oct 21 18:00:07 UTC 2008
http://www.ietf.org/rfc/rfc3986.txt clearly describes in modern language that the authority component (of hierarchical schemes) can allow the URI issuer to engage in certain forms of namespace delegation (consistent with law #4, I'd say) and that the generic "authority" can clearly have user@.
Given that the older HTTP URL scheme definition denies one the use of user@, I want to find modern text that specifically allows it these days.
There must be a modern definition of the "HTTP URL scheme", surely?
If not, we are struggling : as OpenID requires the use of "http" URIs. Presumably, this means those http URIs that are examples of the "HTTP URL scheme".
I don't see why OpenID should restrict itself to HTTP URL scheme semantics, tho, to be honest - any more than Netscape restricted itself on defined https (https is essentially : the HTTP URL scheme but with x y z differences in how the namespace authority delegation claim was to be practically tested by browsers (by relying on SSL certs))
-----Original Message-----
From: general-bounces@openid.net [mailto:general-bounces@openid.net] On Behalf Of Johnny Bufu
Sent: Tuesday, October 21, 2008 10:31 AM
To: SitG Admin
Cc: general@openid.net
Subject: [LIKELY_SPAM]Re: [OpenID] Combining Google & Yahoo user experience research
On Tue, Oct 21, 2008 at 08:58:13AM -0700, SitG Admin wrote:
> >RPs can, using no more than OpenID 2.0, perform OpenID discovery on
> >http(s)://user@example.com/
>
> I don't think '@' is an allowable character in domain names.
It is not part of the domain name -- the server component (== domain
name) follows it.
Per URI RFCs, the '@' character is reserved in the authority component
exactly for the purpose of delimiting the "userinfo" sub-component. See
section 3.2 about the authority syntax, in both the old [1] (referenced
by HTTP 1.1 and OpenID 2.0) and new [2] (not referenced by HTTP 1.1, as
far as I can tell) URI RFC.
So my suggestion seems to be in line with the intended purpose of URI
syntax for the authority part.
> Also, an
> older version of Internet Explorer used to interpret that as a
> pre-specified login name for authentication and would hold onto those
> values (usually two, i.e. 'username:password@') waiting for a prompt,
> but actually SEND the string AFTER the '@'. This was eventually
> removed because it posed a security problem; phishers would use URL's
> such as 'msn.com/account/login@badsite.com' and IE would simply
> ignore everything preceding the '@'!
I don't think we should really be concerned with old and flawed
implementations, not when designing new stuff anyway.
Johnny
[1] http://www.ietf.org/rfc/rfc2396.txt
[2] http://www.ietf.org/rfc/rfc3986.txt
_______________________________________________
general mailing list
general@openid.net
http://openid.net/mailman/listinfo/general
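The authority-splitting rule the thread argues about (RFC 3986 section 3.2: `[ userinfo "@" ] host [ ":" port ]`, with the authority ending at the first '/', '?' or '#') is shown below as an added example; it is not code from either poster or from any OpenID library. The function names `parse_uri` and `discovery_target` and the sample identifiers are assumptions made for illustration.

```python
import re

# RFC 3986 Appendix B regular expression. The authority (group 4) ends at
# the first '/', '?' or '#', so an '@' that appears after the first '/'
# is path data, not a userinfo delimiter.
_URI_RE = re.compile(r"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?")

# RFC 3986 section 3.2: authority = [ userinfo "@" ] host [ ":" port ].
# userinfo cannot contain '@' (section 3.2.1), so the first '@' delimits
# it; host is a reg-name, an IPv4 literal or a bracketed IPv6 literal.
_AUTHORITY_RE = re.compile(
    r"^(?:(?P<userinfo>[^@]*)@)?(?P<host>\[[^\]]*\]|[^:@]*)(?::(?P<port>\d*))?$"
)


def parse_uri(uri):
    """Split a URI into its RFC 3986 components; the host is lower-cased."""
    m = _URI_RE.match(uri)
    parts = {"scheme": m.group(2), "userinfo": None, "host": None,
             "port": None, "path": m.group(5), "query": m.group(7)}
    authority = m.group(4)
    if authority is not None:
        a = _AUTHORITY_RE.match(authority)
        if a is None:  # e.g. two '@' signs: not a valid authority at all
            raise ValueError(f"malformed authority: {authority!r}")
        parts["userinfo"] = a.group("userinfo")
        parts["host"] = a.group("host").lower()
        parts["port"] = int(a.group("port")) if a.group("port") else None
    return parts


def discovery_target(uri):
    """Return (host, userinfo) that a relying party resolves for an identifier.

    The RP connects to the host component only; userinfo is data carried
    by the identifier and must never be mistaken for the name looked up.
    """
    p = parse_uri(uri)
    if p["scheme"] not in ("http", "https"):
        raise ValueError("OpenID identifiers must be http(s) URIs")
    return p["host"], p["userinfo"]


if __name__ == "__main__":
    # The identifier form from the thread: host is example.com, userinfo "user".
    print(discovery_target("http://user@example.com/"))
    # The IE example from the thread, parsed per RFC 3986: the first '/'
    # ends the authority, so the host is msn.com and the '@' is in the path.
    print(parse_uri("http://msn.com/account/login@badsite.com"))
```

A parser that instead scans for the last '@' anywhere in the string is the behaviour the thread describes as a phishing problem; the RFC grammar above makes that mistake impossible, and rejects authorities with more than one '@'.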