[OpenID] Combining Google & Yahoo user experience research
Peter Williams
pwilliams at rapattoni.com
Wed Oct 22 12:55:17 UTC 2008
The text is not well written in this area.
By way of just one criticism, the text implies that
(a) the OP local Identifier is recovered by YADIS (doesn't say what happens when missing) from an XRDS that may be hosted/managed by an OP (or not).
(b) used in openid.identifier request field
(c) is an OP Local Identifier
(d) an OP Local Identifier is... local to an OP. It's supposed to be an alternative "Identifier" (and thus an http URI, perhaps conforming to the HTTP URL scheme, or not).
The normal meaning of "local" in security engineering... is that open protocol endpoints do not base their interworking procedures upon it, though either end may apply it, and a protocol message may communicate it (opaquely).
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Martin Atkins
Sent: Tuesday, October 21, 2008 7:36 PM
To: Allen Tom
Cc: general at openid.net
Subject: Re: [OpenID] Combining Google & Yahoo user experience research
Allen Tom wrote:
> Hi Martin,
>
> The Yahoo OP returns the OpenID URL of the authenticated user in the
> response, so the RP does know who the user is. I believe that this is
> consistent with the OpenID 2.0 spec.
>
The inconsistency I'm referring to is that, at least at the time I
tested it, Yahoo!'s endpoint did not look at the openid.identity request
field and check that the authenticated user is the same as the user
identified by the identity.
In the directed identity case a magic value for openid.identity is sent,
but otherwise a particular user will be identified here who may or may
not be the same user that authenticates.
Other OPs (for example, LiveJournal's) will respond in this situation by
returning an error message along the lines of "You entered the wrong
identifier. Your identifier is ...".
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
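The check Martin describes (the OP comparing the openid.identity field of a checkid_* request against the user who actually authenticated, with the directed-identity "magic value" as the exception), together with the corresponding check on the RP side, as an added example. This is not code from the thread, from Yahoo!, LiveJournal, or any OpenID library; the account names, OP-local identifier URLs and request strings are constructed for illustration, and the assertion-signature verification that an RP must do first is assumed to have happened already.

```python
from urllib.parse import parse_qsl

# Defined by OpenID Authentication 2.0 (section 9.1) for directed identity:
# the RP asks the OP to choose the identifier for whoever logs in.
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed mapping of logged-in account -> OP-local identifier (assumption).
OP_LOCAL_IDS = {
    "alice": "https://op.example/id/alice",
    "bob": "https://op.example/id/bob",
}


def parse_openid_fields(query):
    """Return the openid.* fields of a request or response query string as a dict."""
    return dict(parse_qsl(query, keep_blank_values=True))


def op_authorize(request_fields, authenticated_user):
    """OP-side decision for a checkid_setup / checkid_immediate request.

    Returns ("ok", identity) when an assertion may be issued, or
    ("error", message) when the OP should refuse, as LiveJournal does
    when the requested identifier is not the logged-in user's.
    """
    mode = request_fields.get("openid.mode")
    if mode not in ("checkid_setup", "checkid_immediate"):
        return ("error", "unsupported openid.mode")
    requested = request_fields.get("openid.identity")
    if requested is None:
        return ("error", "missing openid.identity")
    actual = OP_LOCAL_IDS.get(authenticated_user)
    if actual is None:
        return ("error", "no OP-local identifier for this account")
    if requested == IDENTIFIER_SELECT:
        # Directed identity: the OP picks the identifier of the user who logged in.
        return ("ok", actual)
    if requested != actual:
        # The check the thread says Yahoo!'s endpoint skipped at the time:
        # a specific user was named in the request, and somebody else logged in.
        return ("error",
                "You entered the wrong identifier. Your identifier is " + actual)
    return ("ok", actual)


def rp_check_identity(sent_identity, response_fields):
    """RP-side check on a positive assertion (run after verifying the signature).

    Returns "accept" when the asserted identity is the one the RP asked for,
    "discover" when directed identity was used and the RP still has to run
    discovery on the returned openid.claimed_id before trusting it, and
    "reject" otherwise (e.g. an OP that asserts a user the RP never named).
    """
    asserted = response_fields.get("openid.identity")
    claimed = response_fields.get("openid.claimed_id")
    if asserted is None or claimed is None:
        return "reject"
    if sent_identity == IDENTIFIER_SELECT:
        return "discover"
    return "accept" if asserted == sent_identity else "reject"


if __name__ == "__main__":
    # Constructed request naming alice; bob is the one who logs in.
    req = parse_openid_fields(
        "openid.mode=checkid_setup"
        "&openid.identity=https%3A%2F%2Fop.example%2Fid%2Falice"
        "&openid.claimed_id=https%3A%2F%2Fop.example%2Fid%2Falice")
    print(op_authorize(req, "bob"))      # ('error', 'You entered the wrong identifier. ...')
    print(op_authorize(req, "alice"))    # ('ok', 'https://op.example/id/alice')
```

The RP-side "reject" branch is the safety net when an OP behaves as Yahoo!'s did: the OP may well assert the correct user, but the RP must not assume the user it named in the request is the one being asserted.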