[OpenID] Claimed Identifiers and Query String Parameters

SitG Admin sysadmin at shadowsinthegarden.com
Wed Sep 3 21:04:44 UTC 2008


>I don't understand your distinction between claimed Id and final ID. 
>In the case of https://me.yahoo.com/ my understanding is that URL is 
>not the claimed id.  The claimed id will be returned in the positive 
>assertion.

My understanding of what Yahoo! has done is limited, but the basic 
objection my mind gave to the logic was when, in transition from v1 
to v2, we started losing track of what the user originally entered. I 
use (and insist on) cookies to keep track of the user so this can be 
remembered, because it just seems wrong to me that the user can type 
in a value that is critical to identifying them, and then we forget 
what that was by the time we have the new value that we're now being 
told is their *real* identity.

My understanding now seems incorrect in light of what Martin Atkins said:

>The specification distinguishes between an OpenID Identifier and an 
>"OP Identifier"; http://me.yahoo.com/ is the latter. As the spec 
>describes, when the user enters an OP identifier the user's 
>identifier temporarily becomes a magic value given in the spec and 
>is later set to be the identifier provided by the OP in the positive 
>assertion.

The trick here is this - how do we ascertain when the user has 
entered a string into the single field we provide them with, that 
they have just entered an "OP Identifier" instead of their OpenID 
Identifier?

My expectation is that the value entered will BE their OpenID 
Identifier (or URI), and I can keep track of them this way even if 
their OP later (in the process) says "Actually, use *this* instead." 
(an anonymity trick, but one that shouldn't work since the user only 
gets to that point after explicitly admitting its original URI to our 
RP!)

-Shade
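
Added example, not part of the original message: under OpenID Authentication 2.0 the RP tells the two cases apart from the XRDS document it discovers at the entered URL, searching first for an OP Identifier Element (Type `.../auth/2.0/server`) and then for a Claimed Identifier Element (`.../auth/2.0/signon`). The sketch also shows the rediscovery check an RP applies to the identifier an OP asserts after `identifier_select`. All URLs and the `discover` callable are hypothetical, the XRDS samples are constructed, and service priority ordering is ignored.

```python
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"
OP_IDENTIFIER = "http://specs.openid.net/auth/2.0/server"   # OP Identifier Element
CLAIMED_ID = "http://specs.openid.net/auth/2.0/signon"      # Claimed Identifier Element
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

def classify(entered, xrds_text):
    """Return (kind, op_endpoint, claimed_id to send in the auth request)."""
    # A production RP should parse untrusted XRDS with a hardened XML parser.
    found = {}
    for svc in ET.fromstring(xrds_text).iter(XRD + "Service"):
        uri = (svc.findtext(XRD + "URI") or "").strip()
        for t in svc.findall(XRD + "Type"):
            found.setdefault((t.text or "").strip(), uri)
    if OP_IDENTIFIER in found:        # searched first, per the 2.0 spec
        return "op_identifier", found[OP_IDENTIFIER], IDENTIFIER_SELECT
    if CLAIMED_ID in found:           # the entered URL is the Claimed Identifier
        return "claimed_identifier", found[CLAIMED_ID], entered
    raise ValueError("no OpenID 2.0 service in discovered document")

def assertion_is_authoritative(asserted_claimed_id, asserting_endpoint, discover):
    """After identifier_select, rediscover the asserted ID and compare endpoints."""
    kind, endpoint, _ = classify(asserted_claimed_id, discover(asserted_claimed_id))
    return kind == "claimed_identifier" and endpoint == asserting_endpoint

def _xrds(type_uri, endpoint):
    """Build a constructed single-service XRDS document."""
    return ('<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>'
            f'<Service><Type>{type_uri}</Type><URI>{endpoint}</URI></Service>'
            '</XRD></xrds:XRDS>')

# Constructed sample data: hypothetical OP and user URLs.
SAMPLE = {
    "https://op.example/": _xrds(OP_IDENTIFIER, "https://op.example/endpoint"),
    "https://op.example/user/alice": _xrds(CLAIMED_ID, "https://op.example/endpoint"),
    "https://someone-else.example/": _xrds(CLAIMED_ID, "https://other-op.example/endpoint"),
}

if __name__ == "__main__":
    for url, doc in SAMPLE.items():
        print(url, "->", classify(url, doc))
```

The rediscovery step is what keeps an OP from asserting an identifier it is not authoritative for: the asserted URL must itself point back at the endpoint that sent the assertion.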


