[OpenID] http and https...again
Andrew Arnott
andrewarnott at gmail.com
Mon Sep 8 21:28:04 UTC 2008
I am very much in favor of OPs normalizing their identifiers.
But I daresay that if a user adds ?a=1 to a user identifier, he's not your
average joe-blow user and knows exactly what he's doing. Nothing wrong with
that. If the user wants to splinter his identity by adding query args, he
should be free to do so, just as much as username/password doesn't prevent a
user from creating to user accounts.
On Mon, Sep 8, 2008 at 1:49 PM, Joe Tele <pnwtele at yahoo.com> wrote:
> Yes, it has nothing to do with fragments or recycling. It has to do with
> inconsistencies with how OPs normalize (or not) their user's claimed ids
> from user supplied indentifiers. Verisign does nothing. These are types of
> things which could be argued as "features" or "bugs" but in my opinion could
> result in user base confusion (and RP confusion).
>
>
> --- On Mon, 9/8/08, SitG Admin <sysadmin at shadowsinthegarden.com> wrote:
>
> > From: SitG Admin <sysadmin at shadowsinthegarden.com>
> > Subject: Re: [OpenID] http and https...again
> > To: "Joe Tele" <pnwtele at yahoo.com>
> > Cc: general at openid.net
> > Date: Monday, September 8, 2008, 1:38 PM
> > >http://openid.net/pipermail/general/2008-September/005426.html
> >
> > I don't know about Verizon, but your reference to a
> > user typing in
> > this extra information is a clue that this doesn't have
> > to do with
> > generation fragments (distinguishing between successive
> > users with
> > the same URI). I'm thinking it's either a user
> > identification method
> > (such as Sun offers to assert "This is one of our
> > employees, but
> > we're not saying exactly who.") that tells the OP
> > (in this case,
> > Verizon) who the user is claiming to be (facilitating the
> > login flow)
> > without revealing anything meaningful about the user's
> > identity to
> > the RP, or something weird with how Verizon is resolving
> > claimed_id
> > (if the URI is different enough to not qualify as the same
> > user
> > anymore, you'd think Verizon's OP would detect that
> > and return an
> > error that the user did not exist).
> >
> > Are you getting these "?a=1" variables appended
> > by real users, or are
> > they just showing up in tests? If the former, I'd
> > assume it to be
> > there for a reason; if the latter, I'd contact Verizon
> > about it.
> >
> > -Shade
>
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20080908/9fd627c8/attachment-0002.htm>
More information about the general
mailing list