[OpenID] Delegation leading to new accounts on websites
Johnny Bufu
johnny.bufu at gmail.com
Fri Jul 10 18:40:50 UTC 2009
> On Tue, Jul 7, 2009 at 4:03 PM, Johnny Bufu <johnny.bufu at gmail.com> wrote:
> > Doesn't even have to be a URI even; what matters is that the OP issues
> > it, so they (can) have full control/authority over it if that's a
> > concern for them.
On Thu, Jul 09, 2009 at 01:20:07PM -0700, Breno de Medeiros wrote:
> It does need to be an URI (at least for OpenID). See the spec definition of
> identifiers.
That part was overspecified, mostly for keeping the spec simpler by
having all identifiers be a subclass of URI and at the expense of some
flexibility for the OPs (if they choose to be strict about this).
But from a practical / protocol point of view, the OPs are the only ones
that produce (issue) and consume (recognize/authenticate) delegate
identifiers, while the rest of the parties involved pass around and
compare them as opaque strings.
Johnny
More information about the general
mailing list