[OpenID] Delegation leading to new accounts on websites

John Bradley john.bradley at wingaa.com
Fri Jul 10 22:02:15 UTC 2009 

The spec is quite specific http: , https: URI or XRI.

I suspect that RPs that support XRI will be more forgiving.  Other  
libs may be using underlying libraries that are validating them as URL.

If that assumption had not been built into the spec any string would  
have been appropriate.

Some of those same assumptions break IRI as openID.

John B.
On 10-Jul-09, at 5:49 PM, John Panzer wrote:

> (What practical constraint does this impose on OPs -- which comes  
> down to asking, what strings would cause an exception when processed  
> by the set of existing RP libraries?  Is urn:isbn:0-486-27557-4  
> okay, for example?)
>
> On Fri, Jul 10, 2009 at 1:57 PM, Andrew Arnott  
> <andrewarnott at gmail.com> wrote:
> Johnny,
>
> I agree that RPs should treat them as opaque strings, but due to the  
> constraints in the spec, I can name at least a couple of .NET openid  
> libraries that would choke on openid.local_id values if they were  
> not XRIs or URIs.  I'm for loosening this up, but in the meantime,  
> OPs should please conform to this constraint to avoid breaking RPs.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the  
> death your right to say it." - S. G. Tallentyre
>
>
> 2009/7/10 Johnny Bufu <johnny.bufu at gmail.com>
>
> > On Tue, Jul 7, 2009 at 4:03 PM, Johnny Bufu  
> <johnny.bufu at gmail.com> wrote:
> > > Doesn't even have to be a URI even; what matters is that the OP  
> issues
> > > it, so they (can) have full control/authority over it if that's a
> > > concern for them.
>
> On Thu, Jul 09, 2009 at 01:20:07PM -0700, Breno de Medeiros wrote:
> > It does need to be an URI (at least for OpenID). See the spec  
> definition of
> > identifiers.
>
> That part was overspecified, mostly for keeping the spec simpler by
> having all identifiers be a subclass of URI and at the expense of some
> flexibility for the OPs (if they choose to be strict about this).
>
> But from a practical / protocol point of view, the OPs are the only  
> ones
> that produce (issue) and consume (recognize/authenticate) delegate
> identifiers, while the rest of the parties involved pass around and
> compare them as opaque strings.
>
>
> Johnny
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>

More information about the general mailing list