[OpenID] Directed Identity vs. "what the user typed"

SitG Admin sysadmin at shadowsinthegarden.com
Tue Mar 24 01:53:45 UTC 2009


>Stupid question:  Seems to me that the OP can deal with this, assuming
>that it does get the "user" part of the "user at domain.com" URL.

The user types in "user at domain.com" and submits this to the RP 
through their browser; the browser can't perform discovery on an 
E-mail address, so it strips off the 'user@' part and redirects the 
user to 'domain.com' where (presumably) the user will log in to their 
account (OR domain.com will do something appropriate with Directed 
Identity).

Here's the security question: if the user TYPED "user1 at domain.com", 
but is sent away to domain.com and comes back authenticating as 
"user2 at domain.com", who do you treat them as?

And here's a privacy question: if the RP discloses to someone typing 
in "user2" that "user1" has previously logged in at that same RP, 
have you just compromised user1's privacy?

Auto-fill is usually done browser-side, but this can be defeated by 
(partially) randomizing input field names. Stealing the session of 
someone who didn't realize they weren't logged out (or didn't have a 
chance to log themselves out, when someone else with physical access 
to their network pulled the plug) can't be completely addressed 
RP-side, but there are a few cheap tricks we can put in place that 
*might* stop a careless attacker (such as terminating the session if 
a known user suddenly enters another ID; this goes beyond just 
auto-logout for user1 if they ask to be logged in as user2, because 
Directed Identity might send them back as user1 and we're lucky to 
get that *one* clue they might not *be* user1), at least until they 
figure out the right URI to type in and go back to the OP that still 
recognizes them as user1.

Trying to think of ways to improve security in remote homes (where we 
have no physical access, and must assume that attackers do) occupies 
a disproportionate amount of my time for the feeble difference it can 
make, in my opinion.

-Shade



More information about the general mailing list
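As an added illustration of the RP-side decisions the post raises (not code from the post, nor from any OpenID library): a small relying-party model that reduces "user1 at domain.com" to the URL discovery actually runs on, terminates an existing session when a known user enters a different identifier before the redirect, identifies the returning user by the OP-asserted claimed identifier rather than by what was typed, and keeps the message shown on return constant so it reveals nothing about whether the typed identifier belongs to a known account. Discovery is faked with a constructed in-memory table, the assertion is assumed to be signature-verified already, and all hostnames, endpoints and the `ok`/`ok-mismatch`/`rejected` outcome codes are assumptions made for this example.

```python
"""Relying-party handling of "what the user typed" vs. the identity the OP asserts.

Added example, not code from the list post or from any OpenID library.
Assumptions: discovery is faked with an in-memory table, the OP's positive
assertion has already been signature-checked, and the RP follows the
OpenID 2.0 rule of identifying the user by the asserted claimed_id only
after re-confirming that the asserting OP is authoritative for it.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed stand-in for discovery: identifier -> authoritative OP endpoint.
DISCOVERY = {
    "https://domain.com/": "https://domain.com/openid",
    "https://domain.com/user1": "https://domain.com/openid",
    "https://domain.com/user2": "https://domain.com/openid",
    "https://evil.example/": "https://evil.example/openid",
}
# Assumed: typing an address lands on this OP Identifier (directed identity).
OP_IDENTIFIERS = {"https://domain.com/"}

# Constant wording, so the browser never learns whether the typed identifier
# matches a known account (the privacy question in the post).
NEUTRAL_MESSAGE = "Signed in with the identity confirmed by your provider."


@dataclass
class Session:
    user: Optional[str] = None   # verified claimed_id of the logged-in user
    typed: Optional[str] = None  # identifier that started the current login


@dataclass
class Assertion:
    """Positive assertion from the OP; signature assumed already verified."""
    claimed_id: str
    op_endpoint: str


def normalize_typed(identifier: str) -> str:
    """Reduce what the user typed to the URL discovery will run on.

    'user1@domain.com' keeps only 'domain.com': the local part is at most a
    hint for the OP and is never treated as an identity by the RP.
    """
    s = identifier.strip()
    if "@" in s and "://" not in s:
        s = s.split("@", 1)[1]
    if "://" not in s:
        s = "https://" + s
    u = urlparse(s)
    return f"{u.scheme}://{u.netloc.lower()}{u.path or '/'}"


def start_login(session: Session, typed: str) -> Session:
    """Begin a login.

    A session already bound to user A that now asks for identifier B is
    terminated outright, not carried along, so a directed-identity round trip
    that comes back as A again starts from a cold session.
    """
    target = normalize_typed(typed)
    if session.user is not None and session.user != target:
        session = Session()
    session.typed = target
    return session


def finish_login(session: Session, a: Assertion) -> Tuple[Session, str, str]:
    """Complete a login; returns (new session, outcome code, user message).

    'Who do you treat them as?': the asserted claimed_id, and only once the
    asserting OP is shown to be authoritative for it.
    """
    if DISCOVERY.get(a.claimed_id) != a.op_endpoint:
        # The OP asserts an identifier it does not control: reject outright.
        return Session(), "rejected", "Sign-in could not be completed."
    typed = session.typed
    if typed is not None and typed not in OP_IDENTIFIERS and typed != a.claimed_id:
        # A specific identifier was typed but the OP returned another one.
        # The asserted identity still wins; the old binding is dropped and the
        # outcome code lets the RP log the mismatch while the message stays neutral.
        return Session(user=a.claimed_id), "ok-mismatch", NEUTRAL_MESSAGE
    return Session(user=a.claimed_id, typed=typed), "ok", NEUTRAL_MESSAGE
```

The outcome code is for the RP's own logs; the user-facing strings are deliberately identical for `ok` and `ok-mismatch`, and the rejection message does not say which identifier failed.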