[OpenID] Proposal for email address in URL path as a valid OpenID

Breno de Medeiros breno at google.com
Thu May 7 01:03:21 UTC 2009


The site http://code.google.com/p/webfinger/wiki/WebFingerProtocol
already explains how this gets safely encoded. See the example.

On Wed, May 6, 2009 at 5:55 PM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>> Additionally, while username@ is allowed before the domain, the @
>> character is not allowed as part of the URL path.
>
> But it automatically gets translated (into %##) if necessary, right? I've
> seen websites accept the '@' symbol when submitted as form input through
> GET; even when the URL is a blind request from no previous page or
> previously established session.
>
> Doing this seems easier than telling users to type in their E-mail address,
> except with a different symbol suddenly being substituted for '@'.
>
> As for the trust issues - I don't like the idea of RP's sending fake "users"
> to large SP's, asking for the XRD file corresponding to a given address, and
> learning from the response (or lack thereof) whether the E-mail address in
> question *existed*. But without that, how would SP's know whether to forward
> the "user" to the OP associated with that address? (Assume non-webmail SP's,
> where the existing authentication is not saved in a form traditional browsers
> would understand.)
>
> I have a vague idea of security through burying RP's in an avalanche of
> needles (naming various OP's for nonexistent addresses, in proportions drawn
> from real users, not worrying about "users" who weren't real in the first
> place trying to authenticate with an OP they had no account at), but it
> doesn't fail gracefully for ordinary users who make a typo on their address,
> and the proportions would enable RP's to map out demographics for that SP's
> users without even knowing any real addresses, and the data would probably
> have to stay consistent from request to request to be believable, requiring
> obscene data storage capabilities at the SP.
>
> -Shade
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
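The encoding question in the quoted exchange (whether '@' in a URL path is safe, versus '@' ahead of the host meaning userinfo) can be made concrete with a small round-trip. This is an added example, not code from the WebFinger page or the OpenID project; the base URL and the path layout are constructed for illustration and are not the WebFinger template.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed discovery endpoint for the example; not the WebFinger layout.
BASE = "http://sp.example.net/xrd/"


def identifier_to_path_url(email: str) -> str:
    """Embed an e-mail address in the URL path.

    quote() with safe='' escapes every reserved character, so '@' becomes
    %40 and a '/' or '?' in a hostile local part cannot break out of the
    path segment or start a query string.
    """
    return BASE + quote(email, safe="")


def path_url_to_identifier(url: str) -> str:
    """Recover and sanity-check the address from the last path segment."""
    parts = urlsplit(url)
    if parts.username is not None:
        # An '@' that landed ahead of the host is userinfo, not our data.
        raise ValueError("identifier ended up in the authority component")
    ident = unquote(parts.path.rsplit("/", 1)[-1])
    local, _, domain = ident.partition("@")
    if ident.count("@") != 1 or not local or not domain:
        raise ValueError("not a plain user@domain identifier")
    return ident


def is_misparsed(url: str) -> bool:
    """True when an unencoded address was spliced in as userinfo."""
    return urlsplit(url).username is not None
```

The parser tolerates a raw '@' inside the path, but only the percent-encoded form is unambiguous to every URL library, which is why the linked page encodes it.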