On 12/13/06, <b class="gmail_sendername">Martin Atkins</b> <<a href="mailto:mart@degeneration.co.uk">mart@degeneration.co.uk</a>> wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Rabbit wrote:<br>> On 12/13/06, Daniel E. Renfer <<a href="mailto:Duck@kronkltd.net">Duck@kronkltd.net</a>> wrote:<br>>> First off, the problem with using localhost as your identity is the RP<br>>> and OP have to be able to resolve 'localhost' to be the same IP
<br>>> address.<br><br>While I guess you could in theory dream up another system where this<br>isn't the case, the OpenID protocol as currently specified requires the<br>RP to retrieve the identifier URL, and thus the identifier URL must be
<br>accessible to the RP.<br><br></blockquote></div><br>I think it would really be *bad* for OpenID if it were possible to use localhost as your identity. It's the equivalent of saying "I am me". It provides no useful information and does not provide any identity.
<br><br>Imagine trying to get into a club and the bouncer is checking IDs. If everyone just says to him "I am me" and he lets them in, what's the point of checking IDs in the first place? The benefit of OpenID comes from the site that's authenticating you being able to be sure that you own a certain URL. *Everyone* owns their localhost, so it's a no-brainer. Like Daniel said - if you want to use your own machine to serve your identity, attach a dynamic domain name to it.
<br><br>If you enable "localhost" to be a valid OpenID, it will either a) immediately become useless as it becomes universally banned because of spammers using "localhost" to authenticate themselves, or b) open the door for spammers to render OpenID completely useless.
<br><br>Jeremy<br>