<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
        {mso-style-priority:99;
        mso-style-link:"Plain Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.5pt;
        font-family:Consolas;}
span.PlainTextChar
        {mso-style-name:"Plain Text Char";
        mso-style-priority:99;
        mso-style-link:"Plain Text";
        font-family:Consolas;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>> "Identifiers distinguished only by the 'http'
vs. 'https' in the<o:p></o:p></p>
<p class=MsoPlainText>> protocol part of the URL (e.g.
'https://foo.bar.com/' vs 'http://<o:p></o:p></p>
<p class=MsoPlainText>> foo.bar.com/') refer to the same identity.
Conforming implementations<o:p></o:p></p>
Conforming implementations<o:p></o:p></p>
<p class=MsoPlainText>> must ensure that attackers cannot use an identifier
distinguished only<o:p></o:p></p>
<p class=MsoPlainText>> by the protocol to impersonate a victim."<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>I can type any of the following into the openid field,
and some but not all are the same "identity" in the current concept
(unless your change is adopted). Your suggestion would address the http/https
URI overloading. It doesn’t address the difference between the HXRI-resolver
form and the XRI-resolver form of the same naming authority record.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>http://xri.net/=Drummond<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>https://xri.net/=Drummond<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>=Drummond<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>XRI.net/=Drummond<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>This is not new. Support for what I’m re-saying is at<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>"and the Authentication
i-service would somehow have to make sure that =Drummond and
http://xri.net/=Drummond are actually treated as the same identity, not
separate ones. Maybe this can be done with OpenID delegation.<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>I am not sure if this really
works, it's just an idea. <o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>Markus"
[http://www.oasis-open.org/archives/xri/200704/msg00050.html]<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>----------------------<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>The issue now goes the other way around, post Auth #10,
too.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>MyOpenID can note that I authorized release of
attributes to return_to=https://peter. In Auth #10+, the return_to is subject
to mandatory discovery, of course. If http://peter (not https...) subsequently
asks for those attributes, it should be treated as a different supplicant. And
Peter (the paranoid pleb) would also argue that if the server cert of
https://peter has changed since the last time this return_to was cited as a
trusted realm endpoint, then once again it’s a different supplicant.
Depending on the level of paranoia (and on which assurance level of a PKI-based
trust network is in effect), different cert chains supporting the same server
cert can identify a different supplicant too.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
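<p class=MsoPlainText>The two comparisons argued over in the message above (whether the four
spellings of =Drummond collapse to one identity, and whether http://peter and
https://peter are the same return_to) as a stand-alone worked example. This
is added illustration code, not part of the message or of any OpenID/XRI
implementation. It assumes the identifier-normalization rules of OpenID
Authentication 2.0 section 7.2 (strip xri://, detect XRIs by a leading global
context symbol, prepend http:// to bare URLs), an exact scheme/host/port match
for return_to against realm, and a hypothetical local policy table
HXRI_PROXY_HOSTS naming xri.net as an HXRI proxy resolver. The two policy
switches, fold_scheme and fold_hxri, are there to show that folding http/https
(the quoted change) still leaves the HXRI-vs-XRI split unaddressed.<o:p></o:p></p>

```python
from urllib.parse import urlsplit, urlunsplit

# Global Context Symbols that mark an input as an XRI (OpenID Auth 2.0 s.7.2).
XRI_GCS = "=@+$!("

# Hosts treated as HXRI proxy resolvers. Hypothetical policy table for this
# example; not taken from the message or from any specification.
HXRI_PROXY_HOSTS = {"xri.net"}


def normalize_identifier(user_input, fold_scheme=False, fold_hxri=False):
    """Return the key under which what the user typed is treated as an identity.

    fold_scheme: treat http:// and https:// forms of a URL as one key
                 (the change quoted at the top of the message).
    fold_hxri:   additionally treat an HXRI such as http://xri.net/=name as
                 the XRI =name (the gap the message says the change leaves).
    """
    s = user_input.strip()
    if s[:6].lower() == "xri://":
        s = s[6:]                       # canonical XRIs carry no xri:// prefix
    if s and s[0] in XRI_GCS:
        return s                        # an XRI: resolved via XRI, not HTTP

    if "://" not in s:
        s = "http://" + s               # a bare URL gets an http:// scheme
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    path = parts.path or "/"

    # HXRI form: proxy-resolver host whose path starts with an XRI symbol.
    if fold_hxri and host in HXRI_PROXY_HOSTS and len(path) > 1 and path[1] in XRI_GCS:
        return path[1:]                 # http(s)://xri.net/=name -> =name

    if fold_scheme and scheme in ("http", "https"):
        scheme = "http"                 # collapse the http/https distinction
    netloc = host if parts.port is None else "%s:%d" % (host, parts.port)
    return urlunsplit((scheme, netloc, path, parts.query, ""))  # fragment dropped


def same_identity(a, b, **policy):
    """True when two user inputs map to one identity under the given policy."""
    return normalize_identifier(a, **policy) == normalize_identifier(b, **policy)


def return_to_matches_realm(return_to, realm):
    """Check a return_to against the realm a prior attribute release was tied to.

    Scheme, host and port must match exactly and the realm path must be a
    prefix of the return_to path, so http://peter is a different supplicant
    from https://peter. Wildcard realms (http://*.example.com/) are not handled.
    """
    rt, rl = urlsplit(return_to), urlsplit(realm)
    if rt.scheme.lower() != rl.scheme.lower():
        return False
    if (rt.hostname or "").lower() != (rl.hostname or "").lower():
        return False
    if rt.port != rl.port:
        return False
    return (rt.path or "/").startswith(rl.path or "/")


# The four spellings from the message, as constructed sample input.
FORMS = [
    "http://xri.net/=Drummond",
    "https://xri.net/=Drummond",
    "=Drummond",
    "XRI.net/=Drummond",
]


def distinct_identities(forms, **policy):
    """Number of distinct identity keys the given inputs produce under a policy."""
    return len({normalize_identifier(f, **policy) for f in forms})


if __name__ == "__main__":
    for policy in ({}, {"fold_scheme": True}, {"fold_scheme": True, "fold_hxri": True}):
        print(policy or "strict", distinct_identities(FORMS, **policy), "identities")
    print("http://peter/cb vs realm https://peter/:",
          return_to_matches_realm("http://peter/cb", "https://peter/"))
```

<p class=MsoPlainText>Under the strict policy the four spellings give three keys (the two
http/https HXRIs differ, the bare XRI differs, and the scheme-less one is
just the http HXRI); folding the scheme brings that down to two, and only the
extra HXRI fold brings it to one. The return_to check is deliberately
scheme-sensitive for the reason the message gives.<o:p></o:p></p>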
</div>
</body>
</html>