<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
h3
        {mso-style-priority:9;
        mso-style-link:"Heading 3 Char";
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:13.5pt;
        font-family:"Times New Roman","serif";
        color:black;
        font-weight:bold;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
span.Heading3Char
        {mso-style-name:"Heading 3 Char";
        mso-style-priority:9;
        mso-style-link:"Heading 3";
        font-family:"Cambria","serif";
        color:#4F81BD;
        font-weight:bold;}
span.info
        {mso-style-name:info;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;
        color:black;}
span.EmailStyle22
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>This is now true.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Using the delegation flow path, the owner can indirectly signal
any URI one wants. It doesn’t need to resolve.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The delegate value coming back can be <a
href="http://?PPDURI=ftp://user:passwrd@something.com/#me&amp;query">http:///?PPDURI=ftp://user:passwrd@something.com/#me&amp;query</a>=....
If one wants.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> general-bounces@openid.net
[mailto:general-bounces@openid.net] <b>On Behalf Of </b>Eddy Nigg (StartCom
Ltd.)<br>
<b>Sent:</b> Monday, September 24, 2007 4:06 AM<br>
<b>To:</b> Stephane Bortzmeyer<br>
<b>Cc:</b> OpenID List<br>
<b>Subject:</b> Re: [OpenID]Reconsidering http://openid different from
https://openid<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>The 2.0 Spec draft ( <a
href="http://openid.net/specs/openid-authentication-2_0-12.html">http://openid.net/specs/openid-authentication-2_0-12.html</a>
) speaks about something different:<o:p></o:p></p>
<h3>Abstract<o:p></o:p></h3>
<p class=MsoNormal style='margin-bottom:12.0pt'>OpenID Authentication uses only
standard HTTP(S) requests and responses, so it does not require any special
capabilities of the User-Agent or other client software. OpenID is not tied to
the use of cookies or any other specific mechanism of Relying Party or OpenID
Provider session management. Extensions to User-Agents can simplify the end
user interaction, though are not required to utilize the protocol.<br>
<br>
and throughout the specs:<o:p></o:p></p>
<p class=MsoNormal>Identifier:<o:p></o:p></p>
<p class=MsoNormal style='margin-left:.5in'>An Identifier is either a
"http" or "https" URI, (commonly referred to as a
"URL" within this document), or an <a
href="http://openid.net/specs/openid-authentication-2_0-12.html#XRI_Syntax_2.0">XRI
(<span class=info>Reed, D. and D. McAlpin, “Extensible Resource Identifier
(XRI) Syntax V2.0,” .</span>)</a> [XRI_Syntax_2.0]. This document defines
various kinds of Identifiers, designed for use in different contexts.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<h3>7.2. Normalization<o:p></o:p></h3>
<p class=MsoNormal style='margin-bottom:12.0pt'># Otherwise, the input
SHOULD be treated as an http URL; if it does not include a "http" or
"https" scheme, the Identifier MUST be prefixed with the string <a
href="http://">"http://"</a>. If the URL contains a fragment part, it
MUST be stripped off. See Section 11.5.2 (HTTP and HTTPS URL Identifiers) for
more information. <o:p></o:p></p>
<h3>11.5.2. HTTP and HTTPS URL Identifiers<o:p></o:p></h3>
<p>Relying Parties MUST differentiate between URL Identifiers that have
different schemes. When end user input is processed into a URL, it is processed
into a HTTP URL. If the same end user controls the same URL, differing only by
scheme, and it is desired that the Identifier be the HTTPS URL, <b><u>it is
RECOMMENDED that a redirect be issued from the HTTP URL to the HTTPS URL</u></b>.
Because the HTTP and HTTPS URLs are not equivalent and the Identifier that is
used is the URL after following redirects, there is no foreseen reduction in
security when using this scheme. If an attacker could gain control of the HTTP
URL, it would have no effect on the HTTPS URL, since the HTTP URL is not ever
used as an Identifier except to initiate the discovery process. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal>-- <o:p></o:p></p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Regards <o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p class=MsoNormal> <o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Signer: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Eddy Nigg, <a href="http://www.startcom.org">StartCom Ltd.</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Jabber: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Blog: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal><a href="http://blog.startcom.org">Join the Revolution!</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Phone: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>+1.213.341.0390<o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p class=MsoNormal> <o:p></o:p></p>
</td>
</tr>
</table>
</div>
<p class=MsoNormal><br>
<br>
<br>
Stephane Bortzmeyer wrote: <o:p></o:p></p>
<pre>On Thu, Sep 20, 2007 at 03:55:14PM -0700,
 Paul C. Bryan <a href="mailto:email@pbryan.net">&lt;email@pbryan.net&gt;</a> wrote
 a message of 59 lines which said:
</pre>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>OpenID is built on the HTTP(s) protocol,<o:p></o:p></pre><pre> <o:p></o:p></pre></blockquote>
<pre>Checking the specification, it does not seem so. The specification
apparently only says that the identifier has to be resolvable (a URL,
not just any URI), which includes <a href="ftp://">ftp://</a> URLs (and <a href="gopher://">gopher://</a> :-)

That's why it would be a bad idea to make a special case for
http/https by saying that they must be the same. This would break the
simple rule that an identifier is any URL.
</pre>
<p class=MsoNormal><o:p> </o:p></p>
</div>
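<p class=MsoNormal>Added example, not code from this thread, from the OpenID 2.0 specification or from any OpenID library: the http/https branch of the Section 7.2 normalization quoted above, followed by the scheme and host checks a Relying Party applies so that http and https forms stay distinct Identifiers (Section 11.5.2), with the delegate value at the top of this message among the inputs that get rejected. The function names, the InvalidIdentifier class and the constructed sample inputs are this example's own. It departs from the literal 7.2 wording in one respect, as a deliberate choice: input that already names a scheme other than http or https is rejected instead of being prefixed with "http://", and XRI input is not handled at all.</p>
<pre>
```python
# Added example, not code from the OpenID list thread, the OpenID 2.0
# specification or any OpenID library: the http/https branch of Section
# 7.2 (Normalization) plus the Relying-Party-side checks that Section
# 11.5.2 calls for. XRI input ("=", "@", "xri://") is deliberately not
# handled. Function names and sample inputs are this example's own.
import re
from urllib.parse import urlsplit, urlunsplit

# RFC 3986 scheme syntax followed by "//": used to spot input that already
# carries an explicit scheme, so "ftp://..." is not turned into
# "http://ftp://..." by the 7.2 prefix rule.
_EXPLICIT_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*)://")


class InvalidIdentifier(ValueError):
    """Raised when input cannot become an acceptable http/https Identifier."""


def normalize_url_identifier(user_input):
    """Section 7.2, URL branch: prefix 'http://' when no http(s) scheme is
    given, then strip the fragment. Stricter than the literal wording in
    one respect (a design choice of this example, not the spec's rule):
    input that already names some other scheme is rejected outright."""
    text = user_input.strip()
    if not text:
        raise InvalidIdentifier("empty identifier")
    match = _EXPLICIT_SCHEME.match(text)
    if match is None:
        # 7.2: no http/https scheme present, so the input MUST be prefixed
        text = "http://" + text
    elif match.group(1).lower() not in ("http", "https"):
        raise InvalidIdentifier(f"scheme {match.group(1)!r} is not http or https")
    parts = urlsplit(text)
    # 7.2: a fragment part MUST be stripped off (urlsplit lowercases the scheme)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def check_url_identifier(url):
    """RP-side acceptance test for a normalized Identifier, or for a
    delegate value found during discovery: http/https only, a host must be
    present, and no user:password part. Returns the (scheme, host) pair so
    that callers key on both; per 11.5.2 the http and https forms of the
    same URL are different Identifiers and must never be merged."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise InvalidIdentifier(f"scheme {parts.scheme!r} is not http or https")
    if not parts.hostname:
        raise InvalidIdentifier("no host in identifier")
    if parts.username is not None or parts.password is not None:
        raise InvalidIdentifier("credentials embedded in identifier")
    return (parts.scheme, parts.hostname)


def same_identifier(a, b):
    """Exact comparison of two normalized Identifiers. 11.5.2: URLs that
    differ only in scheme are distinct, so no scheme-insensitive matching."""
    return normalize_url_identifier(a) == normalize_url_identifier(b)


def accept(user_input):
    """Normalize, then check; returns the normalized URL or raises."""
    url = normalize_url_identifier(user_input)
    check_url_identifier(url)
    return url


def is_acceptable(user_input):
    """True when the input normalizes to an Identifier this RP accepts."""
    try:
        accept(user_input)
    except InvalidIdentifier:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, plus the delegate value quoted in the thread.
    samples = [
        "example.com/alice#profile",
        "HTTPS://example.com/alice",
        "ftp://user:passwrd@something.com/#me",
        "http:///?PPDURI=ftp://user:passwrd@something.com/#me",
    ]
    for sample in samples:
        try:
            print(sample, ":", accept(sample))
        except InvalidIdentifier as exc:
            print(sample, ": rejected,", exc)
</pre>
<p class=MsoNormal>Running the module prints the normalized form of the first two inputs and a rejection for the other two: the ftp URL because its scheme is neither http nor https, and the delegate value from the top of this message because it has no host at all. The (scheme, host) pair returned by check_url_identifier is what an RP should store and compare, never a host alone, so that control of the http URL cannot be confused with control of the https one.</p>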
</div>
</body>
</html>