<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Max,<br>
<br>
Also, because the OpenID Authentication Request is not signed, we
really have no idea if the claimed RP is actually the RP that directed
the user to Yahoo. All we know is that the user does not want to sign
into the RP. Because the user elected to not sign into the RP, we do
not want to send the user back to the site. In fact, we don't even know
for sure where the user came from, as we can't really determine if the
openid.return_to matches the referrer.<br>
<br>
Section 10.2 of the OpenID 2.0 spec does not require OPs to send a
negative assertion to the RP.<br>
<br>
Allen<br>
<br>
<br>
Max Metral wrote:
<blockquote
cite="mid:E9DD5BE59E84CA4E87AE0E5E6F1B8B12381EA6@sbsrv.AALabs.local"
type="cite">
<div class="Section1">
<p class="MsoNormal">Whoa, I’m not sure if others have noticed this
or if I’ve
missed a memo, but if I go to Yahoo for an OpenID login, and then
change my
mind and say “I do not want to login”, they take me to <a
moz-do-not-send="true" href="http://www.yahoo.com">www.yahoo.com</a>!!!
What the heck is with that?
The user saying they don’t want to login is not the same as “I’m
done using that site, please sell me some advertised products on the
back of
OpenID traffic.”</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">Should the spec call this out?</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">--Max</p>
</div>
</blockquote>
<br>
</body>
</html>