<!doctype html public "-//W3C//DTD W3 HTML//EN">
<html><head><style type="text/css"><!--
blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 }
--></style><title>Re: [OpenID] Claimed Identifiers and Query String
Paramete</title></head><body>
<div>>No, heavens no! To consider the user-supplied
identifier their identity opens up huge security holes.</div>
<div><br></div>
<div>Yet that was my expectation, after looking at version 1.</div>
<div><br></div>
<div>>And as in the case of directed identity,</div>
<div><br></div>
<div>Yes, that was one of the terms! Thanks!</div>
<div><br></div>
<div>>the user who types in "<a
href="http://yahoo.com">yahoo.com</a>" has not revealed anything
about their "real identity" to the RP before the OP asserts
some "anonymous" URL to the RP.</div>
<div><br></div>
<div>Exactly the problem, if I want to discourage "anonymous"
URI's; and I can track this sort of thing by looking for multiple
entries in the database that all share the same typed-in URI, enabling
me to identify URL's that are being used for Directed Identity, and
mark them to be filtered before getting to the Consumer process. This
lets me explain things to the user *before* making them go through
their authentication with Yahoo! or whoever (and whoever may be using
one-time passwords, which would *really* annoy the user).</div>
<div><br></div>
<div>>You certainly don't want to consider "<a
href="http://yahoo.com">yahoo.com</a>" as the user's "real"
identity URL in this case or else all Yahoo users will share one
account on your RP.</div>
<div><br></div>
<div>If that were the *only* URL that I was using, yes ;)</div>
<div><br></div>
<div>>You really must use the OP's "use this instead"
URL. You'll never get the fragment if you ignore the OP's
assertion,</div>
<div><br></div>
<div>I assure you that I'm not ignoring it. I'm just using a standard
that suits my inadequate understanding by adding sanity checks and
erring in favor of not recognizing the same user when they switch
OP's. I figured this approach would give me time to improve my
understanding, and I wouldn't need to worry about things until I found
more than one entry with the same "use this instead" URL and
2 radically different "typed-in" URL's.</div>
<div><br></div>
<div>As described in my first reply to Joe Tele, the idea is to look
for (a hash of) the typed-in ("claimed") ID *and* the
Directed ("final") ID, requiring a match on *both* of those
strings to proceed. I designed mine this way because I didn't
understand what was going on with Directed Identity well enough to be
*certain* there weren't any risks in relying on just the Directed
identifier.</div>
<div><br></div>
<div>-Shade</div>
</body>
</html>