<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
h1
{margin-top:12.0pt;
margin-right:0in;
margin-bottom:3.0pt;
margin-left:0in;
page-break-after:avoid;
font-size:16.0pt;
font-family:Arial;}
h2
{margin-top:12.0pt;
margin-right:0in;
margin-bottom:3.0pt;
margin-left:0in;
page-break-after:avoid;
font-size:14.0pt;
font-family:Arial;
font-style:italic;}
h3
{margin-top:12.0pt;
margin-right:0in;
margin-bottom:3.0pt;
margin-left:0in;
page-break-after:avoid;
font-size:12.0pt;
font-family:Arial;}
h4
{margin-top:12.0pt;
margin-right:0in;
margin-bottom:3.0pt;
margin-left:0in;
page-break-after:avoid;
font-size:10.0pt;
font-family:"Times New Roman";
font-style:italic;}
p.MsoHeader, li.MsoHeader, div.MsoHeader
{margin:0in;
margin-bottom:.0001pt;
border:none;
padding:0in;
font-size:10.0pt;
font-family:Arial;}
p.MsoFooter, li.MsoFooter, div.MsoFooter
{margin:0in;
margin-bottom:.0001pt;
border:none;
padding:0in;
font-size:10.0pt;
font-family:Arial;}
p.MsoTitle, li.MsoTitle, div.MsoTitle
{margin-top:0in;
margin-right:0in;
margin-bottom:9.0pt;
margin-left:0in;
text-align:center;
font-size:16.0pt;
font-family:Arial;
font-weight:bold;}
p.MsoBodyText, li.MsoBodyText, div.MsoBodyText
{margin-top:0in;
margin-right:0in;
margin-bottom:6.0pt;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
p.MsoSubtitle, li.MsoSubtitle, div.MsoSubtitle
{margin-top:0in;
margin-right:0in;
margin-bottom:.25in;
margin-left:0in;
text-align:center;
font-size:12.0pt;
font-family:Arial;}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;}
p.Quote, li.Quote, div.Quote
{margin-top:0in;
margin-right:.5in;
margin-bottom:6.0pt;
margin-left:.5in;
font-size:12.0pt;
font-family:"Times New Roman";
font-style:italic;}
p.Wiki, li.Wiki, div.Wiki
{margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.Graphic, li.Graphic, div.Graphic
{margin-top:0in;
margin-right:0in;
margin-bottom:6.0pt;
margin-left:0in;
text-align:center;
font-size:10.0pt;
font-family:Arial;
font-style:italic;}
span.EmailStyle26
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
/* Page Definitions */
@page
{mso-endnote-separator:url("cid:header.htm\@01C90DA7.741284C0") es;
mso-endnote-continuation-separator:url("cid:header.htm\@01C90DA7.741284C0") ecs;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:372312136;
mso-list-template-ids:-1321334130;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=blue>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>+1 to RPs using the normalized Claimed
Identifier returned by the OP as their persistent key. As SitG says, this is
the only way to realistically deal with the OpenID recycling problem –
for the Claimed Identifier to have a fragment if it’s a URL or for it to
be an i-number if its an XRI.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>=Drummond <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> general-bounces@openid.net
[mailto:general-bounces@openid.net] <b><span style='font-weight:bold'>On Behalf
Of </span></b>Andrew Arnott<br>
<b><span style='font-weight:bold'>Sent:</span></b> Wednesday, September 03,
2008 8:53 AM<br>
<b><span style='font-weight:bold'>To:</span></b> SitG Admin<br>
<b><span style='font-weight:bold'>Cc:</span></b> general@openid.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [OpenID] Claimed
Identifiers and Query String Parameters</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>SitG said: make a hash of each claimed ID *and* final ID (since Yahoo
will declare a different actual ID) for lookup.<br>
<br>
SitG, I'm concerned about your terminology here. The Claimed Identifier
is the canonical identifier, and the only ID that Yahoo! or any other OP
asserts/declares. I don't know what this final ID is that you're talking
about, or what this "different actual ID" is either. But there
are a few IDs defined in the OpenID spec:<o:p></o:p></span></font></p>
<ul type=disc>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>User-supplied identifier: the actual string
entered by the user, which may just be "<a href="http://yahoo.com">yahoo.com</a>"<o:p></o:p></span></font></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>Normalized identifier (7.2): applying some set
rules to the user-supplied identifier, including adding scheme and
following redirects, this may be: "<a href="http://www.yahoo.com">http://www.yahoo.com</a>"<o:p></o:p></span></font></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>Claimed Identifier: This is typically the
normalized identifier if it is a URI. But the OP may add a #fragment
to it in the assertion in which case <i><span style='font-style:italic'>that</span></i>
is the Claimed Identifier. And in the case of an XRI, the i-number
is the claimedId.<o:p></o:p></span></font></li>
</ul>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>On Wed, Sep 3, 2008 at 8:28 AM, SitG Admin <<a
href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>>
wrote:<o:p></o:p></span></font></p>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>>We are using the
claimed identifier as a key in our database to<br>
>identify credentials for a user.<o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Ouch. This will make things confusing (and potentially a security<br>
risk) in the case of, for example, <a href="https://me.yahoo.com/"
target="_blank">https://me.yahoo.com/</a> - I've been<br>
worrying over the same problem recently, and recommend borrowing an<br>
idea from MemCache: make a hash of each claimed ID *and* final ID<br>
(since Yahoo will declare a different actual ID) for lookup. This<br>
won't matter for collisions because you're just using the hash to<br>
save time that would otherwise be spent searching all those long text<br>
fields; if you get 5 results, you just check 5 entries^1 (with two<br>
fields apiece) for the full text. You can put a check in regular<br>
maintenance for lots of users with the same claimed ID but different<br>
final ID to detect users who are doing that kind of system.<br>
<br>
^1) If you get five HUNDRED results, it might be time to use a longer hash :)<o:p></o:p></span></font></p>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'><br>
>However, it seems that some sites have virtually infinite number of<br>
>claimed identifiers for the same OP Local Id.<o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>I remember this headache. OpenID follows the URL standard, so the<br>
user can vary capitalization when they type in their URI, and since<br>
this *may* be a different page on the server hosting their Identity,<br>
it's important to preserve case-sensitivity in keeping track of their<br>
identifier!<br>
<br>
I'm experimentally using this method for a sanity check: lower-case<br>
the claimed ID, lower-case the final ID, look for the claimed ID *in*<br>
the final ID, and if there's no match, worry. (The exact definition<br>
of "worry" is, in my case, is to complain and then promptly die -<br>
you'd probably want yours to be more sophisticated.)<br>
<br>
There was a thread last month (from the 3rd to the 5th) about "URI<br>
normalization and capitalization", I recommend that you look in the<br>
list archives and read that too.<br>
<br>
-Shade<o:p></o:p></span></font></p>
<div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><o:p></o:p></span></font></p>
</div>
</div>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
</div>
</div>
</body>
</html>