<div dir="ltr"><div>I am very much in favor of OPs normalizing their identifiers. </div><div><br></div>But I daresay that if a user adds ?a=1 to a user identifier, he's not your average joe-blow user and knows exactly what he's doing. Nothing wrong with that. If the user wants to splinter his identity by adding query args, he should be free to do so, just as much as username/password doesn't prevent a user from creating to user accounts. <br>
<br><div class="gmail_quote">On Mon, Sep 8, 2008 at 1:49 PM, Joe Tele <span dir="ltr"><<a href="mailto:pnwtele@yahoo.com">pnwtele@yahoo.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Yes, it has nothing to do with fragments or recycling. It has to do with inconsistencies with how OPs normalize (or not) their user's claimed ids from user supplied indentifiers. Verisign does nothing. These are types of things which could be argued as "features" or "bugs" but in my opinion could result in user base confusion (and RP confusion).<br>
<div class="Ih2E3d"><br>
<br>
--- On Mon, 9/8/08, SitG Admin <<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>> wrote:<br>
<br>
> From: SitG Admin <<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>><br>
> Subject: Re: [OpenID] http and https...again<br>
> To: "Joe Tele" <<a href="mailto:pnwtele@yahoo.com">pnwtele@yahoo.com</a>><br>
> Cc: <a href="mailto:general@openid.net">general@openid.net</a><br>
</div>> Date: Monday, September 8, 2008, 1:38 PM<br>
<div><div></div><div class="Wj3C7c">> ><a href="http://openid.net/pipermail/general/2008-September/005426.html" target="_blank">http://openid.net/pipermail/general/2008-September/005426.html</a><br>
><br>
> I don't know about Verizon, but your reference to a<br>
> user typing in<br>
> this extra information is a clue that this doesn't have<br>
> to do with<br>
> generation fragments (distinguishing between successive<br>
> users with<br>
> the same URI). I'm thinking it's either a user<br>
> identification method<br>
> (such as Sun offers to assert "This is one of our<br>
> employees, but<br>
> we're not saying exactly who.") that tells the OP<br>
> (in this case,<br>
> Verizon) who the user is claiming to be (facilitating the<br>
> login flow)<br>
> without revealing anything meaningful about the user's<br>
> identity to<br>
> the RP, or something weird with how Verizon is resolving<br>
> claimed_id<br>
> (if the URI is different enough to not qualify as the same<br>
> user<br>
> anymore, you'd think Verizon's OP would detect that<br>
> and return an<br>
> error that the user did not exist).<br>
><br>
> Are you getting these "?a=1" variables appended<br>
> by real users, or are<br>
> they just showing up in tests? If the former, I'd<br>
> assume it to be<br>
> there for a reason; if the latter, I'd contact Verizon<br>
> about it.<br>
><br>
> -Shade<br>
<br>
<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br></div>