<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.apple-style-span
        {mso-style-name:apple-style-span;}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If you think about it, in a refined OpenID Auth spec, it would
be more useful to have the RP send the user input to the OP, rather than the
normalized, redirected, or delegated values.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Assuming one is in “please confirm” the id in question is “registered”
with some third-party validation/naming authority, one has to (a) invoke directed
identity (so user can select their id at the OP, to mitigate the correlations…)
(b) ask to REPERFORM the discovery step the RP already did (c) ask OP to “do extra
confirmation” process X, for id class * (where Y = rfc822 registered email boxes,
for example) (d) ask OP to release either its own evaluation result …or just proxy
back the validation/naming authority's answer.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
general-bounces@openid.net [mailto:general-bounces@openid.net] <b>On Behalf Of </b>Andrew
Arnott<br>
<b>Sent:</b> Wednesday, October 29, 2008 7:45 AM<br>
<b>To:</b> david@sixapart.com<br>
<b>Cc:</b> OpenID List<br>
<b>Subject:</b> [LIKELY_SPAM]Re: [OpenID] OpenID based on email addresses...
Just Works!<o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>This method does use directed
identity, but as such it does <span class=apple-style-span><i>not</i></span> provide
the email address in the openid.identity field and it would be contrary to the
spec to do so. Perhaps though you were suggesting that a future version
support this? (I would be in favor of investigating this as well). <o:p></o:p></p>
<div>
<p class=MsoNormal>On Wed, Oct 29, 2008 at 7:20 AM, David Recordon &lt;<a
href="mailto:drecordon@sixapart.com">drecordon@sixapart.com</a>&gt; wrote:<o:p></o:p></p>
<div>
<p class=MsoNormal>I'm a fan of this method, basically doing the directed
identity flow and passing the user input (<a href="mailto:daveman692@yahoo.com"
target="_blank">daveman692@yahoo.com</a>) in as openid.identity in the request.<o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>--David<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<div>
<div>
<div>
<p class=MsoNormal>On Oct 28, 2008, at 9:14 AM, Andrew Arnott wrote:<o:p></o:p></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<div>
<div>
<p class=MsoNormal>I was going through the logs of <a
href="http://nerdbank.org/RP/login.aspx" target="_blank">my test RP</a> and
was surprised to see what looked like the efforts of someone who didn't
understand how OpenID worked. One of the attempts included just using a
Yahoo! email address. Guess what?! It worked.<o:p></o:p></p>
<div>
<p class=MsoNormal><br>
It worked because (at least in .NET), the URL may validly include a user@
portion, as has been discussed on this list recently. It's just quietly
dropped. That left "<a href="http://yahoo.com" target="_blank">http://yahoo.com</a>"
as the identifier to perform discovery on, which of course worked. To the
user, the experience is nearly perfect. They see Yahoo where they must
log in, choose an identifier, and then return to the RP. The only
weirdness is that although the Claimed Identifier will always be right, if for
prettiness' sake the RP were to display the user-supplied-identifier as the
user originally typed it in, it might not match who actually logged into
Yahoo. <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>For instance, I can type in <a
href="mailto:yourname@yahoo.com" target="_blank">yourname@yahoo.com</a> and
completely log in, even though that's not my email address. The claimed
ID is mine, and that's what really matters, but it's a little quirky (from the
end user's perspective) that I can type in anyone's Yahoo email address and it
just works. As a new user I may think that I managed to log in as someone
else. <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Again, I know <i>why </i>all this works based on the spec
and my implementation of it; I just didn't expect that email discovery would
come without at least some work (perhaps to trim off the username@ part).
So I was pleasantly surprised.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><br>
Anyway, something to think about.<o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=MsoNormal>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
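<p class=MsoNormal>Added example, not part of the thread and not the .NET RP's code: a Python sketch of the normalization described in the original post, where the user@ portion of yourname@yahoo.com is dropped and http://yahoo.com/ becomes the discovery URL, plus a display rule that echoes the typed input only when it equals the asserted Claimed Identifier. The names normalize_identifier and safe_display and the op.example Claimed Identifier are assumptions made for illustration.</p>

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholder for the Claimed Identifier the OP asserts.
CLAIMED_ID = "https://op.example/user/constructed"

def normalize_identifier(user_input):
    """Return (discovery_url, dropped_userinfo) for a typed identifier."""
    text = user_input.strip()
    if "://" not in text:
        text = "http://" + text          # OpenID 2.0: bare input is treated as http
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) identifier: " + user_input)
    host = parts.hostname                # lowercased, userinfo and port removed
    if ":" in host:
        host = "[" + host + "]"          # IPv6 literal needs its brackets back
    if parts.port is not None:
        host = host + ":" + str(parts.port)
    # Everything before the last "@" in the authority is userinfo; it plays
    # no part in discovery, so it is returned separately instead of vanishing.
    userinfo = parts.netloc.rpartition("@")[0] or None
    url = urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))
    return url, userinfo

def safe_display(user_input, claimed_id):
    """Pick the identifier an RP may show after a positive assertion."""
    discovery_url, userinfo = normalize_identifier(user_input)
    # Echo what was typed only if it normalizes to the asserted Claimed
    # Identifier and nothing was dropped on the way; otherwise show the
    # Claimed Identifier, which is the only value the OP vouched for.
    if userinfo is None and discovery_url == claimed_id:
        return user_input.strip()
    return claimed_id

if __name__ == "__main__":
    for typed in ("yourname@yahoo.com", "yahoo.com", CLAIMED_ID):
        print(typed, normalize_identifier(typed), safe_display(typed, CLAIMED_ID))
```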
</div>
</body>
</html>