Regarding dropping the requirement for the openid2.local_id tag, that would only work if the local_id value was guaranteed to be discoverable, which currently is not a requirement. Not strictly.<br><br>If I use an OP that doesn't offer me my own identity page, I might create my own. It would have to have the openid2.provider tag and the openid.local_id tag of course. The local_id value might simply be "someusername", which is something that is meaningful to my OP. It's just a 'local id'. I don't see anywhere in the spec that mandates that it is a discoverable URL in its own right.<br>
<br>Again, it's most common for local_ids to be discoverable, but I don't think any RP would be correct in mandating it.<br><br>But it's early in the morning, so if someone points out an obvious flaw in my thinking.... heh heh, sorry.<br>
<br><div class="gmail_quote">On Sun, Nov 9, 2008 at 10:39 PM, Allen Tom <span dir="ltr"><<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Martin,<br>
<br>
This is totally bogus, but I uploaded an HTML file to a webserver with<br>
the following broken delegation code:<br>
<br>
&lt;head&gt;<br>
<div class="Ih2E3d">&lt;link rel="openid2.provider" href="<a href="https://www.google.com/accounts/o8/ud" target="_blank">https://www.google.com/accounts/o8/ud</a>" /&gt;<br>
</div>&lt;/head&gt;<br>
<br>
And I was able to sign into Plaxo using 2 different Google accounts. I<br>
believe that the delegation code delegates to *any* Google Accounts<br>
user. I'm pretty sure that you do the same thing with the Yahoo OP if<br>
you don't remember to also put in the openid2.local_id value (the Yahoo<br>
OpenID that you're delegating to). The difference is that the Yahoo OP<br>
doesn't issue RP-specific OpenIDs, so you can delegate your personal URL<br>
to a single Yahoo OpenID.<br>
<br>
That being said, I don't understand the purpose of needing to set 2<br>
values for delegation, the openid2.provider (the OP endpoint) and the<br>
openid2.local_id; it would seem simplest to just specify the OpenID that<br>
you're delegating to, and let the RP perform discovery to figure out the<br>
OP endpoint. It also seems broken that the user needs to know the OP<br>
endpoint of the OpenID that's being delegated to.<br>
<br>
Hopefully delegation can also be cleaned up in OpenID 2.1.<br>
<font color="#888888"><br>
Allen<br>
</font><div><div></div><div class="Wj3C7c"><br>
<br>
Martin Atkins wrote:<br>
> Allen Tom wrote:<br>
>> How does someone delegate their OpenID URL to Google?<br>
>><br>
>> Putting the following into the &lt;head&gt; section of the OpenID page:<br>
>><br>
>> &lt;link rel="openid2.provider"<br>
>> href="<a href="https://www.google.com/accounts/o8/ud" target="_blank">https://www.google.com/accounts/o8/ud</a>" /&gt;<br>
>><br>
>> seems to allow *any* user with a Google account to sign in with the<br>
>> delegated OpenID.<br>
>><br>
><br>
> I'm not sure I'm completely understanding the situation you're<br>
> describing, but unless the openid.identity in the returned assertion<br>
> matches the value of openid2.local_id discovered from<br>
> openid.claimed_id, the RP should fail because the delegation is invalid.<br>
><br>
> If you just put in the openid2.provider value and no openid2.local_id,<br>
> then you're effectively giving Google's OP carte blanche to make<br>
> assertions about that identifier, though I'm not sure why they would<br>
> make assertions about URLs outside of their own domain.<br>
><br>
><br>
><br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br>
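An added example, not code from anyone in this thread or from any RP mentioned in it, showing the RP-side check Martin describes: the lenient verifier compares only the discovered OP endpoint (the behaviour Allen observed), while the strict verifier applies the OpenID 2.0 rule that openid.identity must equal the discovered openid2.local_id, or the claimed identifier itself when no local_id is published. It assumes HTML-based discovery only (no Yadis/XRDS), and the sample pages and "EXAMPLE-*" identifiers are constructed.

```python
from html.parser import HTMLParser

# Constructed sample pages; the "EXAMPLE-*" identifiers are not real accounts.
BROKEN_PAGE = """<html><head>
<link rel="openid2.provider" href="https://www.google.com/accounts/o8/ud" />
</head><body>delegation with no openid2.local_id</body></html>"""

DELEGATED_PAGE = """<html><head>
<link rel="openid2.provider" href="https://www.google.com/accounts/o8/ud" />
<link rel="openid2.local_id" href="https://www.google.com/accounts/o8/id?id=EXAMPLE-alice" />
</head><body></body></html>"""


class _LinkParser(HTMLParser):
    """Collect rel -> href from <link> tags (HTML-based discovery only, no Yadis/XRDS)."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        if a.get("rel") and a.get("href"):
            for rel in a["rel"].split():
                self.links.setdefault(rel, a["href"])


def discover(page_html):
    """Return (op_endpoint, local_id) published on the claimed identifier's page."""
    p = _LinkParser()
    p.feed(page_html)
    return p.links.get("openid2.provider"), p.links.get("openid2.local_id")


def verify_lenient(page_html, assertion):
    """The failure mode in the thread: only the OP endpoint is compared, so any
    user of that OP can produce an accepted assertion for the claimed identifier."""
    op_endpoint, _ = discover(page_html)
    return op_endpoint is not None and assertion["openid.op_endpoint"] == op_endpoint


def verify_strict(claimed_id, page_html, assertion):
    """RP check per OpenID 2.0 section 11.2: openid.identity must equal the
    discovered local_id, or the claimed_id itself when no local_id is published."""
    op_endpoint, local_id = discover(page_html)
    if op_endpoint is None or assertion["openid.op_endpoint"] != op_endpoint:
        return False
    return assertion["openid.identity"] == (local_id or claimed_id)
```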