<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle18
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Ah, you mean the culture of the internet/web to let interworking
happen with any old crap that satisfies the 80% interworking rule? Hmm. I
used to rail against that too. Then, I got converted.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The biggest point is that user _<i>vanity</i>_ services (in
UCI/Openid culture) are not controlled by anyone except the user. I could not
care less if the user uses textedit on a template or applies a wizard on a website
to help build that XRDS file, so long as the user then copies the result onto his
vanity website(s) as a file. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The point is not editing (and obvious usability) but that the ENTIRE
content must be “under the control” of the user, and is NOT
controlled by any OP (or RP, or SP). Of course, the OP may well have its own
XRDS for its “subscribers”, associated with the subscriber’s
identity page. But that’s up to the user to address, when considering the
OP’s terms of service, and whether or not the user chooses to delegate or
not to that OP.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If the user wants to have its hand-crafted “VANITY” XRDS
file copied on 10 different free ISP vanity websites (because one of them might
invoke its terms of service tomorrow and interfere with the user’s distribution
of the user’s (openid-signed) metadata), so be it.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>This control issue is an important part of the openid model. (I really
don’t know if it is or is not a part of the culture of OAUTH.) The number
of folks who will apply full power UCI will be as small as the folks who
bother with anonymity, but they CAN, by architecture and culture. The nature of
openid discovery today supports that world. I would not want to lose it as specs
get updated, or protocols (hopefully) merge.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Eran Hammer-Lahav
[mailto:eran@hueniverse.com] <br>
<b>Sent:</b> Thursday, January 08, 2009 9:58 AM<br>
<b>To:</b> Andrew Arnott; Peter Williams<br>
<b>Cc:</b> general@openid.net List<br>
<b>Subject:</b> RE: [OpenID] HTML-Based Discovery incompatibilities<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>This problem gets worse because people have been educated by
irresponsible browser vendors to expect broken HTML to simply work.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>EHL<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
general-bounces@openid.net [mailto:general-bounces@openid.net] <b>On Behalf Of </b>Andrew
Arnott<br>
<b>Sent:</b> Thursday, January 08, 2009 9:38 AM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> general@openid.net List<br>
<b>Subject:</b> Re: [OpenID] HTML-Based Discovery incompatibilities<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Peter,<o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>I'd say what you're missing is that not all HTML is
well-formed XML. If I shot all HTML that dotnetopenid downloaded through
an XML parser, dotnetopenid code would look wonderful and perfect... and only
20% of HTML pages with OpenID tags would even be discoverable because the HTML
in the other 80% is not well-formed.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<o:p></o:p></p>
<div>
<p class=MsoNormal>On Thu, Jan 8, 2009 at 9:05 AM, Peter Williams &lt;<a
href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>&gt; wrote:<o:p></o:p></p>
<div>
<div>
<p><span style='font-size:11.0pt;color:#1F497D'>I'm missing something (big,
obviously).</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>If DotNetOpenID can delegate to
the platform for https, why cannot it delegate to the platform for XML:
just treat the HTML as an XML stream, and build a DOM tree using .NET
libraries?</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:
10.0pt'> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>]
<b>On Behalf Of </b>Andrew Arnott<br>
<b>Sent:</b> Thursday, January 08, 2009 8:56 AM<br>
<b>To:</b> Chris Messina<br>
<b>Cc:</b> <a href="mailto:general@openid.net" target="_blank">general@openid.net</a>
List<br>
<b>Subject:</b> Re: [OpenID] HTML-Based Discovery incompatibilities</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p> <o:p></o:p></p>
<div>
<p>Chris,<o:p></o:p></p>
</div>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p>While you bring up a good issue, and it is a problem with the libraries, I
would be against building this into the OpenID spec because this is just
following the HTML spec, as you point out. There are many more rules in
HTML that a good RP discovery library should follow (like ignoring commented
out HTML tags, javascript, etc.), and these rules don't belong in the OpenID
spec either, IMO.<o:p></o:p></p>
</div>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p>FWIW, dotnetopenid is one library that can handle both formats you listed.
But I do not claim that it has a full browser-quality HTML parser.
Just like every library, I imagine, I had to choose how much time to
invest in HTML discovery. Unless there's a decent open-source HTML parser
available for C#, I don't think any C# openid library will ever have
"perfect" html discovery by the HTML spec anyway.<o:p></o:p></p>
</div>
<p style='margin-bottom:12.0pt'><br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<o:p></o:p></p>
<div>
<p>On Thu, Jan 8, 2009 at 12:58 AM, Chris Messina &lt;<a
href="mailto:chris.messina@gmail.com" target="_blank">chris.messina@gmail.com</a>&gt;
wrote:<o:p></o:p></p>
<p>I just read over section 7.3.3 on HTML-Based Discovery [1], and considering my experience
today trying to re-delegate my OpenID, I've discovered that this section needs
to be updated and clarified.<br>
<br>
It turns out that relying parties are not parsing HTML rel values in a standard
way. That is, if there is more than one rel value provided for a link, some RPs
fail, whereas others work fine.<br>
<br>
In other words, this:<br>
<br>
&lt;link rel="<span style='background:#FFFF33'>openid2.provider
openid.server</span>" href="<a href="http://factoryjoe.com/blog/"
target="_blank">http://factoryjoe.com/blog/</a>" /&gt;<br>
&lt;link rel="<span style='background:#FFFF33'>openid2.local_id
openid.delegate</span>" href="<a href="http://factoryjoe.com/blog/"
target="_blank">http://factoryjoe.com/blog/</a>" /&gt;<br>
<br>
is not the same as this:<br>
<br>
&lt;link rel="<span style='background:#FFFF33'>openid2.provider</span>"
href="<a href="http://factoryjoe.com/blog/?openid_server=1" target="_blank">http://factoryjoe.com/blog/?openid_server=1</a>"
/&gt;<br>
&lt;link rel="<span style='background:#FFFF33'>openid2.local_id</span>"
href="<a href="http://factoryjoe.com/blog/author/factoryjoe/"
target="_blank">http://factoryjoe.com/blog/author/factoryjoe/</a>" /&gt;<br>
&lt;link rel="<span style='background:#FFFF33'>openid.server</span>"
href="<a href="http://factoryjoe.com/blog/?openid_server=1" target="_blank">http://factoryjoe.com/blog/?openid_server=1</a>"
/&gt;<br>
&lt;link rel="<span style='background:#FFFF33'>openid.delegate</span>"
href="<a href="http://factoryjoe.com/blog/author/factoryjoe/"
target="_blank">http://factoryjoe.com/blog/author/factoryjoe/</a>" /&gt;<br>
<br>
It's my understanding that the rel attribute should be able to contain several
values.<o:p></o:p></p>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p>But I can tell you that IntenseDebate, for example, failed when delegation
was set up using the former code. It only worked when I broke out the two links
into four.<o:p></o:p></p>
</div>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p>I'm not sure if this is an issue with the libraries or what, but I'd like to
know if other people have experienced this problem, and if we can improve the
language in the spec to make sure that people understand that they need to look
for the presence of an element in a rel value -- not that the *entire* value is
one element.<o:p></o:p></p>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p style='margin-bottom:12.0pt'>Chris<br>
<br>
[1] <a
href="http://openid.net/specs/openid-authentication-2_0.html#html_disco"
target="_blank">http://openid.net/specs/openid-authentication-2_0.html#html_disco</a><br>
<br>
-- <br>
Chris Messina<br>
Citizen-Participant &<br>
Open Web Advocate-at-Large<br>
<br>
<a href="http://factoryjoe.com" target="_blank">factoryjoe.com</a> # <a
href="http://diso-project.org" target="_blank">diso-project.org</a><br>
<a href="http://citizenagency.com" target="_blank">citizenagency.com</a> # <a
href="http://vidoop.com" target="_blank">vidoop.com</a><br>
This email is: [ ] bloggable [X] ask first [ ]
private<o:p></o:p></p>
</div>
</div>
</div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</div>
</div>
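<p class=MsoNormal>Added example, not part of the thread and not code from DotNetOpenID or any other library named in it: a Python sketch of relying-party HTML discovery that treats rel as a set of space-separated, case-insensitive tokens, skips commented-out markup, reads only links inside HEAD as section 7.3.3 specifies, and tolerates HTML that an XML parser rejects. The sample page, its hosts, and the names HeadLinks, discover and is_well_formed_xml are constructed for illustration; whole_value=True models the entire-value comparison Chris suspects, which is an assumption about the failing RPs.</p>

```python
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Constructed sample page (hosts are placeholders): multi-valued rel values,
# a commented-out link, unclosed tags, and a stray link in the body.
SAMPLE = """<html><head>
<!-- <link rel="openid2.provider" href="https://old-op.example/"> -->
<link rel="openid2.provider openid.server" href="https://op.example/server">
<LINK REL="OpenID2.Local_ID openid.delegate" HREF="https://op.example/user">
</head><body><p>unclosed paragraph
<link rel="openid2.provider" href="https://not-in-head.example/">
</body></html>"""

OPENID_RELS = {"openid2.provider", "openid2.local_id",
               "openid.server", "openid.delegate"}

class HeadLinks(HTMLParser):
    """Collects (rel, href) from <link> tags inside <head> only."""
    def __init__(self):
        super().__init__()
        self.in_head, self.links = False, []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lower-cased; comments never get here.
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            self.links.append((a.get("rel") or "", a.get("href")))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(html, whole_value=False):
    """Map each OpenID rel keyword to the first href that declares it."""
    parser = HeadLinks()
    parser.feed(html)
    parser.close()
    found = {}
    for rel, href in parser.links:
        # whole_value=True compares the entire rel string (assumed RP bug).
        tokens = {rel} if whole_value else set(rel.lower().split())
        for keyword in tokens & OPENID_RELS:
            found.setdefault(keyword, href)
    return found

def is_well_formed_xml(html):
    """True only if a strict XML parser accepts the page."""
    try:
        ET.fromstring(html)
        return True
    except ET.ParseError:
        return False
```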
</body>
</html>