<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I give you the clever idea part. <div><br></div><div>It is just that we have enough interop issues with the existing spec. </div><div>I can see all sorts of unanticipated behaviors with RPs if an OP tried this.</div><div><br></div><div>I feel so conservative, I must be getting old:)</div><div><br></div><div>John Bradley<br><div><div>On 24-Mar-09, at 9:43 AM, John Panzer wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>Just to be clear, this was more of a thought experiment; the new XRD spec is clearly the right long term way to go &lt;taps foot impatiently&gt;. (This might, possibly, be a somewhat useful short term transitional hack in moving from XRDS to XRD_new, but I'm not even going to advocate for that.)<br><br>John Bradley wrote:<br><blockquote type="cite">John Panzer is correct that a site could dynamically generate an XRDS based on the user part of the URI authority segment. Lots of things are possible but that doesn't necessarily make them good ideas:)<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I don't want to start a philosophical debate over the equivalence or lack thereof between <a href="http://jbradley@ve7jtb.com">http://jbradley@ve7jtb.com</a> vs <a href="mailto:jbradley@ve7jtb.com">mailto:jbradley@ve7jtb.com</a>.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">But some (W3C) will say treating them as equivalent jeopardizes the integrity of the web and perhaps the space time continuum itself. 
Again, not my argument:)<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">In the new XRD spec and specifically LRDD <a href="http://tools.ietf.org/html/draft-hammer-discovery-02">http://tools.ietf.org/html/draft-hammer-discovery-02</a> and site meta <a href="http://tools.ietf.org/html/draft-nottingham-site-meta-01">http://tools.ietf.org/html/draft-nottingham-site-meta-01</a> there will be a way to use a mailto: URI directly in discovery if individual protocols decide they want to.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">We are sidestepping the philosophical questions of equivalence and cross scheme authority. If a client lib (OpenID) performs LRDD on <a href="http://ve7jtb.com">http://ve7jtb.com</a> and finds a template for the mailto: scheme that translates it into a <a href="https://">https://</a> URI the protocol would be free to use the discovered XRD from our point of view.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">A number of Google and Yahoo people are contributing to the new specs. They are not done yet but Will Norris already has sample code for testing. The specs will be done ASAP but there are still signing and other trust model issues that need to be finalized. People should have a look at the above specs if they haven't already. 
You will be seeing more of them in the future.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Regards<br></blockquote><blockquote type="cite">John Bradley<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">On 24-Mar-09, at 5:06 AM, <a href="mailto:general-request@openid.net">general-request@openid.net</a> wrote:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><blockquote type="cite">Date: Mon, 23 Mar 2009 22:33:03 -0700<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">From: Andrew Arnott <<a href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Subject: Re: [OpenID] Directed Identity vs. "what the user typed"<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">To: John Panzer <<a href="mailto:jpanzer@acm.org">jpanzer@acm.org</a>><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Cc: Martin Atkins <<a href="mailto:mart@degeneration.co.uk">mart@degeneration.co.uk</a>>, <a href="mailto:general@openid.net">general@openid.net</a><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Message-ID:<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> <<a href="mailto:216e54900903232233l2366388bgaef244cfc89214c9@mail.gmail.com">216e54900903232233l2366388bgaef244cfc89214c9@mail.gmail.com</a>><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Content-Type: text/plain; charset="iso-8859-1"<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Hi John,<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Your idea for a dynamic XRDS at the OP that manages to pass a parameter 
to<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">the OP endpoint is very interesting. It sounds like it might work. :)<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">If the OP were to send an assertion that included a user component in the<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">claimed identifier that was actually significant, I would fear that most RPs<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">would ignore it and thereby allow identity spoofing. Perhaps OpenID 2.1 can<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">clarify this.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">-- <br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Andrew Arnott<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">"I [may] not agree with what you have to say, but I'll defend to the death<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">your right to say it." 
- Voltaire<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">2009/3/23 John Panzer <<a href="mailto:jpanzer@acm.org">jpanzer@acm.org</a>><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">On Mon, Mar 23, 2009 at 10:10 PM, Andrew Arnott <<a href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">wrote:<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">The user part is never sent to the OP, regardless of the RP's<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">implementation. 
Discovery is performed with an HTTP GET on either<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="mailto:user@domain.com">user@domain.com</a> or domain.com.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Not clear on whether OpenID normalization requires stripping the user@<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">part, but notionally <a href="mailto:user@domain.com">user@domain.com</a>/ is a valid URI and could be used<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">for discovery.<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Discovery results in the OP endpoint URI and<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">an identifier_select claimed identifier. 
The RP then redirects the user,<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">not to domain.com, but to the OP endpoint, which could be anywhere, and<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">certainly does NOT include the user@ portion because the redirect is<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">determined by the OP's advertised OP endpoint via their XRDS document.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">The XRDS document could be generated dynamically based on the $USER<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">variable, thus incorporating the data as an argument to the OP<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">endpoint. This would of course rule out a static XRDS file.<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">So the OP never sees user1@ or user2@. 
The RP has no way to correlate<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">user1@ to a user account or a claimed identifier on the OP, and the RP<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">never<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">sees user2@ because the claimed identifier is not in the form of an<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">email<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">address. :)<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">What stops the OP from sending back a URI <a href="http://user2@example.org/?">http://user2@example.org/?</a><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">I am not advocating for any of this, just pushing the boundaries a bit.<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote 
type="cite"><blockquote type="cite"><blockquote type="cite">On Mon, Mar 23, 2009 at 6:26 PM, John Panzer <<a href="mailto:jpanzer@acm.org">jpanzer@acm.org</a>> wrote:<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">On Mon, Mar 23, 2009 at 11:06 AM, SitG Admin<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>> wrote:<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Of course, a user can also enter some other email address in the same<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">domain and have it quietly switch on him when he logs in.<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Stupid question: Seems to me that the OP can deal with this, 
assuming<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">that it does get the "user" part of the "<a href="mailto:user@domain.com">user@domain.com</a>" URL.<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">According to the HTTP spec, it should, and at least JSP frameworks<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">were able to pick up on this last time I checked. (It's equivalent to<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">HTTP Basic auth, but without sending a password, which gives you an<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">empty password.) 
This could be used for pre-filling forms, or for<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">selecting the "right" identity from a set already pre-authenticated at<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">the OP, or just for warning the user "you said X, about to change that<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">to Y, click OK to continue".<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">_______________________________________________<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">general mailing list<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="mailto:general@openid.net">general@openid.net</a><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote 
type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><br></blockquote><br></div></blockquote></div><br></div></body></html>
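The thread's open question is what a Relying Party should do when a claimed identifier carries a "user@" component that discovery never sends to the host, and Andrew's worry is that an RP which ignores that component would let two distinct asserted identifiers collapse into one. The following is an added example written for this thread; it is not code from the list, from John Panzer's thought experiment, or from any OpenID library. It applies the URL normalisation steps of OpenID Authentication 2.0 section 7.2 and then shows, on constructed inputs, why a host-and-path comparison merges http://user1@example.org/ with http://user2@example.org/, next to an RP-side check that refuses a userinfo-bearing claimed_id unless the deployment has explicitly decided that component is meaningful. Function names and the userinfo policy are this example's own choices, not spec text.

```python
"""Added example: OpenID 2.0 URL-identifier normalisation plus a userinfo-aware
claimed_id check for a Relying Party.  Function names are hypothetical and the
userinfo policy is a hardening choice of this example, not OpenID spec text."""
import re
from urllib.parse import urlsplit, urlunsplit

# Matches an explicit non-hierarchical scheme such as "mailto:" (no "://").
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)


def normalize_identifier(identifier: str) -> str:
    """OpenID 2.0 section 7.2 steps for URL identifiers: default the scheme
    to http, drop the fragment, use "/" for an empty path.  Scheme and host
    are lower-cased; the userinfo ("user@") part is kept exactly as given,
    since it is case-sensitive and, per the thread, may matter to the OP."""
    s = identifier.strip()
    if "://" not in s:
        if _SCHEME_RE.match(s):  # e.g. mailto:alice@example.org
            raise ValueError("not a URL identifier: " + s)
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: " + scheme)
    userinfo, _, hostport = parts.netloc.rpartition("@")
    netloc = (userinfo + "@" if userinfo else "") + hostport.lower()
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def userinfo_of(url: str) -> str:
    """Return the userinfo component ("user1" in http://user1@example.org/) or ""."""
    return urlsplit(url).netloc.rpartition("@")[0]


def host_path_key(url: str) -> tuple:
    """What a naive RP effectively compares when it ignores userinfo:
    (scheme, host, path).  Exposed so the collision is visible."""
    p = urlsplit(normalize_identifier(url))
    return (p.scheme, p.hostname, p.path)


def verify_claimed_id(asserted_claimed_id: str, discovered_claimed_id: str,
                      *, allow_userinfo: bool = False) -> tuple:
    """RP-side check of the claimed_id in a positive assertion against the
    identifier the RP obtained through its own discovery.  Returns (ok, reason).

    By default a claimed_id carrying userinfo is refused: discovery never
    transmits that component to the host, so the RP has verified nothing
    about "user2@", and silently dropping it would merge distinct identifiers
    (the spoofing concern raised in the thread)."""
    asserted = normalize_identifier(asserted_claimed_id)
    discovered = normalize_identifier(discovered_claimed_id)
    if userinfo_of(asserted) and not allow_userinfo:
        return False, "claimed_id carries a userinfo component"
    if asserted != discovered:
        return False, "claimed_id does not match discovered identifier"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    print(normalize_identifier("user1@example.org"))  # http://user1@example.org/
    print(host_path_key("http://user1@example.org/") ==
          host_path_key("http://user2@example.org/"))  # True: naive RP merges them
    print(verify_claimed_id("http://user2@example.org/", "http://user2@example.org/"))
    print(verify_claimed_id("http://example.org/id/alice", "http://example.org/id/alice"))
```

The default refusal is deliberately conservative, matching the mood of the thread: an RP that wants to honour a significant user component has to opt in with allow_userinfo=True and then compare the full normalised identifier, never the host alone.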