SOS-ja neviem ako som sa k vám dostal neviem o čo sa jedná ,prosím o odhlásenie-dakujem.<br><br><div class="gmail_quote">2009/6/23 <span dir="ltr"><<a href="mailto:general-request@openid.net">general-request@openid.net</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Send general mailing list submissions to<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:general-request@openid.net">general-request@openid.net</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:general-owner@openid.net">general-owner@openid.net</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of general digest..."<br>
<br>Today's Topics:<br>
<br>
1. Re: Delegation leading to new accounts on websites<br>
(George Fletcher)<br>
2. Re: Delegation leading to new accounts on websites<br>
(Andrew Arnott)<br>
3. Re: Delegation leading to new accounts on websites (Allen Tom)<br>
4. Re: Delegation leading to new accounts on websites<br>
(Peter Williams)<br>
<br><br>---------- Správa poslaná ďalej ----------<br>From: George Fletcher <<a href="mailto:gffletch@aol.com">gffletch@aol.com</a>><br>To: Allen Tom <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>><br>
Date: Tue, 23 Jun 2009 10:27:26 -0400<br>Subject: Re: [OpenID] Delegation leading to new accounts on websites<br>Thanks Allen, good to know.<br>
<br>
I'm assuming for this behavior to work, the user must first have enabled their flickr URL as an OpenID. When I try with a flickr URL that is not yet enabled as an OpenID then I get the "directed identity" behavior. This is the behavior I described in my flow earlier.<br>
<br>
The confusion comes in that the RP MUST do late binding and can NOT assume that the identifier entered by the user is valid for the session. As long as the RP ignores what the user entered if the AuthN request claimed_id does not equal the AuthN response claimed_id there will be no mis-identity issues.<br>
<br>
Thanks,<br>
George<br>
<br>
Allen Tom wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi George,<br>
<br>
If you type in your Flickr Photos URL into the RP's OpenID text box, the Yahoo OP will return your Flickr Photos URL as your OpenID, instead of the the <a href="https://me.yahoo.com/" target="_blank">https://me.yahoo.com/</a><randomstring> identifier in the response.<br>
<br>
However, if you type in "<a href="http://flickr.com" target="_blank">flickr.com</a>", we'll assume directed identity, and we'll display a drop down for you to select which OpenID (the Flickr one, or the machine generated one) in the response.<br>
<br>
Note: you must type in <a href="http://www.flickr.com/photos/gffphotos" target="_blank">http://www.flickr.com/photos/gffphotos</a> and not htttp://<a href="http://flickr.com/photos/gffphotos" target="_blank">flickr.com/photos/gffphotos</a>.<br>
<br>
Hope that helps,<br>
Allen<br>
<br>
<br>
George Fletcher wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
If I understand this correctly...<br>
<br>
1. I enter <a href="http://www.flickr.com/photos/gffphotos" target="_blank">http://www.flickr.com/photos/gffphotos</a> (shameless plug for my photo stream:)<br>
2. The RP normalizes the "user entered identifier" (in this case it's the same URL)<br>
3. The RP does discovery on the "user entered identifier" and the HTML defines the OP as yahoo (no local_id)<br>
4. The RP sends the AuthN request with openid.identity=<a href="http://www.flickr.com/photos/gffphotos" target="_blank">http://www.flickr.com/photos/gffphotos</a><br>
5. Yahoo ignores the openid.identity field and does directed identity<br>
6. Yahoo sends back an openid.claimed_id=<a href="https://me.yahoo.com/" target="_blank">https://me.yahoo.com/</a><randomstring><br>
7. Since the openid.identity value the RP sent does not equal the value the OP returned, the RP does discovery on the <a href="https://me.yahoo.com/" target="_blank">https://me.yahoo.com/</a><randomstring><br>
8. Discovery shows that the yahoo OP is indeed authoritative for the URL<br>
9. The RP has to ignore the value entered by the user (e.g. <a href="http://www.flickr.com/photos/gffphotos" target="_blank">http://www.flickr.com/photos/gffphotos</a>) and just use the value the OP returned (e.g. <a href="https://me.yahoo.com/" target="_blank">https://me.yahoo.com/</a><randomestring>) because there is no way to know whether the returned identifier from yahoo actually maps to the value entered by the user<br>
<br>
The following is also true if I try and delegate my vanity URL to an flickr based OpenID.<br>
<br>
I believe that if the RP sends an identifier for the user that is NOT the directed identity select URL, then the OP should either (A) authenticate only the specified identity or (B) fail the request. Allowing the request to succeed but for an identity totally different than what the user identified to the RP is just confusing.<br>
<br>
Thanks,<br>
George<br>
<br>
P.S. More comments inline<br>
<br>
John Bradley wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
George,<br>
<br>
The combination of directed identity is still a real interop issue because it is not well explained in openID 2.0.<br>
<br>
When the claimed_id (less fragment) or the identity are different in the response from the request the RP must rediscover the openid.claimed_id.<br>
<br>
If delegation was done the openid.identity must match the LocalID in the XRD.<br>
</blockquote>
I don't think this will work in the Yahoo case. The openid.identity value returned by Yahoo is the <a href="https://me.yahoo.com/" target="_blank">https://me.yahoo.com/</a><randomstring>. If I do a discovery on this identifier, it case say that the "LocalID" at Yahoo is the same value, but that doesn't mean it matches to the URL the user entered at the RP. If the XRDS response, somehow ties the directed identity value back to the flickr URL the all the pseudonymous benefits of directed identity are broken.<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
If the RP doesn't do this step anyone with a Yahoo account can log into any openID that is delegated to Yahoo.<br>
</blockquote>
It isn't the discovery of the returned openid.claimed_id value that protects against this case. It's the fact that the RP ignores the value the user entered and even it's associated local_id value and instead just uses the values returned by the OP. It is impossible to associate in anyway the value the user entered with the value the OP returns.<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
Yahoo is following the spec as intended. There is an OSIS test for RPs to check if they are vulnerable to this.<br>
<br>
If the second discovery verifies then 1 can still be used safely as the users identifier.<br>
<br>
I had to sit Johnny Bufu down to explain it to me what they intended when they wrote 2.0.<br>
<br>
I couldn't extract the logic from the spec itself for the delegating to a directed identity flow.<br>
<br>
John B.<br>
<br>
On 22-Jun-09, at 11:45 AM, <a href="mailto:general-request@openid.net" target="_blank">general-request@openid.net</a> <mailto:<a href="mailto:general-request@openid.net" target="_blank">general-request@openid.net</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Date: Mon, 22 Jun 2009 11:44:03 -0400<br>
From: George Fletcher <<a href="mailto:gffletch@aol.com" target="_blank">gffletch@aol.com</a> <mailto:<a href="mailto:gffletch@aol.com" target="_blank">gffletch@aol.com</a>>><br>
Subject: Re: [OpenID] Delegation leading to new accounts on websites<br>
To: Andrew Arnott <<a href="mailto:andrewarnott@gmail.com" target="_blank">andrewarnott@gmail.com</a> <mailto:<a href="mailto:andrewarnott@gmail.com" target="_blank">andrewarnott@gmail.com</a>>><br>
Cc: "<a href="mailto:general@openid.net" target="_blank">general@openid.net</a> <mailto:<a href="mailto:general@openid.net" target="_blank">general@openid.net</a>>" <<a href="mailto:general@openid.net" target="_blank">general@openid.net</a> <mailto:<a href="mailto:general@openid.net" target="_blank">general@openid.net</a>>><br>
Message-ID: <<a href="mailto:4A3FA6C3.9060305@aol.com" target="_blank">4A3FA6C3.9060305@aol.com</a> <mailto:<a href="mailto:4A3FA6C3.9060305@aol.com" target="_blank">4A3FA6C3.9060305@aol.com</a>>><br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>
<br>
Isn't one of the underlying issues the fact that there are really 3 identifiers in this scenario?<br>
1. the identifier entered by the user (claimed_id or i-name)<br>
2. the discovered/resolved identifier ("local_id" or "i-number")<br>
3. the identifier returned by the OP<br>
<br>
In the case of OpenID 2.0 protocol flow, the RP has to remember #1 and send #2 as the openid.identity parameter. If the OP does NOT return openid.identity == #2, then the OP has chosen to do directed identity regardless of the request and the RP must throw out #1 and take #3 as the user's identifier.<br>
<br>
This causes some weird user experience issues, but this is what we ran into when implementing OpenID 2.0 Relying Party support.<br>
<br>
Thanks,<br>
George<br>
</blockquote>
<br>
= <br>
</blockquote>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</blockquote>
<br>
<br>
</blockquote>
<br>
<br><br>---------- Správa poslaná ďalej ----------<br>From: Andrew Arnott <<a href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>><br>To: Tom Edwards <<a href="mailto:t_edwards@btinternet.com">t_edwards@btinternet.com</a>><br>
Date: Tue, 23 Jun 2009 08:59:34 -0700<br>Subject: Re: [OpenID] Delegation leading to new accounts on websites<br>Just a guess that sourceforge probably worked because its OpenID support is old and buggy (no offense, anyone!) and if it only does OpenID 1.x, then RPs in that version did their own delegation management instead of giving the OPs a chance to change it.<div>
<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">2009/6/23 Tom Edwards <span dir="ltr"><<a href="mailto:t_edwards@btinternet.com" target="_blank">t_edwards@btinternet.com</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
I've tried both delegation URLs on several sites, but the only one that
recognises me as <a href="http://steamreview.org" target="_blank">steamreview.org</a> in either scenario is SourceForge. The
others I tried are:<br>
<ul>
<li><a href="http://getsatisfaction.com" target="_blank">getsatisfaction.com</a></li>
<li><a href="http://pbworks.com" target="_blank">pbworks.com</a></li>
<li><a href="http://wishlistr.com" target="_blank">wishlistr.com</a></li>
<li><a href="http://stackoverflow.com" target="_blank">stackoverflow.com</a></li>
</ul>
These all thought I was <a href="http://flickr.com/blah/" target="_blank">flickr.com/blah/</a> or <a href="http://yahoo.com/blah/" target="_blank">yahoo.com/blah/</a> - I was
only <a href="http://steamreview.org" target="_blank">steamreview.org</a> when delegating to
<a href="http://steamreview.org/openid/" target="_blank"><http://steamreview.org/openid/></a>.<br>
<br>
Yahoo only supports OpenID 2 while my server (PhpMyID) only supports
OpenID 1. Could this be making a difference?<br>
<br>
This process would be a lot more reliable if the <a href="http://openidenabled.com" target="_blank">openidenabled.com</a> test
suite was working.
:-(<div><div></div><div><br>
<br>
Allen Tom wrote:
<blockquote type="cite">
Hi John - <br>
<br>
Your description accurately describes how the Yahoo OP is implemented,
and it is the RP's responsibility to keep track of the user's URL that
was delegated to the OP.<br>
<br>
One possible possible issue is that Flickr itself delegates to Yahoo,
so users are probably better off delegating to their default machine
generated Yahoo OpenID (of the form <a href="https://me.yahoo.com/a/" target="_blank">https://me.yahoo.com/a/</a><random
string>) than to to their Flickr Photos url.<br>
<br>
Tom - can you try delegating your personal URL to your default Yahoo
OpenID? This will eliminate the extra round trip to Flickr, which is
probably causing your problem. The easiest way to find out what your
Yahoo OpenID is to go here:<br>
<br>
<a href="http://openid.yahoo.com/" target="_blank">http://openid.yahoo.com/</a><br>
Click Get Started<br>
Type in your password<br>
and take a look at the identifiers at the bottom of the screen.<br>
<br>
Unfortunately, this doesn't seem to work on GetSatisfaction. :/<br>
Allen<br>
<br>
<br>
<br>
John Bradley wrote:
<blockquote type="cite">George,
<div><br>
</div>
<div>The combination of directed identity is still a real interop
issue because it is not well explained in openID 2.0.</div>
<div><br>
</div>
<div>When the claimed_id (less fragment) or the identity are
different in the response from the request the RP must rediscover the
openid.claimed_id.</div>
<div><br>
</div>
<div>If delegation was done the openid.identity must match the
LocalID in the XRD.</div>
<div><br>
</div>
<div>If the RP doesn't do this step anyone with a Yahoo account can
log into any openID that is delegated to Yahoo.</div>
<div><br>
</div>
<div>Yahoo is following the spec as intended. </div>
<div><br>
</div>
<div>There is an OSIS test for RPs to check if they are vulnerable
to
this.</div>
<div><br>
</div>
<div>If the second discovery verifies then 1 can still be used
safely
as the users identifier.</div>
<div><br>
</div>
<div>I had to sit Johnny Bufu down to explain it to me what they
intended when they wrote 2.0.</div>
<div><br>
</div>
<div>I couldn't extract the logic from the spec itself for the
delegating to a directed identity flow.</div>
<div><br>
</div>
<div>John B.</div>
<div><br>
<div>
<div>On 22-Jun-09, at 11:45 AM, <a href="mailto:general-request@openid.net" target="_blank">general-request@openid.net</a>
wrote:</div>
<br>
<blockquote type="cite"><span style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span style="font-family: monospace;">Date: Mon, 22
Jun 2009 11:44:03 -0400<br>
From: George Fletcher <<a href="mailto:gffletch@aol.com" target="_blank">gffletch@aol.com</a>><br>
Subject: Re: [OpenID] Delegation leading to new accounts on websites<br>
To: Andrew Arnott <<a href="mailto:andrewarnott@gmail.com" target="_blank">andrewarnott@gmail.com</a>><br>
Cc: "<a href="mailto:general@openid.net" target="_blank">general@openid.net</a>"
<<a href="mailto:general@openid.net" target="_blank">general@openid.net</a>><br>
Message-ID: <<a href="mailto:4A3FA6C3.9060305@aol.com" target="_blank">4A3FA6C3.9060305@aol.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>
<br>
Isn't one of the underlying issues the fact that there are really 3<span> </span><br>
identifiers in this scenario?<br>
1. the identifier entered by the user (claimed_id or i-name)<br>
2. the discovered/resolved identifier ("local_id" or "i-number")<br>
3. the identifier returned by the OP<br>
<br>
In the case of OpenID 2.0 protocol flow, the RP has to remember #1 and<span> </span><br>
send #2 as the openid.identity parameter. If the OP does NOT return<span> </span><br>
openid.identity == #2, then the OP has chosen to do directed identity<span> </span><br>
regardless of the request and the RP must throw out #1 and take #3 as<span> </span><br>
the user's identifier.<br>
<br>
This causes some weird user experience issues, but this is what we ran<span> </span><br>
into when implementing OpenID 2.0 Relying Party support.<br>
<br>
Thanks,<br>
George<br>
</span></span></blockquote>
</div>
<br>
</div>
<pre><hr size="4" width="90%">
_______________________________________________
general mailing list
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a>
</pre>
</blockquote>
<br>
</blockquote>
</div></div></div>
</blockquote></div><br></div>
<br><br>---------- Správa poslaná ďalej ----------<br>From: Allen Tom <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>><br>To: Tom Edwards <<a href="mailto:t_edwards@btinternet.com">t_edwards@btinternet.com</a>><br>
Date: Tue, 23 Jun 2009 09:16:46 -0700<br>Subject: Re: [OpenID] Delegation leading to new accounts on websites<br>
<div bgcolor="#ffffff" text="#000000">
Tom Edwards wrote:
<blockquote type="cite">
<br>
Yahoo only supports OpenID 2 while my server (PhpMyID) only supports
OpenID 1. Could this be making a difference?<br>
<br>
</blockquote>
Hi Tom,<br>
<br>
I suspect that the fact that you're delegating to an OP that only
supports OpenID 2.0 is probably causing some compatibility problems. <br>
<br>
The Yahoo OP does support delegation, and to the best of our knowledge,
we are correctly implementing the OpenID 2.0 spec with regards to
delegation. That being said, the OpenID 2.0 spec is a bit ambiguous
regarding how
delegation is supposed to work. Hopefully this can be cleared up in
OpenID 2.1.<br>
<br>
If you do need backwards compatibility with OpenID 1.1, as well as
support for OpenID 2.0, then delegating to MyOpenID.com seems to work
pretty well.<br>
<br>
Allen<br>
<br>
<br>
<br>
</div>
<br><br>---------- Správa poslaná ďalej ----------<br>From: Peter Williams <<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>><br>To: "<a href="mailto:general@openid.net">general@openid.net</a>" <<a href="mailto:general@openid.net">general@openid.net</a>><br>
Date: Tue, 23 Jun 2009 09:21:48 -0700<br>Subject: Re: [OpenID] Delegation leading to new accounts on websites<br><br>
We know from the old Bufu rule that the RP is responsible for testing that<br>
<br>
"(identity claim == subscriber.OP.XRD[localID]) is element of user.XRD[localIDset]" ,<br>
<br>
through an act of RP-discovery.<br>
<br>
The RP is ALSO responsible for testing that <a href="http://yahoo.com" target="_blank">yahoo.com</a> has authority to make cross-realm claims (release a authoritative identity claim for the realm of <a href="http://homepw.org" target="_blank">homepw.org</a>, which is outside the asserting parties OP-identifier realm of <a href="http://yahoo.com" target="_blank">yahoo.com</a>).<br>
<br>
But how do I as RP test that Yahoo is so authorized?<br>
<br>
Put in activeDirectory terms that a million Windows MCSEs can understand, how do I test that any one of 10 different UPNs in 10 different domains (<a href="mailto:peter@rapattoni.com">peter@rapattoni.com</a><mailto:<a href="mailto:peter@rapattoni.com">peter@rapattoni.com</a>>, <a href="mailto:peter@homepw.com">peter@homepw.com</a><mailto:<a href="mailto:peter@homepw.com">peter@homepw.com</a>>, ...) is "<a href="http://rapnt.com/pwilliams" target="_blank">rapnt.com/pwilliams</a>"?<br>
<br>
Some synonym service has to be attesting to the cross-realm OP-identifier-bridging - and it cannot be the OP itself. under my RP obligations, I have to be able to authenticate the synonym service, and determine its authoritive for some synonym mesh.<br>
<br>
In the delegation case, checking for LocalID intersections in the delegated-XRD and OP-XRD is not sufficient. One must discover the XRD for the OP identifier underlying the <a href="http://rapattoni.com" target="_blank">rapattoni.com</a> or <a href="http://homepw.org" target="_blank">homepw.org</a> domains that yahoo MAY provide as identity claims. I must ensure OP identifier underlying the claim's domain links back to OP identifier for the assertion domain - <a href="http://myopenid.com" target="_blank">myopenid.com</a> L authorizing the act of outsourcing (and the cross-domain assertion power).<br>
<br>
All we have done of course is obligate the RP to discover/create now a "chain" of XRDs, much like one has chains of authority certs in SSL! But then, what is an XRDS, but a chain of XRD elements? And, in the XRI resolution case, chain formation is done for you, where the particular chaining "route" is discovered in the delegation flow according to the user-controlled priorities and redirects/referalls - user-centric trust fabrics. If the user's vanity-XRD is being servered by an actual XRI server (in walled garden mode), that user gets a synonym-management service, of course. It _overlays_ the user-centric trust fabric of "who is authoritive", even when cooperating with OP identifiers that are perhaps formally registered in the public XRI space.<br>
<br>
________________________________<br>
From: <a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a> [<a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a>] On Behalf Of Allen Tom [<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>]<br>
Sent: Monday, June 22, 2009 10:48 PM<br>
To: John Bradley; <a href="mailto:general@openid.net">general@openid.net</a>; <a href="mailto:t_edwards@btinternet.com">t_edwards@btinternet.com</a>; Andrew Arnott<br>
Subject: Re: [OpenID] Delegation leading to new accounts on websites<br>
<br>
Hi John -<br>
<br>
Your description accurately describes how the Yahoo OP is implemented, and it is the RP's responsibility to keep track of the user's URL that was delegated to the OP.<br>
<br>
One possible possible issue is that Flickr itself delegates to Yahoo, so users are probably better off delegating to their default machine generated Yahoo OpenID (of the form <a href="https://me.yahoo.com/a/" target="_blank">https://me.yahoo.com/a/</a><random string>) than to to their Flickr Photos url.<br>
<br>
Tom - can you try delegating your personal URL to your default Yahoo OpenID? This will eliminate the extra round trip to Flickr, which is probably causing your problem. The easiest way to find out what your Yahoo OpenID is to go here:<br>
<br>
<a href="http://openid.yahoo.com/" target="_blank">http://openid.yahoo.com/</a><br>
Click Get Started<br>
Type in your password<br>
and take a look at the identifiers at the bottom of the screen.<br>
<br>
Unfortunately, this doesn't seem to work on GetSatisfaction. :/<br>
Allen<br>
<br>
<br>
<br>
John Bradley wrote:<br>
George,<br>
<br>
The combination of directed identity is still a real interop issue because it is not well explained in openID 2.0.<br>
<br>
When the claimed_id (less fragment) or the identity are different in the response from the request the RP must rediscover the openid.claimed_id.<br>
<br>
If delegation was done the openid.identity must match the LocalID in the XRD.<br>
<br>
If the RP doesn't do this step anyone with a Yahoo account can log into any openID that is delegated to Yahoo.<br>
<br>
Yahoo is following the spec as intended.<br>
<br>
There is an OSIS test for RPs to check if they are vulnerable to this.<br>
<br>
If the second discovery verifies then 1 can still be used safely as the users identifier.<br>
<br>
I had to sit Johnny Bufu down to explain it to me what they intended when they wrote 2.0.<br>
<br>
I couldn't extract the logic from the spec itself for the delegating to a directed identity flow.<br>
<br>
John B.<br>
<br>
On 22-Jun-09, at 11:45 AM, <a href="mailto:general-request@openid.net">general-request@openid.net</a><mailto:<a href="mailto:general-request@openid.net">general-request@openid.net</a>> wrote:<br>
<br>
Date: Mon, 22 Jun 2009 11:44:03 -0400<br>
From: George Fletcher <<a href="mailto:gffletch@aol.com">gffletch@aol.com</a><mailto:<a href="mailto:gffletch@aol.com">gffletch@aol.com</a>>><br>
Subject: Re: [OpenID] Delegation leading to new accounts on websites<br>
To: Andrew Arnott <<a href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a><mailto:<a href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>>><br>
Cc: "<a href="mailto:general@openid.net">general@openid.net</a><mailto:<a href="mailto:general@openid.net">general@openid.net</a>>" <<a href="mailto:general@openid.net">general@openid.net</a><mailto:<a href="mailto:general@openid.net">general@openid.net</a>>><br>
Message-ID: <<a href="mailto:4A3FA6C3.9060305@aol.com">4A3FA6C3.9060305@aol.com</a><mailto:<a href="mailto:4A3FA6C3.9060305@aol.com">4A3FA6C3.9060305@aol.com</a>>><br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>
<br>
Isn't one of the underlying issues the fact that there are really 3<br>
identifiers in this scenario?<br>
1. the identifier entered by the user (claimed_id or i-name)<br>
2. the discovered/resolved identifier ("local_id" or "i-number")<br>
3. the identifier returned by the OP<br>
<br>
In the case of OpenID 2.0 protocol flow, the RP has to remember #1 and<br>
send #2 as the openid.identity parameter. If the OP does NOT return<br>
openid.identity == #2, then the OP has chosen to do directed identity<br>
regardless of the request and the RP must throw out #1 and take #3 as<br>
the user's identifier.<br>
<br>
This causes some weird user experience issues, but this is what we ran<br>
into when implementing OpenID 2.0 Relying Party support.<br>
<br>
Thanks,<br>
George<br>
<br>
<br>
________________________________<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><mailto:<a href="mailto:general@openid.net">general@openid.net</a>><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br>
<br>
<br>
<br>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br></blockquote></div><br>