<html><head><base href="x-msg://1581/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Host-meta doesn't provide the OP.<div><br></div><div>It provides a mapping from some identifier to an XRD for that identifier.</div><div><br></div><div>It is the target XRD for the user that specifies the OP.</div><div><br></div><div>Link-headers can also provide the location of the XRD if you are using HTTP or another protocol that supports them.</div><div><br></div><div>Host-meta is an additional way to map identifiers to XRD for things like email, or in cases where the site can't or just doesn't want to use link-headers. </div><div><br></div><div>Link-header is the replacement for the X-XRDS-Location custom header we were using in Yadis.</div><div><br></div><div>John B.<br><div><div>On 2009-10-26, at 8:28 PM, Manger, James H wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div lang="EN-AU" link="blue" vlink="purple"><div class="Section1"><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Dirk,<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: 
Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">I don’t think your IBM example is a very convincing argument for host-meta to take precedence over an actual OpenID URI. Listing an OP in host-meta may be a bit easier for an IBM IT admin than preventing links to OPs from other URIs — but the latter is quite feasible (rules in the page editing tool; filter in web server; validator on page changes; background script to look in the file system for this specific situation…). Even a non-technical corporate policy saying staff must not specify another OP goes some way to meeting the objective.<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">It is probably more convenient for host-meta to be able to provide a default OP, which can be overwritten for some special URIs. 
Most OpenID URIs on a host don’t specify an OP so they fall back to host-meta, but a few can use a different OP (for non-humans, for contractors, for testing, for migrating to a new OP implementation, for staff with a different hardware login token…).<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span lang="FR" style="font-family: Arial, sans-serif; color: rgb(31, 73, 125); ">James Manger</span></b><span style="color: rgb(31, 73, 125); "><span class="Apple-converted-space"> </span><br><a href="mailto:James.H.Manger@team.telstra.com" style="color: blue; text-decoration: underline; "><span lang="FR" style="font-size: 10pt; font-family: Arial, sans-serif; ">James.H.Manger@team.telstra.com</span></a><span class="Apple-converted-space"> </span><br></span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(31, 73, 125); ">Identity and security team</span><span style="color: rgb(31, 73, 125); "><span class="Apple-converted-space"> </span></span><span style="font-size: 10pt; font-family: Tahoma, sans-serif; color: rgb(31, 73, 125); ">—</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(31, 73, 125); "><span class="Apple-converted-space"> </span>Chief Technology Office</span><span style="color: rgb(31, 73, 125); "><span class="Apple-converted-space"> </span></span><span 
style="font-size: 10pt; font-family: Tahoma, sans-serif; color: rgb(31, 73, 125); ">—</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(31, 73, 125); "><span class="Apple-converted-space"> </span>Telstra</span><span style="color: rgb(31, 73, 125); "><o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="border-right-style: none; border-bottom-style: none; border-left-style: none; border-width: initial; border-color: initial; border-top-style: solid; border-top-color: rgb(181, 196, 223); border-top-width: 1pt; padding-top: 3pt; padding-right: 0cm; padding-bottom: 0cm; padding-left: 0cm; "><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span lang="EN-US" style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span lang="EN-US" style="font-size: 10pt; font-family: Tahoma, sans-serif; "><span class="Apple-converted-space"> </span><a href="mailto:openid-general-bounces@lists.openid.net" style="color: blue; text-decoration: underline; ">openid-general-bounces@lists.openid.net</a><span class="Apple-converted-space"> </span>[mailto:openid-general-bounces@lists.openid.net]<span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Dirk Balfanz<br><b>Sent:</b><span class="Apple-converted-space"> </span>Tuesday, 27 October 2009 7:51 AM<br><b>To:</b><span class="Apple-converted-space"> </span>Peter Williams<br><b>Cc:</b><span class="Apple-converted-space"> </span><a href="mailto:general@openid.net" style="color: blue; text-decoration: underline; ">general@openid.net</a><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: 
[OpenID] user centric delegation vs portability: LRDD : competing threats: the consumer's fear hypothesis<o:p></o:p></span></div></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="color: rgb(31, 73, 125); ">…</span>If you have your own domain, you can pick (and change) your identity provider. But if you're one of 300,000 IBM employees, there are certain things you can't pick about your work account - you can't pick your email provider, you can't pick your calendaring software, and you can't presumably pick your identity provider - professionals at IBM who get paid to worry about this stuff will pick one for you that they are reasonably sure will not, say, put into jeopardy the 401k accounts of the combined IBM workforce (because, hypothetically speaking, IBM uses OpenID to log their employees into<span class="Apple-converted-space"> </span><a href="http://fidelity.com" style="color: blue; text-decoration: underline; ">fidelity.com</a>). 
<o:p></o:p></div></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; ">We need a single sign-on solution for the Web that works both for Blogger/Facebook/consumer use case as well as the IBM use case.<o:p></o:p></div></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><br>Dirk.<o:p></o:p></div></div></div>_______________________________________________<br>general mailing list<br><a href="mailto:general@lists.openid.net" style="color: blue; text-decoration: underline; ">general@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-general" style="color: blue; text-decoration: underline; ">http://lists.openid.net/mailman/listinfo/openid-general</a><br></div></span></blockquote></div><br></div></body></html>