[security] Validating openid.identity in authentication responses
Dick Hardt
dick at sxip.com
Fri Nov 16 20:00:09 UTC 2007
The RP just needs to resolve the identifier. Our hope is that all the
RPs will upgrade to 2.0 when it is finalized, then the right thing
happens.
Agree that some interop would be a "good thing"
-- Dick
On 16-Nov-07, at 11:29 AM, Bradescu, Roxana wrote:
> Well, yes and no, I think. An RP has to know whether the OpenID
> entered in the login box contains an identifier or not in order to
> discover the correct OP, so it is really an RP issue.
>
> If a user just enters x.y.z.com how does the RP know whether x is the
> identifier and y.z.com the OP address or if x.y.z.com is just the OP
> address and the user will provide the identifier to the OP (as per the
> use case David brought up).
>
> Though you are right, if the OP controls y.z.com they can do the
> appropriate redirect to x.y.z.com regardless of how the RP interprets
> the OpenID provided. Unfortunately not all OPs support this, so as far
> as users go they will have an inconsistent experience.
>
> BTW, not all OPs support providing one identifier to the RP but then
> logging into the OP with a different identifier (the user "changes their
> mind" case Johnny brought up, which makes a lot of sense imo, especially
> if, say, the user just had a typo they were not even aware of).
>
> Maybe the next OpenID interop should really be about user
> experience...
>
> Roxana Bradescu | VeriSign Innovation
>
>
> -----Original Message-----
> From: Dick Hardt [mailto:dick at sxip.com]
> Sent: Friday, November 16, 2007 11:12 AM
> To: Bradescu, Roxana
> Cc: Johnny Bufu; security at openid.net; david at sixapart.com
> Subject: Re: [security] Validating openid.identity in
> authentication responses
>
> Note that it is primarily a limit of the OP, in which case the user does
> the same thing all the time, as they are using the same OP everywhere.
>
> -- Dick
>
> On 16-Nov-07, at 11:07 AM, Bradescu, Roxana wrote:
>
>> It's unfortunate that users have to know which version of the
>> protocol
>> sites are running to know what they can type into the login box.
>>
>> Roxana Bradescu | VeriSign Innovation
>>
>>
>> -----Original Message-----
>> From: Johnny Bufu [mailto:johnny at sxip.com]
>> Sent: Friday, November 16, 2007 10:07 AM
>> To: Bradescu, Roxana
>> Cc: david at sixapart.com; Trevor Johns; security at openid.net
>> Subject: Re: [security] Validating openid.identity in
>> authentication responses
>>
>>
>> On 16-Nov-07, at 9:39 AM, Bradescu, Roxana wrote:
>>> David, I've noticed the use case you describe doesn't actually work
>>> at many RPs. For example, if I go to livejournal.com and just put in
>>> my IDP pip.verisignlabs.com I get an error.
>>
>> Directed identity is a 2.0 feature, while livejournal seems to be
>> speaking only 1.x.
>>
>>
>> Johnny
>>
>>
>>
>
>
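Two points in the thread above lend themselves to a worked example: Roxana's question of how an RP tells whether "x.y.z.com" is a user's identifier or just an OP address (in OpenID 2.0 the RP does not parse the hostname; it resolves the identifier and looks at the XRDS service type, which is what "the RP just needs to resolve the identifier" means), and the subject line itself, validating openid.identity and openid.claimed_id in the positive assertion by re-running discovery on the returned Claimed Identifier so that only the OP it actually resolves to can assert it. The code below is an added illustration written for this page, not code from any participant or from an OpenID library. The hostnames are hypothetical, the XRDS documents are constructed inline, and the network fetch is replaced by an in-memory table so it runs offline; signature checking and the 1.x-only RP case from the thread are deliberately out of scope.

```python
"""Constructed OpenID 2.0 discovery and assertion-verification example.

Added example, not from the mailing-list thread. Hosts are hypothetical and
Yadis/XRDS fetching is replaced by an in-memory table (FAKE_WEB).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
NS_XRD = "xri://$xrd*($v*2.0)"
TYPE_SERVER = OPENID2_NS + "/server"   # OP Identifier element (directed identity)
TYPE_SIGNON = OPENID2_NS + "/signon"   # Claimed Identifier element
IDENTIFIER_SELECT = OPENID2_NS + "/identifier_select"


def _xrds(type_uri, endpoint, local_id=None):
    """Build a minimal constructed XRDS document with one Service element."""
    local = f"<LocalID>{local_id}</LocalID>" if local_id else ""
    return (f'<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="{NS_XRD}"><XRD>'
            f"<Service><Type>{type_uri}</Type><URI>{endpoint}</URI>{local}"
            "</Service></XRD></xrds:XRDS>")


# Constructed documents standing in for what discovery would fetch (hypothetical hosts).
FAKE_WEB = {
    "http://op.example.net/": _xrds(TYPE_SERVER, "https://op.example.net/server"),
    "http://alice.op.example.net/": _xrds(TYPE_SIGNON, "https://op.example.net/server", "alice"),
    "http://bob.example.org/": _xrds(TYPE_SIGNON, "https://other.example.com/server",
                                     "http://bob.example.org/"),
}


def normalize(user_input):
    """URL identifier normalization: add a scheme, lower-case the host,
    default an empty path to '/', and drop any fragment."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    p = urlsplit(s)
    return urlunsplit((p.scheme, p.netloc.lower(), p.path or "/", p.query, ""))


def discover(identifier, fetch=FAKE_WEB.get):
    """Resolve an identifier to {'kind', 'op_endpoint', 'local_id'} from its XRDS,
    or None when nothing is published there. The service Type, not the shape of
    the hostname, decides whether the user typed an OP or a claimed identifier."""
    doc = fetch(identifier)
    if doc is None:
        return None
    root = ET.fromstring(doc)
    for svc in root.iter(f"{{{NS_XRD}}}Service"):
        types = {t.text for t in svc.findall(f"{{{NS_XRD}}}Type")}
        uri = svc.findtext(f"{{{NS_XRD}}}URI")
        if TYPE_SERVER in types:
            return {"kind": "op", "op_endpoint": uri, "local_id": None}
        if TYPE_SIGNON in types:
            return {"kind": "claimed", "op_endpoint": uri,
                    "local_id": svc.findtext(f"{{{NS_XRD}}}LocalID")}
    return None


def checkid_args(user_input, fetch=FAKE_WEB.get):
    """Return (op_endpoint, request parameters) for what the user typed."""
    claimed = normalize(user_input)
    info = discover(claimed, fetch)
    if info is None:
        raise ValueError("no OpenID discovery information at " + claimed)
    if info["kind"] == "op":
        # Only an OP was entered: ask the OP to pick the identifier (directed identity).
        claimed_id = identity = IDENTIFIER_SELECT
    else:
        claimed_id = claimed
        identity = info["local_id"] or claimed   # OP-Local Identifier if published
    return info["op_endpoint"], {"openid.ns": OPENID2_NS, "openid.mode": "checkid_setup",
                                 "openid.claimed_id": claimed_id, "openid.identity": identity}


def verify_assertion(resp, request_claimed_id, fetch=FAKE_WEB.get):
    """Check the identifier fields of a positive assertion (signature check not shown):
    the returned claimed_id must re-discover to the op_endpoint that made the
    assertion, and openid.identity must match the OP-Local Identifier found there.
    A fragment on the returned claimed_id is ignored for this comparison."""
    if resp.get("openid.ns") != OPENID2_NS or resp.get("openid.mode") != "id_res":
        return False
    claimed = resp.get("openid.claimed_id", "")
    if claimed == IDENTIFIER_SELECT:          # OP must have chosen a real identifier
        return False
    norm = normalize(claimed)
    if request_claimed_id != IDENTIFIER_SELECT and norm != request_claimed_id:
        return False                          # OP swapped in an identifier we never asked about
    info = discover(norm, fetch)
    if info is None or info["kind"] != "claimed":
        return False
    if info["op_endpoint"] != resp.get("openid.op_endpoint"):
        return False                          # a different OP is asserting someone else's id
    return resp.get("openid.identity") == (info["local_id"] or norm)


if __name__ == "__main__":
    print(checkid_args("op.example.net"))         # directed identity
    print(checkid_args("alice.op.example.net"))   # claimed identifier with LocalID
```

Running the module shows the two request shapes. The verification function is the part that matters for the subject line: an assertion for http://alice.op.example.net/ carrying op_endpoint https://other.example.com/server is rejected because discovery on that identifier names https://op.example.net/server as its OP, and an assertion with an unexpected openid.identity is rejected even when the endpoint is right.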