<html>
<body>
<br>
<blockquote type=cite class=cite cite=""><font size=3>the legitimate user
may well accidentally sign in with the compromised identity
</font></blockquote><br><br>
I might be missing something here. <br><br>
(I'm neither stating nor implying any opinion in this message.<br>
Just trying to understand.)<br><br>
We seem to be determined to <br>
-- allow entry of an identity URL without the scheme and<br>
-- distinguish an identity URL in http from <br>
an otherwise-the-same identity
URL in https<br>
-- set up a way for this to work transparently for the
user<br><br>
Thereby, we are (let's not deny it)<br>
encouraging folks to enter their identity URL without the
scheme,<br>
regardless of the scheme.<br><br>
So: <br>
Please correct me if i am wrong:<br><br>
Our legitimate user did not <br>
accidentally <br>
sign in with the compromised identity URL;<br><br>
she simply behaved as we have encouraged her to behave.<br><br>
Cordially, Joaquin<br><br>
--- complete paragraph from original message ---<br>
<blockquote type=cite class=cite cite=""><font size=3>Notice that the
resulting URL is different in the latter case. The attacker must
compromise somewhereelse.com in order to "steal" that
identifier. It sucks that example.com has been compromised, but that
isn't the identifier that all RPs know the legitimate user as
anyway. The worst that can happen as far as mistaken identity goes
is if the compromise is persistent, the legitimate user may well
accidentally sign in with the compromised identity expecting the redirect
to happen, which isn't as bad as a loss of the user's primary
identifier.</font></blockquote></body>
</html>