<html>
<body>
<font size=3><br>
<blockquote type=cite class=cite cite="">the legitimate user may well
accidentally sign in with the compromised identity </blockquote><br><br>
I might be missing something here. <br><br>
(I'm neither stating nor implying any opinion in this message.<br>
Just trying to understand.)<br><br>
We seem to be determined to <br>
-- allow entry of an identity URL without the scheme and<br>
-- distinguish an identity URL in http from <br>
an otherwise-the-same identity
URL in https<br>
-- set up a way for this to work transparently for the
user<br><br>
Thereby, we are (let's not deny it)<br>
encouraging folks to enter their identity URL without the
scheme,<br>
regardless of the scheme.<br><br>
So: <br>
Please correct me if I am wrong:<br><br>
Our legitimate user did not <br>
accidentally <br>
sign in with the compromised identity URL;<br><br>
she simply behaved as we have encouraged her to behave.<br><br>
Cordially, Joaquin<br><br>
--- complete paragraph from original message ---<br>
<blockquote type=cite class=cite cite="">Notice that the resulting URL is
different in the latter case. The attacker must compromise
somewhereelse.com in order to "steal" that identifier. It sucks
that example.com has been compromised, but that isn't the identifier that
all RPs know the legitimate user as anyway. The worst that can
happen as far as mistaken identity goes is if the compromise is
persistent, the legitimate user may well accidentally sign in with the
compromised identity expecting the redirect to happen, which isn't as bad
as a loss of the user's primary identifier.</blockquote></font></body>
</html>