<div dir="ltr"><div class="gmail_extra">Thanks Markus, </div><div class="gmail_extra"><br></div><div class="gmail_extra">I created tickets based on these comments. </div><div class="gmail_extra"><br></div><div class="gmail_extra">
This particular one is: <a href="https://bitbucket.org/openid/connect/issue/950/migration-te-4-xri-portion-needs-change-by">https://bitbucket.org/openid/connect/issue/950/migration-te-4-xri-portion-needs-change-by</a></div>
<div class="gmail_extra"><br></div><div class="gmail_extra">For the relying party, I think it would be relatively straightforward to strip xri:// from openid2_id if they stored the XRI as a pure CanonicalID, and it causes less confusion than trying to figure out the type of openid2_id by sniffing whether it starts with "=" or "!" or "@" etc. </div>
<div class="gmail_extra"><br></div><div class="gmail_extra">This comment thus seems to imply that we should add some text in section 7, e.g., adding: </div><div class="gmail_extra"><br></div><div class="gmail_extra">If the OpenID 2.0 Identifier starts with xri://<a href="http://xri.net/">xri.net/</a>, then the relying party MUST extract the Canonical XRI by stripping "xri://<a href="http://xri.net/">xri.net/</a>" from the beginning of the OpenID 2.0 Identifier. </div>
<div class="gmail_extra"><br></div><div class="gmail_extra">What do you think? </div><div class="gmail_extra"><br></div><div class="gmail_extra">Nat</div><div class="gmail_extra"><br><div class="gmail_quote">2014-08-23 21:36 GMT+09:00 Markus Sabadello <span dir="ltr"><<a href="mailto:markus.sabadello@gmail.com" target="_blank">markus.sabadello@gmail.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><p>In section 4:</p><p>"For XRI, OpenID 2.0 Identifier MUST be created as <a href="https://xri.net/" target="_blank">https://xri.net/</a> concatenated with the user’s verified XRI without the xri:// scheme. "<br>
</p><p>The problem with this I think is that in OpenID 2.0, for an XRI the Claimed Identifier is the pure CanonicalID (I-Number), without https:// or xri:// scheme. For example, an RP might have <b>=!91F2.8153.F600.AE24</b> as the Claimed Identifier (openid2_id) for a user in its database.<br>
</p>So I think in section 4, we should either not say anything specific at all about XRI, or say something like this:<br><br>"For XRI, OpenID 2.0 Identifier MUST be the content of the <CanonicalID> element, as specified in [OpenID.2.0]"<br>
<br></div><div>Then an example ID Token would be:<br><pre>{
"iss": "?? not sure",
"sub": "?? not sure",
"aud": "s6BhdRkqt3",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
"openid2_id": "<b>=!91F2.8153.F600.AE24</b>"
}</pre>But then I can see that obtaining an "iss" as described in sections 2 and 6 won't work.</div></blockquote></div><br><br><br clear="all"><div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br>
<a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
</div></div>
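The relying-party side of the mapping discussed above (strip the xri.net proxy prefix to recover the CanonicalID, then match it against the Claimed Identifier the OpenID 2.0 RP already stored) as an added, self-contained example. This is not code from the thread or from the OpenID Connect migration specification: the set of stripped prefixes, the small legacy user table, and the helper names are constructed here for illustration, and the ID Token is assumed to have already been signature- and issuer-validated before its claims reach this code.

```python
"""Relying-party normalisation of the openid2_id claim during
OpenID 2.0 -> OpenID Connect migration.

Added example, not part of the thread. The prefix set, the sample user
table and all function names are assumptions made for illustration.
"""
from typing import Dict, Optional

# Forms under which a canonical XRI may be carried in openid2_id (assumed).
# "https://xri.net/" is the form the draft's section 4 text describes;
# "xri://xri.net/" is the form the proposed section 7 text strips.
XRI_PROXY_PREFIXES = ("https://xri.net/", "xri://xri.net/")

# Global context symbols a bare canonical XRI can start with, e.g. "=!91F2...".
# Checking these is the "sniffing" approach the thread argues is more confusing.
XRI_GCS = ("=", "@", "!")

# Constructed legacy table keyed by the OpenID 2.0 Claimed Identifier exactly
# as an OpenID 2.0 RP would have stored it: bare CanonicalID for XRI users,
# full URL for URL-identifier users.
LEGACY_USERS: Dict[str, str] = {
    "=!91F2.8153.F600.AE24": "user-xri-1",
    "https://example.com/alice": "user-url-1",
}


def canonical_xri(openid2_id: str) -> Optional[str]:
    """Return the canonical XRI if openid2_id carries one under a known
    proxy prefix, else None. Strips exactly one prefix, once, so both
    proxied forms collapse to the stored CanonicalID."""
    for prefix in XRI_PROXY_PREFIXES:
        if openid2_id.startswith(prefix):
            rest = openid2_id[len(prefix):]
            return rest or None  # a bare prefix carries no identifier
    return None


def looks_like_bare_xri(openid2_id: str) -> bool:
    """Heuristic alternative: treat a value starting with a GCS as a bare XRI."""
    return openid2_id[:1] in XRI_GCS


def classify(openid2_id: str) -> str:
    """'xri' for a proxied or bare canonical XRI, otherwise 'url'."""
    if canonical_xri(openid2_id) is not None or looks_like_bare_xri(openid2_id):
        return "xri"
    return "url"


def normalize_openid2_id(openid2_id: str) -> str:
    """Lookup key for the legacy account: the CanonicalID when the value is a
    proxied XRI, otherwise the value unchanged (bare XRI or URL identifier)."""
    xri = canonical_xri(openid2_id)
    return xri if xri is not None else openid2_id


def find_legacy_account(id_token_claims: dict) -> Optional[str]:
    """Map a validated ID Token's openid2_id claim to a legacy account id.

    Exact match after normalisation only: no prefix or substring matching,
    so "=!91F2.8153.F600.AE24.1" cannot be mistaken for "=!91F2.8153.F600.AE24".
    """
    openid2_id = id_token_claims.get("openid2_id")
    if not isinstance(openid2_id, str) or not openid2_id:
        return None
    return LEGACY_USERS.get(normalize_openid2_id(openid2_id))


if __name__ == "__main__":
    # Constructed claims set modelled on the thread's example ID Token.
    claims = {"aud": "s6BhdRkqt3", "openid2_id": "https://xri.net/=!91F2.8153.F600.AE24"}
    print(classify(claims["openid2_id"]), find_legacy_account(claims))
```

The lookup is a dictionary get after normalisation rather than any prefix comparison, so a proxied XRI, the bare CanonicalID and a URL identifier each resolve to exactly one stored Claimed Identifier or to nothing.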