HTML-Based Discovery with OP Identifiers
Johnny Bufu
johnny at sxip.com
Fri Dec 29 00:53:19 UTC 2006
On 28-Dec-06, at 3:47 PM, David Recordon wrote:
> Sitting here in Seattle with Drummond and looking through the spec.
> Section 7.3.3 says:
> HTML-based discovery MUST be supported by Relying Parties. HTML-based
> discovery is only usable for discovery of Claimed Identifiers.
> OP Identifiers must be XRIs or URLs that support XRDS discovery.
>
> That is a bit confusing to parse so we were looking at re-wording it.
> Issue is "Claimed Identifier" is defined as possibly being a
> "User-Supplied Identifier" which in turn can be an "OP Identifier" thus
> making this paragraph fall apart.
To clarify it, how about we remove the Claimed Identifier term from
the paragraph above, and only specify that HTML discovery cannot use
OP Identifiers.
> This then brought up the question of why can't
> HTML-Based Discovery be used for OP Identifiers?
Because the verification of the discovered information would be
incomplete.

In the case of a URL Identifier, the claimed id is the final URL.
Now, if the discovered information obtained from that final URL only
contains a pointer to the OP, basically anyone with an account at
that OP would be able to claim s/he owns the URL -- when verifying
the discovered information, there would be no delegate / local-id
to be checked and matched.

If we want to allow OP identifiers to be used with HTML discovery, we
need to re-examine what the claimed id is when using URLs, which
would be a major change in the spec. So, unless there's an easy
solution which I'm overlooking, I'd say let's keep it as it is.
Johnny
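
The verification gap described in the message above, as an added example that is not part of the original mail or of the spec text: a Relying Party parses the HTML discovery links and matches a positive assertion against them. The `openid2.provider` and `openid2.local_id` link names are those of OpenID Authentication 2.0; `verify`, the `op_pointer_only` switch and all sample hosts and accounts are hypothetical.

```python
from html.parser import HTMLParser

class LinkRels(HTMLParser):
    """Collect the <link rel="..."> hrefs that HTML-based discovery reads."""
    def __init__(self):
        super().__init__()
        self.rels = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            for rel in (a.get("rel") or "").lower().split():
                self.rels.setdefault(rel, a.get("href"))

def discover(html):
    p = LinkRels()
    p.feed(html)
    return p.rels.get("openid2.provider"), p.rels.get("openid2.local_id")

def verify(claimed_url, html, assertion, op_pointer_only=False):
    """Match a positive assertion against what the claimed URL publishes.
    op_pointer_only=True is the hypothetical from the mail: the page is
    accepted as a bare pointer to the OP, so no local id can be compared."""
    op_endpoint, local_id = discover(html)
    if op_endpoint is None or assertion["op_endpoint"] != op_endpoint:
        return False
    if assertion["claimed_id"] != claimed_url:
        return False
    if op_pointer_only:
        return True  # nothing binds the asserted account to this URL
    # With no delegate / local id published, the URL itself is the local id.
    return assertion["identity"] == (local_id or claimed_url)

# Constructed sample data (all hosts and accounts are made up).
CLAIMED = "https://alice.example/"
OP = "https://op.example/server"
PAGE = ('<html><head><link rel="openid2.provider" href="%s">'
        '<link rel="openid2.local_id" href="https://op.example/alice">'
        '</head></html>' % OP)
OP_ONLY_PAGE = '<html><head><link rel="openid2.provider" href="%s"></head></html>' % OP
ALICE = {"claimed_id": CLAIMED, "identity": "https://op.example/alice", "op_endpoint": OP}
MALLORY = {"claimed_id": CLAIMED, "identity": "https://op.example/mallory", "op_endpoint": OP}

if __name__ == "__main__":
    print("delegate published, owner:       ", verify(CLAIMED, PAGE, ALICE))
    print("delegate published, other user:  ", verify(CLAIMED, PAGE, MALLORY))
    print("OP pointer only, other user:     ", verify(CLAIMED, OP_ONLY_PAGE, MALLORY, True))
    print("same page, local id still checked:", verify(CLAIMED, OP_ONLY_PAGE, MALLORY))
```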