The CanonicalID Approach
Josh Hoyt
josh at janrain.com
Fri Jun 8 21:12:13 UTC 2007
On 6/8/07, Martin Atkins <mart at degeneration.co.uk> wrote:
> I figure that you could potentially use the same mechanism as delegation
> to avoid the extra discovery iteration.
>
> The problem, as with delegation, is that you need to duplicate the
> endpoint URL in the source identifier's XRDS document. The canonical
> identifier must also support OpenID, which I believe is something they
> were trying to avoid.
I'm assuming that by saying it's "like delegation", you mean that the
canonical identifier is discovered from the entered identifier, and
sent to the server, but discovery is never done.
Let's say that you use "http://mart-atkins.com/" as your identifier,
with a canonical id of "http://inconvenient.example.com/0000001"
I can set up a URL "http://impersonation.example.com/mart" that points
to an OpenID provider that I control, and give it the same canonical
ID, "http://inconvenient.example.com/0000001".
Unless we make sure that the canonical ID is intended to be used with
this OpenID server, I can sign in to your account anywhere, since the
canonical ID is used as the database key.
Were you thinking of a different mechanism?
Josh
More information about the specs
mailing list