The CanonicalID Approach
Drummond Reed
drummond.reed at cordance.net
Fri Jun 8 23:28:23 UTC 2007
>> http://openid.aol.com/daveman692 - reassignable
>> http://openid.aol.com/daveman692#1234 - persistent
>>
>> If an XRDS for the reassignable identifier asserts the persistent
>> identifier as a Canonical ID, a second round trip is not required
>> because the client can verify that http://openid.aol.com/ is
>> authoritative for both daveman692 and daveman692#1234.
>
>Johnny Bufu wrote:
>
>Because in the case of URLs delegation is decoupled from the
>identifiers, I don't think that verifying only the authority part
>will suffice.
>
>I could have the XRDS at:
>
> http://openid.aol.com/johnny692
>
>assert the canonical ID:
>
> http://openid.aol.com/daveman692#1234
>
>.. but have http://openid.aol.com/johnny692 delegate to my own OP
>running in my basement, which is configured to issue assertions with
>the above canonical id. Checking only the authority section would
>render such assertions valid.
>
>Unless I'm missing something, I believe we should mandate a stricter
>verification, on the full URL without the fragment. (Whoever controls
>the URL without the fragment, also controls the URL with any fragments.)
Good point. I agree.
=Drummond
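The two checks contrasted in the thread, written out as an added example (not code from the thread or from any OpenID library), using the constructed URLs from the discussion above; the weak authority-only comparison accepts the johnny692 XRDS asserting daveman692#1234, while the stricter full-URL-minus-fragment comparison rejects it:

```python
from urllib.parse import urlsplit, urlunsplit


def strip_fragment(url: str) -> str:
    """Return the URL with its fragment removed and the host lower-cased."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, ""))


def authority_only_check(reassignable_url: str, canonical_id: str) -> bool:
    """Weak check from the thread: only the scheme and authority must match.

    This is satisfied by any identifier on the same host, so an XRDS at
    http://openid.aol.com/johnny692 could assert daveman692#1234 and pass.
    """
    a, c = urlsplit(reassignable_url), urlsplit(canonical_id)
    return (a.scheme.lower(), a.netloc.lower()) == (c.scheme.lower(), c.netloc.lower())


def full_url_check(reassignable_url: str, canonical_id: str) -> bool:
    """Stricter check proposed in the thread: the Canonical ID with its
    fragment removed must be exactly the URL whose XRDS asserted it, since
    whoever controls that URL also controls it with any fragment."""
    return strip_fragment(canonical_id) == strip_fragment(reassignable_url)


if __name__ == "__main__":
    # Constructed sample values taken from the thread.
    legit = "http://openid.aol.com/daveman692"
    other = "http://openid.aol.com/johnny692"
    canonical = "http://openid.aol.com/daveman692#1234"
    print("authority-only, other user:", authority_only_check(other, canonical))  # True
    print("full URL, other user:     ", full_url_check(other, canonical))        # False
    print("full URL, legit user:     ", full_url_check(legit, canonical))        # True
```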