<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; "><BR><DIV><DIV>On Jan 4, 2008, at 6:29 PM, Trevor Johns wrote:</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite"><P style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"><BR></P> <BLOCKQUOTE type="cite"><P style="margin: 0.0px 0.0px 0.0px 10.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">You can always go out and use DNSSEC.</FONT></P> </BLOCKQUOTE><P style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"><BR></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">That would certainly be a solution. However, isn't DNSSEC not yet widely deployed?</FONT></P></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV>bingo, the world hasn't seen the need for it</DIV><DIV><BR><BLOCKQUOTE type="cite"> <P style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"><BR></P> <BLOCKQUOTE type="cite"><P style="margin: 0.0px 0.0px 0.0px 10.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">Isn't this just a lookup of email address -> openid/url that is then handled as a normal openid login?</FONT></P> </BLOCKQUOTE><P style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"><BR></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">I'm not sure I understand your question. But yes, based on my understanding that's basically correct.</FONT></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"><BR></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">What I was discussing was whether the email address -> URL phase is treated as delegation (in which case the email address is used as the user's claimed identifier) or as a redirect (in which case, the URL will be used as the user's claimed identifier).</FONT></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"><BR></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">The first case (email address is the claimed identifier) is definitely preferable. However, like traditional OpenID delegation, care must be taken to make sure that a malicious user isn't able to modify the delegation pointer.</FONT></P> </BLOCKQUOTE></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>The identifier should be the URL that you get by looking up the email address through DNS. Then it is just a convient shortcut and requires very little extension to existing libraries.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Artur</DIV><DIV><BR class="khtml-block-placeholder"></DIV><BR></BODY></HTML>