Shade, why make the user add #secure to their URI, Shade? Why not just have them prefix their identifier with "https://" like every other RP? People are already pretty used to checking for https:// to make them feel secure in my experience, even if they don't know what it actually means, but that's ok.<div>
<br></div><div>Santosh, RPs are supposed to accept #3 as the user's identifier. While internally they normalize that to include an http:// prefix during authentication, they can remove it again before displaying it as their login name to the user.<br clear="all">
--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Sun, Apr 26, 2009 at 1:30 AM, SitG Admin <span dir="ltr">&lt;<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
3) <a href="http://santosh.rajan.myopenid.com" target="_blank">santosh.rajan.myopenid.com</a><br>
4) <a href="http://santosh.rajan.myopenid.com" target="_blank">http://santosh.rajan.myopenid.com</a><br>
5) <a href="http://myopenid.com/santoshrajan" target="_blank">http://myopenid.com/santoshrajan</a><br>
<br>
Now (1) and (2) are not practical so we will eliminate that. (3) is the best<br>
option as I see it. I know you will say that there is no difference between<br>
(3) and (4). But if you are an average user it makes a huge difference.<br>
</blockquote>
<br></div>
While it is true that 3 will default to 4 (and it would be nice if users had a way to specify 6, i.e. httpS), this is primarily for discovery and internal distinction - since users cannot be known as 3 (because it is not a legal URI), there is no risk of confusing an entry for 4 with an entry for 3, and RPs can trivially omit the 'http://' before users' IDs, so that, to the average user, they DO show up as 3; they need never know they are being treated any differently. (This is most apparent in the case of XRI, where the user's unique Identity might be '=!F83.62B1.44F.2813' even when '=drummond' is what appears to users.)<br>
<br>
When you see actions attributed to OpenID users at some RP's site, there might be a little "Secure" logo/label to show off that the user took THAT action when authenticated over SSL.<br>
<br>
One of the #options I had planned was to use HTTPS instead of HTTP where the user added '#secure' to their URI; this wouldn't help with attackers hijacking DNS, but it would help the user to not accidentally go to the wrong server. (I said 'help', not 'ensure'; users would still be responsible for listening to their browser's warnings about bad certificates, and probably still ignore them.)<div class="im">
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
So the puzzle is why wasn't (3) chosen as the Openid instead of (4) and (5)<br>
</blockquote>
<br></div>
Because browsers need to know where they're looking for the resource; HTTP is merely one protocol, others can be launched through the browser (FTP and TELNET come to mind).<div><div></div><div class="h5"><br>
<br>
-Shade<br>
</div></div></blockquote></div><br></div>
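<div>The normalization and display behaviour discussed in this thread, as an added example that is not part of the original messages or of any OpenID library: it follows the OpenID 2.0 rules for user-supplied identifiers (XRI detection, default "http://" prefix, fragment removal) without the discovery and redirect steps. The function names and the choice to keep "https://" visible in the display form are assumptions of this sketch.</div>

```python
from urllib.parse import urlsplit, urlunsplit

# First characters that mark an XRI rather than a URL (OpenID 2.0 normalization).
XRI_PREFIXES = ("=", "@", "+", "$", "!", "(")


def normalize_identifier(user_input):
    """Return (kind, identifier) for what the user typed at the RP.

    Hypothetical helper: covers only the textual normalization step,
    not discovery or following redirects to the final claimed identifier.
    """
    ident = user_input.strip()
    if ident.lower().startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident.startswith(XRI_PREFIXES):
        return ("xri", ident)
    # No http/https scheme typed: the RP assumes plain http.
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident
    parts = urlsplit(ident)
    # The fragment is dropped, so a suffix such as "#secure" does not survive
    # normalization. Lower-casing the whole netloc is a simplification.
    return ("url", urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                               parts.path or "/", parts.query, "")))


def display_name(identifier):
    """Short form shown to the user; the stored identifier is never changed.

    Assumption of this sketch: only "http://" is hidden. "https://" stays
    visible so that the http and https forms of one host, which are
    different identifiers, never render as the same login name.
    """
    parts = urlsplit(identifier)
    if parts.scheme not in ("http", "https"):
        return identifier  # XRI or anything else: show as stored
    shown = identifier[len("http://"):] if parts.scheme == "http" else identifier
    if parts.path == "/" and not parts.query:
        shown = shown[:-1]  # hide the bare trailing slash
    return shown


if __name__ == "__main__":
    # Constructed inputs based on the identifiers quoted in the thread.
    for typed in ("santosh.rajan.myopenid.com",
                  "http://santosh.rajan.myopenid.com",
                  "https://santosh.rajan.myopenid.com",
                  "santosh.rajan.myopenid.com#secure",
                  "=drummond"):
        kind, ident = normalize_identifier(typed)
        print(f"{typed!r:45} -> {kind:3} {ident!r:45} shown as {display_name(ident)!r}")
```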