On Mon, Mar 22, 2010 at 7:59 PM, Paul E. Jones <span dir="ltr"><<a href="mailto:paulej@packetizer.com">paulej@packetizer.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">John,</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">Why introduce acct: in OpenID? What benefit does that
provide us?</span></p></div></div></blockquote><div><br></div><div>I'm not yet advocating for it, just saying that it's an open question. But I think there is a benefit; see below:</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div lang="EN-US" link="blue" vlink="purple"><div>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">My thinking was that the RP would essentially do this:</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">1) Prompt the user for his identity</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">2) If it is an http(s) URL, go to step 6</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">3) If it is an e-mail ID looking thing, try to retrieve the XRD
document for acct:user@hostname</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">4) Finding a link relation that indicates it is an OpenID ID, go
to 6 (Note, if there is more than one, the RP might want to prompt to ask the
user to select)</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">5) Apparently, nothing worked: report an error to the user</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">6) With the OpenID in hand, go through the normal procedures to
authenticate the user as per the OpenID 2.0 spec</span></p></div></div></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div lang="EN-US" link="blue" vlink="purple"><div>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p></div></div></blockquote><div>Note that this means the user would not be logged in as <a href="mailto:bob@gmail.com">bob@gmail.com</a>, but instead as <a href="https://www.google.com/profiles/3234234234234234">https://www.google.com/profiles/3234234234234234</a>. (Since step 6 doesn't know anything about steps 1-5.) I think this has obvious usability issues.</div>
<div><br></div><div>Note that the OP cannot return acct:bob@gmail.com as the claimed_id because the claimed_id has to be an OpenID, and under this proposal acct:bob@gmail.com isn't an OpenID. So the RP _might_ be able to retain both the entered (pre-normalized) identifier and the final claimed_id, and display the former to the user and the user's friends, but it seems complicated and unwieldy.</div>
<div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div lang="EN-US" link="blue" vlink="purple"><div>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">This keeps OpenID and Webfinger distinct with really no dependency
on each other, except that one would need to advertise his/her OpenID ID via
their webfinger account.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">Paul</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> John Panzer
[mailto:<a href="mailto:jpanzer@google.com" target="_blank">jpanzer@google.com</a>] <br>
<b>Sent:</b> Monday, March 22, 2010 10:12 PM<br>
<b>To:</b> Chris Messina<br>
<b>Cc:</b> Paul E. Jones; Dirk Balfanz; <a href="mailto:webfinger@googlegroups.com" target="_blank">webfinger@googlegroups.com</a>;
<a href="mailto:openid-specs@lists.openid.net" target="_blank">openid-specs@lists.openid.net</a></span></p><div><div></div><div class="h5"><br>
<b>Subject:</b> Re: WebFinger at Google</div></div><p></p>
</div>
</div><div><div></div><div class="h5">
<p class="MsoNormal"> </p>
<p class="MsoNormal">On Mon, Mar 22, 2010 at 5:56 PM, Chris Messina <<a href="mailto:chris.messina@gmail.com" target="_blank">chris.messina@gmail.com</a>> wrote:</p>
<div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">On Mon, Mar 22, 2010 at 5:01 PM, Paul E. Jones <<a href="mailto:paulej@packetizer.com" target="_blank">paulej@packetizer.com</a>>
wrote:</p>
</div>
<div>
<div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.5pt;color:#1F497D">I would vote for the proposed rel
value. One could use “me”, but the whole webfinger acct: XRD
document is about “me”. So, I think we need something
specific for OpenID.</span></p>
</div>
</div>
</blockquote>
</div>
<div>
<p class="MsoNormal">I can go either way here, like I said. Inventing "<a href="http://openid.net/identity" target="_blank">http://openid.net/identity</a>"
seems arbitrary, and not tied to existing practice. That's my biggest concern
about it; but it's just a URI which has no semantic meaning... so it's not a
deal breaker for me. I just think it'll be harder to get people to take it
seriously if it doesn't look like anything else.</p>
</div>
<div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">You and Chris Messina both raised
concerns about the e-mail style: should RPs remember the email ID or the OpenID
value? </span></p>
</div>
</div>
</blockquote>
</div>
<div>
<p class="MsoNormal">RPs can of course remember what the user first entered into
the box, but unless the OP returns the same identifier as an email address of
the user, it shouldn't be trusted. </p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I think that would be OK, as long as RPs that start with an
acct: URI will also accept an acct: URI returned from the OP (probably the same
one).</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">It does raise the question of whether, if the user starts
with an HTTP: URI, RPs can be expected to support a claimed ID with scheme
acct:. Side issue.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">After all, that's the whole thrust of the relationship
that's being created: the *relying party* relies on the *identity provider* for
some user — it doesn't matter what gets entered into the RP's site (they
could just as easily offer a NASCAR array of buttons) — what SHOULD
matter to the RP is what the OP returns after the user has presumably
authenticated.</p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Historically, the problem is that the simple OpenID 1.0
lightweight delegation model (put a link on your webpage) got effectively
broken in 2.0 because 2.0 OPs started reporting the IDs that they knew about
rather than the one the user was actually claiming. The spec did not help
with this.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">Can we get all OpenID RPs to accept an
email form?</span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
<div>
<p class="MsoNormal">Yes. However, we need to specify exactly how this should
work and then go about building support into the OpenID libraries. As it is,
you can use an email-style identifier in OpenID flows (http://chris@yahoo.com
is a valid URL) — but it doesn't work reliably or consistently.</p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">It's going to be horribly inconsistent as many OPs don't
even see the "chris" part of that identifier or pay any attention if
they do (today). Changing to (implicit) acct: solves this.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<div>
<p class="MsoNormal"> <span style="font-size:11.5pt;color:#1F497D"> </span></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.5pt;color:#1F497D">What concerns me, though, is maintaining
one value vs. the other. We <i>should expect</i> the RPs to remember only
the OpenID identifier, since that is the identifier used by OpenID. The
email form is merely used to map to the OpenID identifier. What happens
when a user changes his OP? If the email form is maintained, then the
user could still be able to log in. However, if only the OpenID ID is
stored, the user would need to update that somehow. But, this is not
really a webfinger issue, but a “managing OpenID identities”
problem. Still, if users get used to entering email IDs, then it might
become an issue for Webfinger.</span></p>
</div>
</div>
</blockquote>
</div>
<div>
<p class="MsoNormal">Changing OPs is essentially out of scope. It's no different
than if a user changes her email address today.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Sites should build in appropriate account recovery
mechanisms as needed, which may include linking more than one OpenID or email
address to a given account.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">We can't force people to manage their online accounts more
sensibly, or build in that level of policy into the protocol (for example,
someone's account might be shut down for abuse — but we can't specify
what abuse is, or what to do about it).</p>
</div>
<div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">Do we allow more than one OpenID for a
user acct:? I prefer to have a 1:1 mapping, otherwise it only delays
logging in. It would force OPs to ask which of several identities a user
would like to use. Perhaps there are arguments for allowing more than one?
Would we use a <properties> element to indicate a priority or indicate
which ID is active or inactive?</span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
<div>
<p class="MsoNormal">RPs should allow users to associate multiple identifiers to
their account, especially to aid in account recovery; this practice is up to
the RPs to implement, however.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">And, to illustrate this problem more acutely, here is what
my WebFinger address returns:</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"><a href="http://webfinger.org/lookup/chris.messina@gmail.com" target="_blank">http://webfinger.org/lookup/chris.messina@gmail.com</a></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I can't imagine an RP asking me which of these accounts I
want to use for signing in...</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"><span style="color:#888888">Chris</span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">Paul</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> John
Panzer [mailto:<a href="mailto:jpanzer@google.com" target="_blank">jpanzer@google.com</a>]
<br>
<b>Sent:</b> Monday, March 22, 2010 4:58 PM<br>
<b>To:</b> Dirk Balfanz<br>
<b>Cc:</b> Paul E. Jones; <a href="mailto:openid-specs@lists.openid.net" target="_blank">openid-specs@lists.openid.net</a>; <a href="mailto:webfinger@googlegroups.com" target="_blank">webfinger@googlegroups.com</a></span></p>
<div>
<p class="MsoNormal"><br>
<b>Subject:</b> Re: WebFinger at Google</p>
</div>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">So
the distinction appears to be in the (conceptual) relations between:</p>
<div>
<div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">TODAY:</p>
</div>
<div>
<p class="MsoNormal">acct:bob@gmail.com maps
with rel=<a href="http://specs.openid.net/auth/2.0/provider" target="_blank">http://specs.openid.net/auth/2.0/provider</a>
to <a href="http://www.google.com/profiles/3922823829347234234" target="_blank">http://www.google.com/profiles/3922823829347234234</a></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">=="My
OpenID provider is this OpenID over there" -- this does read weirdly.</p>
</div>
<div>
<p class="MsoNormal"><br>
PROPOSED:</p>
</div>
<div>
<p class="MsoNormal">acct:bob@gmail.com maps
with rel=<a href="http://openid.net/identity" target="_blank">http://openid.net/identity</a>
to <a href="http://www.google.com/profiles/3922823829347234234" target="_blank">http://www.google.com/profiles/3922823829347234234</a></p>
</div>
<div>
<p class="MsoNormal"><br>
=="My OpenID identity is this OpenID over there" -- reads okay, but
wouldn't rel="me" be the same?</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">REJECTED:</p>
</div>
<div>
<div>
<p class="MsoNormal">acct:bob@gmail.com maps
with rel=<a href="http://specs.openid.auth/2.0/server" target="_blank">http://specs.openid.auth/2.0/server</a> </p>
</div>
<div>
<p class="MsoNormal">to <a href="http://www.google.com/profiles/3922823829347234234" target="_blank">http://www.google.com/profiles/3922823829347234234</a></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">=="My
OpenID provider server is this URL over there" -- would make sense if you
say that an acct: URI _is_ an OpenID.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Seems
to me that the last one would make sense iff an acct: URI could be considered
an OpenID in and of itself, and not otherwise. And the middle one could
make sense in that scenario, but would be a bit indirect and unnecessary.
</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Thus,
my questions :)</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I'm
purposely using the ugly default Google profile URLs to make a point, of
course.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">On
Mon, Mar 22, 2010 at 9:01 AM, Dirk Balfanz <<a href="mailto:balfanz@google.com" target="_blank">balfanz@google.com</a>>
wrote:</p>
<p class="MsoNormal" style="margin-bottom:12.0pt"> </p>
<div>
<div>
<div>
<p class="MsoNormal">On
Fri, Mar 19, 2010 at 10:17 AM, Paul E. Jones <<a href="mailto:paulej@packetizer.com" target="_blank">paulej@packetizer.com</a>>
wrote:</p>
<div>
<div>
<p class="MsoNormal">Folks,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Google
appears to have Webfinger enabled on some accounts, at least. You can see
it with this:</p>
<p class="MsoNormal">curl
<a href="http://gmail.com/.well-known/host-meta" target="_blank">http://gmail.com/.well-known/host-meta</a></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">That
returns this:</p>
<p class="MsoNormal"> </p>
<pre style="font-size:8.0pt;font-family:'Courier New'">&lt;?xml version='1.0' encoding='UTF-8'?&gt;
&lt;!-- NOTE: this host-meta end-point is a pre-alpha work in progress. Don't rely on it. --&gt;
&lt;!-- Please follow the list at http://groups.google.com/group/webfinger --&gt;
&lt;XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'
     xmlns:hm='http://host-meta.net/xrd/1.0'&gt;
  &lt;hm:Host xmlns='http://host-meta.net/xrd/1.0'&gt;gmail.com&lt;/hm:Host&gt;
  &lt;Link rel='lrdd'
        template='http://www.google.com/s2/webfinger/?q={uri}'&gt;
    &lt;Title&gt;Resource Descriptor&lt;/Title&gt;
  &lt;/Link&gt;
&lt;/XRD&gt;</pre>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Now,
querying the LRDD URL like this:</p>
<p class="MsoNormal">curl http://www.google.com/s2/webfinger/?q=acct:&lt;user&gt;@gmail.com</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">will
return an XRD document, one of whose members is this:</p>
<p class="MsoNormal"><Link
rel='<a href="http://specs.openid.net/auth/2.0/provider" target="_blank">http://specs.openid.net/auth/2.0/provider</a>'
href='<a href="http://www.google.com/profiles/" target="_blank">http://www.google.com/profiles/</a><user>'/></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The
href value might vary, but that’s what it returned for my account.
What concerns me is the link relation value: <a href="http://specs.openid.net/auth/2.0/provider" target="_blank">http://specs.openid.net/auth/2.0/provider</a></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Where
did that come from? The 2.0 spec defined two possible values:</p>
<p class="MsoNormal"><a href="http://specs.openid.net/auth/2.0/server" target="_blank">http://specs.openid.net/auth/2.0/server</a></p>
<p class="MsoNormal"><a href="http://specs.openid.net/auth/2.0/signon" target="_blank">http://specs.openid.net/auth/2.0/signon</a></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">However,
I cannot find the one Google is using defined anywhere, though I did see it
referenced here:</p>
<p class="MsoNormal"><a href="http://code.google.com/p/webfinger/source/browse/wiki/CommonLinkRelations.wiki?spec=svn22&r=22" target="_blank">http://code.google.com/p/webfinger/source/browse/wiki/CommonLinkRelations.wiki?spec=svn22&r=22</a></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Is
this an error? If not, can somebody point me to the correct
documentation?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">If
it is an error, what should the value be?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I
had assumed that the most logical choice was <a href="http://specs.openid.net/auth/2.0/signon" target="_blank">http://specs.openid.net/auth/2.0/signon</a>,
which is what I configured my server to return. </p>
</div>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
<div>
<p class="MsoNormal">"signon"
points to the actual OpenID endpoint (the URL that RPs send their association
requests to, that they redirect the users to, etc.) The claimed id for which
signon identifies the OpenID endpoint is the URI on which discovery is
performed. So "signon" wouldn't work for two reasons:</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">(1) <a href="http://www.google.com/profiles/" target="_blank">http://www.google.com/profiles/</a><user>
is not Google's OpenID endpoint</p>
</div>
<div>
<p class="MsoNormal">(2)
acct:<user>@<a href="http://gmail.com" target="_blank">gmail.com</a>
(which is what you're performing discovery on) is not a valid OpenID</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"><a href="http://www.google.com/profiles/" target="_blank">http://www.google.com/profiles/</a><user>
is, in fact, the user's OpenID (aka "claimed id", but as I mentioned,
_not_ Google's OpenID endpoint). The OpenID 2.0 spec doesn't specify a link
relation that means "this is my OpenID", so that's what the
"provider" link relation is supposed to convey. It's not part of any
standard (since webfinger itself hasn't been formalized yet). </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Does
this make sense? </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">In
a related note, I _would_ like to be able to put "signon" links in
webfinger XRDs, and make OpenID handle acct:URI (which it necessarily would
have to, at that point), but that won't happen until we have a new version of
OpenID.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Dirk.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal">I
made that assumption based on looking at all of the XRDS examples in the OpenID
2.0 spec.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Paul</p>
<p class="MsoNormal"> </p>
</div>
</div>
<p class="MsoNormal"> </p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@lists.openid.net" target="_blank">specs@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a></p>
</blockquote>
</div>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<p class="MsoNormal"><br>
<br clear="all">
</p>
<div>
<div>
<p class="MsoNormal"><br>
-- <br>
Chris Messina<br>
Open Web Advocate, Google<br>
<br>
Personal: <a href="http://factoryjoe.com" target="_blank">http://factoryjoe.com</a><br>
Follow me on Buzz: <a href="http://buzz.google.com/chrismessina" target="_blank">http://buzz.google.com/chrismessina</a>
<br>
...or Twitter: <a href="http://twitter.com/chrismessina" target="_blank">http://twitter.com/chrismessina</a>
<br>
<br>
This email is: [ ] shareable [X] ask first [ ]
private</p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"> </p>
</div></div></div>
</div>
</div>
</blockquote></div><br>
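<div>The RP-side lookup Paul sketches in steps 1-6, together with the point Chris and John make about the entered e-mail form versus the claimed_id the OP returns, as an added example that is not code from this thread or from any of the projects it mentions. It runs the discovery over constructed copies of the host-meta and account XRDs quoted above (served here over https rather than the http of the 2010 originals, and with a made-up profile URL), accepts both link relations the thread discusses, returns every matching link so the RP can prompt when there is more than one, and checks the OP's claimed_id against what discovery produced; fetch() and DOCS are offline stand-ins for the HTTP requests.</div>

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlparse

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"

# Link relations the thread discusses for "this acct: maps to that OpenID":
# the one Google's endpoint returned and the one proposed as a replacement.
OPENID_RELS = ("http://specs.openid.net/auth/2.0/provider",
               "http://openid.net/identity")

# Constructed stand-ins for the two documents quoted in the thread. Unlike the
# 2010 originals they are served over https, which fetch() below insists on.
HOST_META = """<?xml version='1.0' encoding='UTF-8'?>
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'
     xmlns:hm='http://host-meta.net/xrd/1.0'>
  <hm:Host>gmail.com</hm:Host>
  <Link rel='lrdd' template='https://www.google.com/s2/webfinger/?q={uri}'>
    <Title>Resource Descriptor</Title>
  </Link>
</XRD>"""

ACCOUNT_XRD = """<?xml version='1.0' encoding='UTF-8'?>
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>
  <Subject>acct:bob@gmail.com</Subject>
  <Link rel='http://specs.openid.net/auth/2.0/provider'
        href='https://www.google.com/profiles/3922823829347234234'/>
  <Link rel='http://webfinger.net/rel/profile-page'
        href='https://www.google.com/profiles/3922823829347234234'/>
</XRD>"""

DOCS = {
    "https://gmail.com/.well-known/host-meta": HOST_META,
    "https://www.google.com/s2/webfinger/?q=acct%3Abob%40gmail.com": ACCOUNT_XRD,
}


def fetch(url):
    """Offline stand-in for HTTP GET. Refuses plain http so that a network
    attacker cannot swap the OpenID the RP ends up trusting."""
    if urlparse(url).scheme != "https":
        raise LookupError("refusing non-https discovery URL: " + url)
    if url not in DOCS:
        raise LookupError("no document at " + url)
    return DOCS[url]


def links(xrd_text, rel):
    """All <Link> elements in an XRD carrying the given rel value."""
    root = ET.fromstring(xrd_text)
    return [link for link in root.iter(XRD_NS + "Link") if link.get("rel") == rel]


def discover_openids(entered):
    """Steps 1-5 of the sketch: map what the user typed to zero or more OpenIDs.
    Several results mean the RP has to ask the user which one to use."""
    if entered.startswith(("http://", "https://")):   # step 2: already an OpenID
        return [entered]
    if "@" not in entered:                             # nothing to look up
        return []
    user, host = entered.rsplit("@", 1)
    acct_uri = "acct:%s@%s" % (user, host)
    try:                                               # step 3: host-meta, then LRDD
        templates = [link.get("template") for link in
                     links(fetch("https://%s/.well-known/host-meta" % host), "lrdd")]
        if not templates:
            return []
        xrd = fetch(templates[0].replace("{uri}", quote(acct_uri, safe="")))
    except (LookupError, ET.ParseError):
        return []                                      # step 5: report failure
    found = []                                         # step 4: collect OpenID links
    for rel in OPENID_RELS:
        found.extend(link.get("href") for link in links(xrd, rel) if link.get("href"))
    return found


def accept_assertion(discovered, claimed_id):
    """Guard for step 6: the claimed_id the OP asserts must be one that discovery
    on the entered identifier actually produced; the e-mail form may be kept for
    display but is never itself the trusted identity."""
    return claimed_id in discovered
```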