<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="&#1;" xmlns="http://www.w3.org/TR/REC-html40">

<head>

<meta http-equiv=Content-Type content="text/html; charset=us-ascii">

<meta name=Generator content="Microsoft Word 12 (filtered medium)">

<style>

<!--

 /* Font Definitions */

 @font-face

        {font-family:"Cambria Math";

        panose-1:2 4 5 3 5 4 6 3 2 4;}

@font-face

        {font-family:Calibri;

        panose-1:2 15 5 2 2 2 4 3 2 4;}

@font-face

        {font-family:Tahoma;

        panose-1:2 11 6 4 3 5 4 4 2 4;}

 /* Style Definitions */

 p.MsoNormal, li.MsoNormal, div.MsoNormal

        {margin:0in;

        margin-bottom:.0001pt;

        font-size:12.0pt;

        font-family:"Times New Roman","serif";}

a:link, span.MsoHyperlink

        {mso-style-priority:99;

        color:blue;

        text-decoration:underline;}

a:visited, span.MsoHyperlinkFollowed

        {mso-style-priority:99;

        color:purple;

        text-decoration:underline;}

span.EmailStyle17

        {mso-style-type:personal-reply;

        font-family:"Calibri","sans-serif";

        color:#1F497D;}

.MsoChpDefault

        {mso-style-type:export-only;}

@page Section1

        {size:8.5in 11.0in;

        margin:1.0in 1.0in 1.0in 1.0in;}

div.Section1

        {page:Section1;}

-->

</style>

<!--[if gte mso 9]><xml>

 <o:shapedefaults v:ext="edit" spidmax="1026" />

</xml><![endif]--><!--[if gte mso 9]><xml>

 <o:shapelayout v:ext="edit">

  <o:idmap v:ext="edit" data="1" />

 </o:shapelayout></xml><![endif]-->

</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'>Santosh,<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'>The identifier returned via Webfinger may or may not be the &#8220;claimed

ID&#8221; since it might be user-entered and not yet normalized.&nbsp; However,

I think a rel value of<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'>http://openid.net/identity<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'>would still suffice for both normalized identifiers and those

which are not yet normalized.&nbsp; The value really should be considered &#8220;user

provided&#8221;, in my view.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'>Once the value is retrieved, I think it should be given

treatment just like any other ID entered into the OpenID login box.&nbsp; Should

a person be allowed to enter an email address form and then return a different

email address form in the identity field, thus forcing another Webfinger

lookup?&nbsp; I can see an opportunity for abuse there, so I&#8217;d prefer the

disallow it, but I could go with whatever is decided.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'>Paul<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";

color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span

style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Santosh Rajan

[mailto:santrajan@gmail.com] <br>

<b>Sent:</b> Thursday, March 25, 2010 6:28 AM<br>

<b>To:</b> Paul E. Jones<br>

<b>Cc:</b> webfinger@googlegroups.com; openid-specs@lists.openid.net<br>

<b>Subject:</b> Re: WebFinger at Google<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal>From the OpenID perspective we have to see webfinger as a

part of &quot;normalizing &nbsp;the user supplied identifier&quot;. So the

OpenID normalization process would go something like this given a user supplied

identifier. (I will ignore XRI for simplicity)<o:p></o:p></p>

<div>

<p class=MsoNormal>1) Check to see if the identifier starts with http or https.

If yes proceed as per protocol.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>2) If not check to see if the identifier has an

&quot;@&quot; sign within the identifier. If yes use webfinger to get the

normalized identifier and proceed.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>3) If not add http to the identifier and proceed.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>So really what webfinger returns is the normalized

identifier, it is NOT yet a &quot;claimed id&quot; nor is it a &quot;Local

id&quot;.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>So I am suggesting one of these two rels.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&quot;openid.normalizedID&quot;.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal style='margin-bottom:12.0pt'>&quot;<a

href="http://specs.openid.net/auth/2.0/normalizedID">http://specs.openid.net/auth/2.0/normalizedID</a>&quot;.<o:p></o:p></p>

<div>

<p class=MsoNormal>On Thu, Mar 25, 2010 at 11:02 AM, Paul E. Jones &lt;<a

href="mailto:paulej@packetizer.com">paulej@packetizer.com</a>&gt; wrote:<o:p></o:p></p>

<p class=MsoNormal>Jared,<o:p></o:p></p>

<div>

<p class=MsoNormal style='margin-bottom:12.0pt'><br>

&gt; It seems weird to return the user's OpenID identifier, when ultimately<br>

&gt; the OP Endpoint URL is what you need if you want to authenticate the<br>

&gt; user. &nbsp;However, I think &quot;<a

href="http://specs.openid.net/auth/2.0/server" target="_blank">http://specs.openid.net/auth/2.0/server</a>&quot;<br>

&gt; should have been used for the rel type, as it is actually defined by<br>

&gt; OpenID Authentication 2.0 spec for that purpose.<o:p></o:p></p>

</div>

<p class=MsoNormal>I don't think it's weird at all to use webfinger to return

one's OpenID<br>

identifier. &nbsp;After all, Webfinger is intended to be a means of discovering<br>

information about a person. &nbsp;Once the identifier is learned, then the OP

can<br>

be discovered based on that ID. &nbsp;Returning the OP URL without the user's<br>

identifier is not as useful, since the OP would not know who is being<br>

authenticated: it would then have to prompt the user for his identity.<o:p></o:p></p>

<div>

<p class=MsoNormal style='margin-bottom:12.0pt'><br>

&gt; What is really needed is an agreed upon URI for what was the &quot;http://<br>

&gt; <a href="http://specs.openid.net/auth/2.0/signon" target="_blank">specs.openid.net/auth/2.0/signon</a>&quot;

type (which carried the user's<br>

&gt; OpenID URL in XRDS' LocalID element (which is gone from XRD)).<o:p></o:p></p>

</div>

<p class=MsoNormal>If the rel value is &quot;<a

href="http://openid.net/identity" target="_blank">http://openid.net/identity</a>&quot;

and the href value<br>

represents the user's OpenID identifier, then the RP knows what to do with<br>

that. &nbsp;I really think that's what we should try to agree upon.<br>

<br>

This would minimize the additional effort an RP would have to make, just<br>

adding a Webfinger resolution step and making no changes to the OpenID spec.<br>

The RP might want to implement Webfinger, anyway, in order to discover<br>

information about the user, such as his name, picture, or other information<br>

he wants to share with the world.<br>

<br>

Paul<br>

<br>

<br>

_______________________________________________<br>

specs mailing list<br>

<a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><o:p></o:p></p>

<div>

<div>

<p class=MsoNormal><a

href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><o:p></o:p></p>

</div>

</div>

</div>

<p class=MsoNormal style='margin-bottom:12.0pt'><br>

<br clear=all>

<br>

-- <br>

<a href="http://hi.im/santosh">http://hi.im/santosh</a><br>

<br>

<o:p></o:p></p>

</div>

</div>

</div>

</body>

</html>