<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Santosh,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>While I have no objection to making changes to the OpenID spec
to support Webfinger if that's what folks want to do, I don't think
it's strictly necessary. We could just have a very brief document
that explains how to publish an OpenID identity via Webfinger and how OpenID
RPs might use Webfinger to get the OpenID identifier. These steps happen
before the current OpenID auth procedures start, which means we could keep it
separate and fairly clean.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I'm somewhat in the same position as you. I've
implemented OpenID (OP side) and I use it, but I'm not a part of the team
writing or changing specs. I'd be happy to engage with folks to do
that, but not sure who is leading the work.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Paul<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Santosh Rajan
[mailto:santrajan@gmail.com] <br>
<b>Sent:</b> Friday, March 26, 2010 12:29 PM<br>
<b>To:</b> Paul E. Jones<br>
<b>Cc:</b> webfinger@googlegroups.com; openid-specs@lists.openid.net<br>
<b>Subject:</b> Re: WebFinger at Google<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Paul,<o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>I can see where you are coming from, and most people will
agree with your suggestion for the rel value (even me). However, I think the
problem is with the "ground realities" at the moment so to speak.
There are two problems with two solutions we have to look at.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>1) How to integrate webfinger with the current OpenID 2.0
spec.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>2) How to integrate webfinger with OpenID v.next.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>I am not too worried about case (2). It will happen in the
future and there are a lot of competent people around here to sort that out.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>My suggestion for looking at webfinger as "normalizing
an email-like identifier for OpenID" is to allow email-like identifiers to
work with the existing OpenID 2.0 spec.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>To make webfinger work with OpenID 2.0 all we need is an
addendum to the "normalizing the user supplied identifier" section
(7.2) of the 2.0 spec, as explained in my earlier post.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Also we need to acknowledge that the identifier returned by
webfinger is not the claimed id, because there may be redirects.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Also I must acknowledge that I am not an expert on OpenID or
webfinger (only a user), and all this is IMHO.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Santosh<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal>On Fri, Mar 26, 2010 at 8:33 PM, Paul E. Jones <<a
href="mailto:paulej@packetizer.com">paulej@packetizer.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>Santosh,</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>The identifier returned via Webfinger
may or may not be the "claimed ID" since it might be user-entered
and not yet normalized. However, I think a rel value of</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'><a href="http://openid.net/identity"
target="_blank">http://openid.net/identity</a></span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>would still suffice for both normalized
identifiers and those which are not yet normalized. The value really
should be considered "user provided", in my view.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>Once the value is retrieved, I think it
should be given treatment just like any other ID entered into the OpenID login
box. Should a person be allowed to enter an email address form and then
return a different email address form in the identity field, thus forcing
another Webfinger lookup? I can see an opportunity for abuse there, so
I'd prefer to disallow it, but I could go with whatever is decided.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>Paul</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span
style='font-size:10.0pt'>From:</span></b><span style='font-size:10.0pt'>
Santosh Rajan [mailto:<a href="mailto:santrajan@gmail.com" target="_blank">santrajan@gmail.com</a>]
<br>
<b>Sent:</b> Thursday, March 25, 2010 6:28 AM<br>
<b>To:</b> Paul E. Jones<br>
<b>Cc:</b> <a href="mailto:webfinger@googlegroups.com" target="_blank">webfinger@googlegroups.com</a>;
<a href="mailto:openid-specs@lists.openid.net" target="_blank">openid-specs@lists.openid.net</a></span><o:p></o:p></p>
<div>
<p class=MsoNormal><br>
<b>Subject:</b> Re: WebFinger at Google<o:p></o:p></p>
</div>
</div>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>From
the OpenID perspective we have to see webfinger as a part of "normalizing
the user supplied identifier". So the OpenID normalization process
would go something like this given a user supplied identifier. (I will ignore
XRI for simplicity)<o:p></o:p></p>
<div>
<div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>1)
Check to see if the identifier starts with http or https. If yes, proceed as per
protocol.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>2)
If not check to see if the identifier has an "@" sign within the
identifier. If yes, use webfinger to get the normalized identifier and proceed.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>3)
If not, add http to the identifier and proceed.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>So
really what webfinger returns is the normalized identifier, it is NOT yet a
"claimed id" nor is it a "Local id".<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>So
I am suggesting one of these two rels.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>"openid.normalizedID".<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>"<a
href="http://specs.openid.net/auth/2.0/normalizedID" target="_blank">http://specs.openid.net/auth/2.0/normalizedID</a>".<o:p></o:p></p>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On
Thu, Mar 25, 2010 at 11:02 AM, Paul E. Jones <<a
href="mailto:paulej@packetizer.com" target="_blank">paulej@packetizer.com</a>>
wrote:<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Jared,<o:p></o:p></p>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><br>
> It seems weird to return the user's OpenID identifier, when ultimately<br>
> the OP Endpoint URL is what you need if you want to authenticate the<br>
> user. However, I think "<a
href="http://specs.openid.net/auth/2.0/server" target="_blank">http://specs.openid.net/auth/2.0/server</a>"<br>
> should have been used for the rel type, as it is actually defined by<br>
> OpenID Authentication 2.0 spec for that purpose.<o:p></o:p></p>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I
don't think it's weird at all to use webfinger to return one's OpenID<br>
identifier. After all, Webfinger is intended to be a means of discovering<br>
information about a person. Once the identifier is learned, then the OP
can<br>
be discovered based on that ID. Returning the OP URL without the user's<br>
identifier is not as useful, since the OP would not know who is being<br>
authenticated: it would then have to prompt the user for his identity.<o:p></o:p></p>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><br>
> What is really needed is an agreed upon URI for what was the "http://<br>
> <a href="http://specs.openid.net/auth/2.0/signon" target="_blank">specs.openid.net/auth/2.0/signon</a>"
type (which carried the user's<br>
> OpenID URL in XRDS' LocalID element (which is gone from XRD)).<o:p></o:p></p>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>If
the rel value is "<a href="http://openid.net/identity" target="_blank">http://openid.net/identity</a>"
and the href value<br>
represents the user's OpenID identifier, then the RP knows what to do with<br>
that. I really think that's what we should try to agree upon.<br>
<br>
This would minimize the additional effort an RP would have to make, just<br>
adding a Webfinger resolution step and making no changes to the OpenID spec.<br>
The RP might want to implement Webfinger, anyway, in order to discover<br>
information about the user, such as his name, picture, or other information<br>
he wants to share with the world.<br>
<br>
Paul<br>
<br>
<br>
_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@lists.openid.net" target="_blank">specs@lists.openid.net</a><o:p></o:p></p>
<div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a
href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><o:p></o:p></p>
</div>
</div>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><br>
<br clear=all>
<br>
-- <br>
<a href="http://hi.im/santosh" target="_blank">http://hi.im/santosh</a><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
<br clear=all>
<br>
-- <br>
<a href="http://hi.im/santosh">http://hi.im/santosh</a><br>
<br>
<o:p></o:p></p>
</div>
</div>
</div>
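<p class=MsoNormal>The three normalization steps Santosh lists (XRI ignored), combined with Paul's point that the value returned by Webfinger is user-provided input and should not be allowed to trigger a second Webfinger lookup, as an added Python example that is not part of this thread or of any OpenID or Webfinger implementation. OPENID_IDENTITY_REL is the rel value Paul proposes; FAKE_WEBFINGER, webfinger_lookup, normalize and try_normalize are constructed names with constructed data, and no network requests are made.</p>

```python
import re
from urllib.parse import urlsplit

# rel value Paul proposes in the thread for the user's OpenID identifier
OPENID_IDENTITY_REL = "http://openid.net/identity"
# Constructed Webfinger link sets for the example; no network lookups are made.
FAKE_WEBFINGER = {
    "alice@example.com": [{"rel": OPENID_IDENTITY_REL, "href": "alice.example.com"}],
    # bob's record hands back another email-like form (the case Paul wants refused)
    "bob@example.com": [{"rel": OPENID_IDENTITY_REL, "href": "bob@other.example"}],
    # carol's record carries no OpenID identity link at all
    "carol@example.com": [{"rel": "http://webfinger.net/rel/avatar", "href": "https://example.com/c.png"}],
}

def webfinger_lookup(acct):
    """Hypothetical resolver: href of the first OpenID identity link, or None."""
    for link in FAKE_WEBFINGER.get(acct, []):
        if link.get("rel") == OPENID_IDENTITY_REL:
            return link.get("href")
    return None

def normalize(user_input, lookup=webfinger_lookup, _allow_webfinger=True):
    """Santosh's steps 1-3 (XRI ignored) with Paul's caveat: the Webfinger
    result is treated as user-provided input and re-normalized, but it may
    not trigger a second Webfinger lookup. Raises ValueError on failure."""
    ident = user_input.strip()
    if not ident:
        raise ValueError("empty identifier")
    # Step 1: already an http(s) URL, proceed as per the OpenID 2.0 protocol
    if re.match(r"^https?://", ident, re.IGNORECASE):
        url = ident
    # Step 2: email-like identifier, resolve via Webfinger and normalize the result
    elif "@" in ident:
        if not _allow_webfinger:
            raise ValueError("Webfinger returned an email-like identifier; second lookup refused")
        resolved = lookup(ident)
        if resolved is None:
            raise ValueError("no %s link for %s" % (OPENID_IDENTITY_REL, ident))
        return normalize(resolved, lookup, _allow_webfinger=False)
    else:
        # Step 3: bare host or path, prepend http:// and proceed
        url = "http://" + ident
    if not urlsplit(url).netloc:
        raise ValueError("normalized identifier has no host: %r" % url)
    return url

def try_normalize(user_input, lookup=webfinger_lookup):
    try:  # wrapper returning None instead of raising, for callers that just branch
        return normalize(user_input, lookup)
    except ValueError:
        return None
```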
</body>
</html>