Paul,<div><br></div><div>I can see where you are coming from, and most people will agree with your suggestion for the rel value (even me). However I think the problem is with the "ground realities" at the moment so to speak. There are two problems with two solutions we have to look at.</div>
<div><br></div><div>1) How to integrate webfinger with the current OpenID 2.0 spec.</div><div>2) How to integrate webfinger with OpenID v.next.</div><div><br></div><div>I am not too worried about case (2). It will happen in the future and there are a lot of competent people around here to sort that out.</div>
<div><br></div><div>My suggestion for looking at webfinger as "normalizing an email like identifier for OpenID" is to allow email like identifiers to work with the existing OpenID 2.0 spec.</div><div><br></div><div>
To make webfinger work with OpenID 2.0 all we need is an addendum to the "normalizing the user supplied identifier" section (7.2) of the 2.0 spec, as explained in my earlier post.</div><div><br></div><div>Also we need to acknowledge that the identifier returned by webfinger is not the claimed id, because there may be redirects.</div>
<div><br></div><div>Also I must acknowledge that I am not an expert on OpenID or webfinger (only a user), and all this is IMHO.</div><div><br></div><div>Santosh</div><div><br><div class="gmail_quote">On Fri, Mar 26, 2010 at 8:33 PM, Paul E. Jones <span dir="ltr"><<a href="mailto:paulej@packetizer.com">paulej@packetizer.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">Santosh,</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">The identifier returned via Webfinger may or may not be the “claimed
ID” since it might be user-entered and not yet normalized. However,
I think a rel value of</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"><a href="http://openid.net/identity" target="_blank">http://openid.net/identity</a></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">would still suffice for both normalized identifiers and those
which are not yet normalized. The value really should be considered “user
provided”, in my view.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">Once the value is retrieved, I think it should be given
treatment just like any other ID entered into the OpenID login box. Should
a person be allowed to enter an email address form and then return a different
email address form in the identity field, thus forcing another Webfinger
lookup? I can see an opportunity for abuse there, so I’d prefer to
disallow it, but I could go with whatever is decided.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">Paul</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> Santosh Rajan
[mailto:<a href="mailto:santrajan@gmail.com" target="_blank">santrajan@gmail.com</a>] <br>
<b>Sent:</b> Thursday, March 25, 2010 6:28 AM<br>
<b>To:</b> Paul E. Jones<br>
<b>Cc:</b> <a href="mailto:webfinger@googlegroups.com" target="_blank">webfinger@googlegroups.com</a>; <a href="mailto:openid-specs@lists.openid.net" target="_blank">openid-specs@lists.openid.net</a></span></p><div class="im">
<br>
<b>Subject:</b> Re: WebFinger at Google</div><p></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">From the OpenID perspective we have to see webfinger as a
part of "normalizing the user supplied identifier". So the
OpenID normalization process would go something like this given a user supplied
identifier. (I will ignore XRI for simplicity)</p><div><div></div><div class="h5">
<div>
<p class="MsoNormal">1) Check to see if the identifier starts with http or https.
If yes proceed as per protocol.</p>
</div>
<div>
<p class="MsoNormal">2) If not check to see if the identifier has an
"@" sign within the identifier. If yes use webfinger to get the
normalized identifier and proceed.</p>
</div>
<div>
<p class="MsoNormal">3) If not add http to the identifier and proceed.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">So really what webfinger returns is the normalized
identifier, it is NOT yet a "claimed id" nor is it a "Local
id".</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">So I am suggesting one of these two rels.</p>
</div>
<div>
<p class="MsoNormal">"openid.normalizedID".</p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">"<a href="http://specs.openid.net/auth/2.0/normalizedID" target="_blank">http://specs.openid.net/auth/2.0/normalizedID</a>".</p>
<div>
<p class="MsoNormal">On Thu, Mar 25, 2010 at 11:02 AM, Paul E. Jones <<a href="mailto:paulej@packetizer.com" target="_blank">paulej@packetizer.com</a>> wrote:</p>
<p class="MsoNormal">Jared,</p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
> It seems weird to return the user's OpenID identifier, when ultimately<br>
> the OP Endpoint URL is what you need if you want to authenticate the<br>
> user. However, I think "<a href="http://specs.openid.net/auth/2.0/server" target="_blank">http://specs.openid.net/auth/2.0/server</a>"<br>
> should have been used for the rel type, as it is actually defined by<br>
> OpenID Authentication 2.0 spec for that purpose.</p>
</div>
<p class="MsoNormal">I don't think it's weird at all to use webfinger to return
one's OpenID<br>
identifier. After all, Webfinger is intended to be a means of discovering<br>
information about a person. Once the identifier is learned, then the OP
can<br>
be discovered based on that ID. Returning the OP URL without the user's<br>
identifier is not as useful, since the OP would not know who is being<br>
authenticated: it would then have to prompt the user for his identity.</p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
&gt; What is really needed is an agreed upon URI for what was the<br>
&gt; "<a href="http://specs.openid.net/auth/2.0/signon" target="_blank">http://specs.openid.net/auth/2.0/signon</a>"
type (which carried the user's<br>
&gt; OpenID URL in XRDS' LocalID element (which is gone from XRD)).</p>
</div>
<p class="MsoNormal">If the rel value is "<a href="http://openid.net/identity" target="_blank">http://openid.net/identity</a>"
and the href value<br>
represents the user's OpenID identifier, then the RP knows what to do with<br>
that. I really think that's what we should try to agree upon.<br>
<br>
This would minimize the additional effort an RP would have to make, just<br>
adding a Webfinger resolution step and making no changes to the OpenID spec.<br>
The RP might want to implement Webfinger, anyway, in order to discover<br>
information about the user, such as his name, picture, or other information<br>
he wants to share with the world.<br>
<br>
Paul<br>
<br>
<br>
_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@lists.openid.net" target="_blank">specs@lists.openid.net</a></p>
<div>
<div>
<p class="MsoNormal"><a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a></p>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br clear="all">
<br>
-- <br>
<a href="http://hi.im/santosh" target="_blank">http://hi.im/santosh</a><br>
<br>
</p>
</div>
</div></div></div>
</div>
</div>
</blockquote></div><br><br clear="all"><br>-- <br><a href="http://hi.im/santosh">http://hi.im/santosh</a><br><br><br>
</div>
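<div>Added worked example (not code from this thread, nor from the OpenID or WebFinger specs): the three-step normalization from Santosh's quoted message, with the WebFinger step sitting between the "starts with http(s)" check and the "prepend http://" fallback, written in Python. It assumes Paul's rel value http://openid.net/identity, an XRD descriptor as the WebFinger response, constructed sample descriptors in place of a network fetch, and Paul's preference that an email form answered with another email form is refused rather than looked up a second time. Following redirects during discovery, which is why the result is a normalized identifier and not yet the claimed identifier, is left out.</div>

```python
"""Added example, not from the thread: OpenID 2.0 section 7.2 normalization
(XRI omitted) with a WebFinger step for email-like identifiers.

Assumptions (not settled in the thread): the WebFinger descriptor is an XRD
whose Link with rel="http://openid.net/identity" carries the user's OpenID
identifier in href; that href is treated as user-supplied input and run
through normalization again; and a second email-like identifier is refused
instead of triggering another lookup.
"""
from urllib.parse import urlsplit, urlunsplit
import xml.etree.ElementTree as ET

OPENID_IDENTITY_REL = "http://openid.net/identity"
XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"

# Constructed sample descriptors standing in for a real WebFinger fetch
# (host-meta lookup followed by the per-user XRD), keyed by acct: URI.
SAMPLE_XRD = {
    "acct:alice@example.com":
        '<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">'
        "<Subject>acct:alice@example.com</Subject>"
        '<Link rel="http://openid.net/identity" href="Example.com/alice/#profile"/>'
        "</XRD>",
    # Answers with another email form: the abuse case Paul raised, since
    # honoring it would force a second WebFinger lookup (and could chain).
    "acct:bob@example.com":
        '<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">'
        '<Link rel="http://openid.net/identity" href="bob@example.org"/>'
        "</XRD>",
    # A descriptor with no OpenID link at all.
    "acct:carol@example.com":
        '<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">'
        "<Subject>acct:carol@example.com</Subject>"
        "</XRD>",
}


class NormalizationError(ValueError):
    """Raised when a user-supplied identifier cannot be normalized."""


def _is_url(identifier):
    return identifier.lower().startswith(("http://", "https://"))


def webfinger_openid_identifier(email, fetch=SAMPLE_XRD.get):
    """Resolve an email-like identifier via WebFinger and return the href of
    the http://openid.net/identity link. `fetch` maps an acct: URI to the XRD
    text (hypothetical hook; a real RP would do the HTTP lookups here)."""
    descriptor = fetch("acct:" + email)
    if descriptor is None:
        raise NormalizationError("no WebFinger descriptor for %s" % email)
    root = ET.fromstring(descriptor)
    for link in root.findall("{%s}Link" % XRD_NS):
        href = (link.get("href") or "").strip()
        if link.get("rel") == OPENID_IDENTITY_REL and href:
            return href
    raise NormalizationError("no %s link for %s" % (OPENID_IDENTITY_REL, email))


def normalize_url_identifier(identifier):
    """Syntactic part of 7.2 URL normalization: default scheme, lower-case
    scheme and host, empty path becomes "/", fragment stripped. Redirects are
    followed later, during discovery, and are not shown here."""
    if not _is_url(identifier):
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    if not parts.netloc:
        raise NormalizationError("identifier has no host: %r" % identifier)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def normalize(user_supplied, fetch=SAMPLE_XRD.get, allow_webfinger=True):
    """The three steps from the thread, applied to whatever the user typed."""
    ident = user_supplied.strip()
    if _is_url(ident):                              # step 1: http(s) URL
        return normalize_url_identifier(ident)
    if "@" in ident:                                # step 2: email-like
        if not allow_webfinger:
            raise NormalizationError(
                "WebFinger answered with another email form, refusing a "
                "second lookup: %r" % ident)
        resolved = webfinger_openid_identifier(ident, fetch)
        # The href is "user provided" in Paul's sense: normalize it again,
        # but without allowing a further WebFinger round trip.
        return normalize(resolved, fetch, allow_webfinger=False)
    return normalize_url_identifier(ident)          # step 3: prepend http://


def normalize_or_none(user_supplied, fetch=SAMPLE_XRD.get):
    """Convenience for a login handler: None means reject the input."""
    try:
        return normalize(user_supplied, fetch)
    except (NormalizationError, ET.ParseError):
        return None


if __name__ == "__main__":
    for typed in ("alice@example.com", "bob@example.com", "carol@example.com",
                  "dave@example.com", "Example.com/alice#x", "https://Example.com"):
        print("%-22s -> %s" % (typed, normalize_or_none(typed)))
```

<div>Only alice's entry normalizes (to http://example.com/alice/, after the fragment is dropped and the host lower-cased); bob's descriptor is rejected because a second email form would mean a second lookup, and carol's because the descriptor has no OpenID link. What comes back is still only the normalized user-supplied identifier, so discovery (with its redirects) has yet to run before anything can be called the claimed identifier.</div>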