Yes, the site could do discovery on the identifier and get a landing page. However, that would be self-asserted and different from the verified URL for the openID.

It may be better but will be a different trust model. That also applies to other relationships discovered in the XRD. Anyone could point to my blog or Flickr in their XRD, however that proves nothing. You could have trusted XRD with verified services but that is probably out of scope.

The security of openID is based on discovery and proof of control of the discovered resource. That is what makes it different from SAML or WS-Fed. When we start messing with the underlying model, we need to be careful that the assumptions people have built on top of that model still hold or we create security problems. If the meaning of an openID identifier changes then we need to be careful that developers understand all of the implications.

John B.

On 2010-05-13, at 11:44 AM, SitG Admin wrote:

>> The notion that you can place the openID in a blog comment and have someone
>> click on it to get to the commenter's blog or info page will fade further
>> into the past. I think that with the major sites not providing web
>> viewable landing pages for the majority of openID, the horse has left the
>> barn on that one already.
>
> With a little bit of extra work (blog software requesting Homepage
> attribute), it could autofill that field as the user preferred (their OP's
> site, by default?).
>
> -Shade
