Josh Hoyt wrote:
> On 6/8/07, Martin Atkins <[EMAIL PROTECTED]> wrote:
>> I figure that you could potentially use the same mechanism as delegation
>> to avoid the extra discovery iteration.
>>
>> The problem, as with delegation, is that you need to duplicate the
>> endpoint URL in the source identifier's XRDS document. The canonical
>> identifier must also support OpenID, which I believe is something they
>> were trying to avoid.
>
> I'm assuming that by saying it's "like delegation", you mean that the
> canonical identifier is discovered from the entered identifier, and
> sent to the server, but discovery is never done.
>
> Let's say that you use "http://mart-atkins.com/" as your identifier,
> with a canonical id of "http://inconvenient.example.com/0000001"
>
> I can set up a URL "http://impersonation.example.com/mart" that points
> to an OpenID provider that I control, and give it the same canonical
> ID, "http://inconvenient.example.com/0000001".
>
> Unless we make sure that the canonical ID is intended to be used with
> this OpenID server, I can sign in to your account anywhere, since the
> canonical ID is used as the database key.
>
> Were you thinking of a different mechanism?
>
I'm assuming that the RP authenticates http://inconvenient.example.com/0000001, not http://impersonation.example.com/mart.

Just as with delegation, if I can successfully authenticate as the persistent identifier and the non-persistent identifier points at the persistent one, we can assume that http://impersonation.example.com/mart is "me" as well.

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
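The two RP behaviours in this exchange, modelled as an added example (not code from the thread or from any OpenID library): one RP keys the account on whatever CanonicalID the entered identifier's XRDS claims, the other performs the extra discovery on the CanonicalID itself and only accepts the OP endpoint that the CanonicalID's own document names. The discovery map and all function names are constructed for the example.

```python
# Constructed stand-in for the XRDS documents an RP would fetch. Each entry
# maps an identifier URL to the OP endpoint and CanonicalID found there.
# The impersonation entry copies the victim's CanonicalID but points at an
# OP endpoint the impersonator controls (all endpoints here are invented).
FAKE_WEB = {
    "http://mart-atkins.com/": {
        "endpoint": "http://op.example.com/openid",
        "canonical_id": "http://inconvenient.example.com/0000001",
    },
    "http://inconvenient.example.com/0000001": {
        "endpoint": "http://op.example.com/openid",
        "canonical_id": "http://inconvenient.example.com/0000001",
    },
    "http://impersonation.example.com/mart": {
        "endpoint": "http://evil-op.example.net/openid",
        "canonical_id": "http://inconvenient.example.com/0000001",
    },
}


def discover(identifier, web=FAKE_WEB):
    """Return (op_endpoint, canonical_id) an RP would find at `identifier`."""
    doc = web[identifier]
    return doc["endpoint"], doc["canonical_id"]


def rp_key_unsafe(entered, web=FAKE_WEB):
    """RP that skips the second discovery: it trusts the CanonicalID from the
    entered identifier's XRDS and asks whatever endpoint that XRDS names.
    Returns (account_key, endpoint_to_authenticate_against)."""
    endpoint, canonical = discover(entered, web)
    return canonical, endpoint


def rp_key_safe(entered, web=FAKE_WEB):
    """RP that discovers the CanonicalID a second time and only accepts the
    endpoint the CanonicalID's own document authorises. Returns None when the
    entered identifier's claim is not backed by the CanonicalID."""
    endpoint, canonical = discover(entered, web)
    canonical_endpoint, canonical_self = discover(canonical, web)
    if canonical_self != canonical or canonical_endpoint != endpoint:
        return None  # the claimed CanonicalID does not vouch for this endpoint
    return canonical, endpoint
```

With this data the unsafe RP hands the impersonation URL the victim's account key and sends the user to the impersonator's OP; the safe RP rejects it while still accepting http://mart-atkins.com/.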