Well yes and no I think. An RP has to know whether the OpenID entered in the login box contains an identifier or not in order to discover the correct OP, so it is really an RP issue.

If a user just enters x.y.z.com how does the RP know whether x is the identifier and y.z.com the OP address, or if x.y.z.com is just the OP address and the user will provide the identifier to the OP (as per the use case David brought up)? Though you are right, if the OP controls y.z.com they can do the appropriate redirect to x.y.z.com regardless of how the RP interprets the OpenID provided. Unfortunately not all OPs support this, so as far as users go they will have an inconsistent experience.

BTW, not all OPs support providing one identifier to the RP but then logging into the OP with a different identifier (the user "changes their mind" case Johnny brought up, which makes a lot of sense imo, especially if say the user just had a typo they were not even aware of).

Maybe the next OpenID interop should really be about user experience...

Roxana Bradescu | VeriSign Innovation

-----Original Message-----
From: Dick Hardt [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 16, 2007 11:12 AM
To: Bradescu, Roxana
Cc: Johnny Bufu; [email protected]; [EMAIL PROTECTED]
Subject: Re: [security] Validating openid.identity in authentication responses

Note that it is primarily a limit of the OP, in which case the user does the same thing all the time as they are using the same OP everywhere.

-- Dick

On 16-Nov-07, at 11:07 AM, Bradescu, Roxana wrote:

> It's unfortunate that users have to know which version of the protocol
> sites are running to know what they can type into the login box.
>
> Roxana Bradescu | VeriSign Innovation
>
> -----Original Message-----
> From: Johnny Bufu [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 16, 2007 10:07 AM
> To: Bradescu, Roxana
> Cc: [EMAIL PROTECTED]; Trevor Johns; [email protected]
> Subject: Re: [security] Validating openid.identity in authentication responses
>
> On 16-Nov-07, at 9:39 AM, Bradescu, Roxana wrote:
>> David, I've noticed the use case you describe doesn't actually work at
>> many RPs. For example if I go to livejournal.com and just put in
>> my IDP pip.verisignlabs.com I get an error.
>
> Directed identity is a 2.0 feature, while livejournal seems to be
> speaking only 1.x.
>
> Johnny
>
> _______________________________________________
> security mailing list
> [email protected]
> http://openid.net/mailman/listinfo/security
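The thread above turns on two RP-side questions: how the RP decides, from what the user typed, whether it has an OP Identifier (directed identity, 2.0 only) or a Claimed Identifier, and why openid.identity in the response still has to be validated when the OP chose or changed the identifier. The following is an added example written for this page, not code from any of the participants or from an OpenID library. The hostnames (op.example, alice.op.example, legacy.example), the XRDS and HTML documents and the fetch() stub are constructed stand-ins for real HTTP discovery; the service type URIs and identifier_select value are the ones defined by OpenID Authentication 2.0, and the section numbers cited in the comments refer to that specification.

```python
"""OpenID 2.0 RP: classify the typed URL after discovery (OP Identifier vs
Claimed Identifier, 2.0 vs 1.x) and validate openid.identity in the response.
Added example, not code from the list thread.  Hostnames, XRDS/HTML documents
and fetch() are constructed stand-ins for real HTTP discovery."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

XRD_NS = "xri://$xrd*($v*2.0)"
OP_IDENTIFIER = "http://specs.openid.net/auth/2.0/server"   # OP Identifier service
CLAIMED_ID = "http://specs.openid.net/auth/2.0/signon"      # Claimed Identifier service
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

@dataclass(frozen=True)
class Discovered:
    version: str                # "2.0" (XRDS) or "1.x" (HTML <link>)
    op_endpoint: str
    claimed_id: Optional[str]   # None when the user typed an OP Identifier
    op_local_id: Optional[str]  # <LocalID> or openid.delegate, if any

def normalize(user_input: str) -> str:
    """Add a scheme and a trailing slash to a bare host (OpenID 2.0 sec. 7.2)."""
    url = user_input.strip()
    if not re.match(r"^https?://", url):
        url = "http://" + url
    if re.match(r"^https?://[^/]+$", url):
        url += "/"
    return url

def discover(url: str, fetch) -> Optional[Discovered]:
    """Yadis/XRDS (2.0) first, then HTML <link rel="openid.server"> (1.x)."""
    doc = fetch(url)
    if doc is None:
        return None
    return _from_xrds(url, doc) if "xri://$xrds" in doc[:300] else _from_html(url, doc)

def _from_xrds(url, doc):
    ns = {"x": XRD_NS}
    for svc in ET.fromstring(doc).iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall("x:Type", ns) if t.text}
        uri = svc.find("x:URI", ns)
        if uri is None or not uri.text:
            continue
        if OP_IDENTIFIER in types:   # RP cannot know the user yet; let the OP pick
            return Discovered("2.0", uri.text.strip(), None, None)
        if CLAIMED_ID in types:
            local = svc.find("x:LocalID", ns)
            local_id = local.text.strip() if local is not None and local.text else None
            return Discovered("2.0", uri.text.strip(), url, local_id)
    return None

def _from_html(url, doc):
    def link(rel):
        m = re.search(r'<link[^>]*rel="%s"[^>]*href="([^"]+)"' % re.escape(rel), doc)
        return m.group(1) if m else None
    server = link("openid.server")
    if server is None:   # a 1.x OP home page: no identifier, nothing the RP can send
        return None
    return Discovered("1.x", server, url, link("openid.delegate"))

def checkid_params(d: Discovered) -> dict:
    """Identifier fields of the checkid_setup request."""
    if d.claimed_id is None:   # OP Identifier: only expressible in 2.0
        return {"openid.identity": IDENTIFIER_SELECT, "openid.claimed_id": IDENTIFIER_SELECT}
    params = {"openid.identity": d.op_local_id or d.claimed_id}
    if d.version == "2.0":
        params["openid.claimed_id"] = d.claimed_id
    return params

def verify_response_identity(resp: dict, requested: Discovered, fetch) -> bool:
    """Never take openid.identity on faith (OpenID 2.0 sec. 11.2).  If the request
    used identifier_select, or the OP returned a different claimed_id than was
    requested, re-discover the returned claimed_id and check that the answering
    OP is authoritative for it.  Signature verification is a separate step."""
    claimed = resp.get("openid.claimed_id")
    if claimed is None or claimed == IDENTIFIER_SELECT:
        return False
    d = requested if requested.claimed_id == claimed else discover(claimed, fetch)
    if d is None:
        return False
    return (resp.get("openid.op_endpoint") == d.op_endpoint
            and resp.get("openid.identity") == (d.op_local_id or d.claimed_id))

# Constructed documents standing in for HTTP responses (not real hosts).
_DOCS = {
    "http://op.example/": """<?xml version="1.0"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>
  <Service><Type>http://specs.openid.net/auth/2.0/server</Type>
           <URI>https://op.example/auth</URI></Service></XRD></xrds:XRDS>""",
    "http://alice.op.example/": """<?xml version="1.0"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>
  <Service><Type>http://specs.openid.net/auth/2.0/signon</Type>
           <URI>https://op.example/auth</URI>
           <LocalID>https://op.example/user/alice</LocalID></Service></XRD></xrds:XRDS>""",
    "http://bob.legacy.example/": '<html><head><link rel="openid.server" href="https://legacy.example/openid" />'
                                  '<link rel="openid.delegate" href="https://legacy.example/u/bob" /></head></html>',
    "http://legacy.example/": "<html><head><title>A 1.x OP home page</title></head></html>",
}

def fetch(url: str) -> Optional[str]:
    return _DOCS.get(url)
```

Typing only the OP host works when discovery yields a 2.0 OP Identifier service (the RP sends identifier_select and the user picks an account at the OP); against a 1.x OP home page with no openid.server link the RP has no identifier at all and can only fail, which is the behaviour described in the thread. On the way back, the "changed their mind" case and the directed-identity case are the same validation problem: the claimed_id in the response must be re-discovered and the responding OP endpoint checked against it, otherwise any OP could assert any identifier.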
