On 10-Oct-06, at 2:08 PM, Drummond Reed wrote:

>>>> On 10/10/06, Dick Hardt wrote:
>>>> [openid.rpuserid is the identifier] that the user gave the RP?
>>>
>>> Josh Hoyt wrote:
>>> For URL identifiers, it is the supplied identifier, normalized, after
>>> following redirects. In essence, it's the user's chosen identifier.
>>>
>>> For XRI identifiers, it's the canonical ID (i-number).
>>
>> Dick Hardt wrote:
>>
>> This comment led me to want to make sure I understand the
>> requirements of XRI.
>>
>> Q: why would the RP not want the i-name to come back rather than the
>> i-number?
>>
>> The i-number can be derived from the i-name. The i-name is what is
>> user visible. The IdP will make sure the i-name the user is
>> presenting resolves to the i-number the user has presented in the
>> past.
>>
>> Am I missing something?
>
> Since the RP has to do discovery on the i-name, the RP already has the
> i-number (CanonicalID). Further, as explained in previous threads, the
> CanonicalID is the primary key the RP wants to store for the user, not the
> i-name, because the i-number is forever while the i-name could change.
>
> The RP is also motivated to send the i-number to the IdP for the same reason
> that the RP is motivated to send the delegate URL (if available): to
> increase performance by saving the IdP from having to re-resolve the i-name
> (in the XRI case) or original URL (in the URL case).
Won't the IdP still have to resolve the i-name? The IdP can't trust the
RP, or know that the i-name and i-number are really linked unless it
checks itself.

> Lastly, in the case where the identifier-the-RP-stores and the
> identifier-the-IdP-stores are different, if the RP has already discovered
> the latter, then the RP can be stateless by sending both to the IdP, knowing
> it will receive both back in the response.

Then the RP is trusting the IdP will send back a correct mapping.

> If the RP can only send one identifier to the IdP, it's stuck with a
> dilemma:
>
> * If the RP sends the identifier-the-RP-stores, then it forces the IdP to
> redo discovery, slowing performance.

It would seem to me that the IdP still has to do discovery as it can't
trust what the RP did, or that the RP even did it.

Summary: sending both parameters does not save anything as both RP and
IdP need to resolve the user-presented identifier to who is
authoritative for it.

This discussion has me wondering about XRI resolution though. Given that
multiple i-names can resolve to the same i-number, just as multiple
domain names can resolve to the same IP address, and that the i-name is
the identifier the user sees, it would seem that the i-name is what
should be stored by the RP, otherwise there is no difference between
using any of the i-names that resolve to the same i-number, or is that
the idea?

_______________________________________________
specs mailing list
http://openid.net/mailman/listinfo/specs
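The exchange argued over above, modelled as an added example (this is not code from the thread, from the OpenID specification, or from any OpenID library). It shows the two points Dick makes: an IdP that skips its own resolution will sign whatever i-name/i-number pairing the RP hands it, and an RP that keys its accounts on the CanonicalID must re-resolve the returned i-name rather than trust the IdP's mapping. The registry, the i-names and i-numbers, the request/response shapes and every function name here are constructed for illustration; real XRI resolution goes through XRDS documents and proxy resolvers, which are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed registry standing in for XRI resolution. Several i-names
# resolve to one i-number (CanonicalID), as several domain names can
# resolve to one IP address. All values are made up for this example.
REGISTRY: Dict[str, str] = {
    "=alice":       "=!A1B2.C3D4",
    "=alice.smith": "=!A1B2.C3D4",   # second i-name for the same person
    "=bob":         "=!E5F6.0708",
}


def resolve(iname: str) -> Optional[str]:
    """Authoritative i-name -> CanonicalID lookup (stand-in for XRI resolution)."""
    return REGISTRY.get(iname)


@dataclass
class AuthRequest:
    identity: str                 # i-name the user typed at the RP
    canonical_id: Optional[str]   # CanonicalID the RP claims it discovered


@dataclass
class AuthResponse:
    identity: str                 # i-name the IdP asserts
    canonical_id: str             # CanonicalID the IdP asserts it maps to


def rp_build_request(user_input: str) -> AuthRequest:
    """RP performs discovery and forwards both identifiers, as proposed
    in the thread, so that it can stay stateless."""
    return AuthRequest(identity=user_input, canonical_id=resolve(user_input))


def idp_trusting(req: AuthRequest, session_cid: str) -> Optional[AuthResponse]:
    """IdP that skips resolution and trusts the pairing the RP supplied.

    session_cid is the CanonicalID the IdP has actually authenticated the
    current user as. Only that half is checked; the i-name is taken on faith.
    """
    if req.canonical_id != session_cid:
        return None
    return AuthResponse(req.identity, req.canonical_id)


def idp_verifying(req: AuthRequest, session_cid: str) -> Optional[AuthResponse]:
    """IdP that re-resolves the i-name itself before asserting anything.

    Rejects unknown i-names, an RP-supplied CanonicalID that disagrees with
    resolution, and any i-name that does not belong to the logged-in user.
    """
    cid = resolve(req.identity)
    if cid is None or cid != req.canonical_id or cid != session_cid:
        return None
    return AuthResponse(req.identity, cid)


def rp_accept(resp: Optional[AuthResponse]) -> Optional[str]:
    """RP side: re-resolve the asserted i-name before storing the
    CanonicalID as the account's primary key, so the RP does not depend
    on the IdP having produced a correct mapping either.

    Returns the key to store, or None if the response is rejected.
    """
    if resp is None:
        return None
    if resolve(resp.identity) != resp.canonical_id:
        return None
    return resp.canonical_id


if __name__ == "__main__":
    # Honest flow: two different i-names for Alice land on one RP account key.
    alice = "=!A1B2.C3D4"
    for name in ("=alice", "=alice.smith"):
        print(name, "->", rp_accept(idp_verifying(rp_build_request(name), alice)))

    # Mismatched pairing (RP bug or tampering in transit): Bob's session,
    # but the request names "=alice" with Bob's CanonicalID attached.
    bob = "=!E5F6.0708"
    bad = AuthRequest(identity="=alice", canonical_id=bob)
    print("trusting IdP asserts:", idp_trusting(bad, bob))
    print("verifying IdP asserts:", idp_verifying(bad, bob))
    print("RP accepts trusting assertion:", rp_accept(idp_trusting(bad, bob)))
```

The mismatched case is the one to look at: `idp_trusting` happily signs an assertion that says `=alice` for a session that is really Bob's, and an RP that displayed or keyed on the returned i-name would log Bob in as Alice. Both `idp_verifying` and `rp_accept` refuse it, and each does so by resolving the i-name itself, which is exactly the work that sending both identifiers was supposed to save.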