Johnny Bufu wrote: > > We did look at this (with Drummond) in December. The bottom line is > that it can't be done easily - a mechanism similar to XRI's canonical > ID verification would have to be employed, to confirm that the i- > number actually 'belongs' to the URL on which discovery was > initiated. (Otherwise anyone could put any i-number in their URL- > based XRDS files.) >
Indeed, CanonicalID verification would be necessary, but it's already necessary if you want to accept XRI-based logins anyway. Last time we were talking about this CanonicalID verification for XRI was not yet specified. Is it now specified somewhere? _______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
