The User-Agent field does not have the right semantics. I hope that field could 
be used, for instance, to notice which Relying Parties are using a particular 
version of Janrain’s Java library for OpenID. It is probably reasonable for 
Bloglines, Google etc to identify themselves in the User-Agent field as they 
probably use proprietary purpose-built clients. Most OpenID RPs will not use 
proprietary clients.

The From field feels more appropriate for this OpenID purpose.

 

 

________________________________

From: John Panzer [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 17 October 2007 2:36 PM
To: Manger, James H
Cc: specs@openid.net
Subject: Re: [OpenID] identify RP when it gets OpenID URL

 

Wouldn't User-Agent: be equivalent, and have prior art (feed readers such as 
Bloglines identify themselves via User-Agent)?

Manger, James H wrote: 

…

 “The Relying Party MUST include a From HTTP header field in each HTTP request 
made during discovery. The From field holds an email address for the RP (eg 
From: [EMAIL PROTECTED]) [RFC2616]. This enables the discovered information to 
vary based on the RP. The From field is not authenticated so it is not 
appropriate to use for access control.”

 …

 

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Reply via email to