The User-Agent field does not have the right semantics. I hope that field could 
be used, for instance, to notice which Relying Parties are using a particular 
version of Janrain’s Java library for OpenID. It is probably reasonable for 
Bloglines, Google etc to identify themselves in the User-Agent field as they 
probably use proprietary purpose-built clients. Most OpenID RPs will not use 
proprietary clients.

The From field feels more appropriate for this OpenID purpose.




From: John Panzer [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 17 October 2007 2:36 PM
To: Manger, James H
Subject: Re: [OpenID] identify RP when it gets OpenID URL


Wouldn't User-Agent: be equivalent, and have prior art (feed readers such as 
Bloglines identify themselves via User-Agent)?

Manger, James H wrote: 


 “The Relying Party MUST include a From HTTP header field in each HTTP request 
made during discovery. The From field holds an email address for the RP (eg 
From: [EMAIL PROTECTED]) [RFC2616]. This enables the discovered information to 
vary based on the RP. The From field is not authenticated so it is not 
appropriate to use for access control.”



specs mailing list

Reply via email to