On 6/8/07, Martin Atkins <[EMAIL PROTECTED]> wrote:
> I figure that you could potentially use the same mechanism as delegation
> to avoid the extra discovery iteration.
>
> The problem, as with delegation, is that you need to duplicate the
> endpoint URL in the source identifier's XRDS document. The canonical
> identifier must also support OpenID, which I believe is something they
> were trying to avoid.
I'm assuming that by saying it's "like delegation", you mean that the canonical identifier is discovered from the entered identifier and sent to the server, but discovery is never done.

Let's say that you use "http://mart-atkins.com/" as your identifier, with a canonical ID of "http://inconvenient.example.com/0000001". I can set up a URL "http://impersonation.example.com/mart" that points to an OpenID provider that I control, and give it the same canonical ID, "http://inconvenient.example.com/0000001". Unless we make sure that the canonical ID is intended to be used with this OpenID server, I can sign in to your account anywhere, since the canonical ID is used as the database key.

Were you thinking of a different mechanism?

Josh

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
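The impersonation Josh describes, modelled as an added example that is not part of the original thread or of any OpenID library: the discovery results are constructed inline as dicts standing in for XRDS documents, the two OP endpoints (op.legit.example, op.attacker.example) and the account table are hypothetical, and the "assertion" is a dict rather than a real signed OpenID response. The naive relying party keys the session on the canonical ID from one discovery hop; the checked one performs the extra discovery on the canonical ID itself and refuses the login unless that document names the OP that made the assertion.

```python
# Added example, not from the mailing-list thread. Identifiers, endpoints and
# accounts below are constructed for illustration.

# Constructed stand-ins for XRDS discovery: identifier -> (OP endpoint, canonical ID).
DISCOVERY = {
    # Martin's entered identifier, served by the legitimate OP.
    "http://mart-atkins.com/": {
        "op_endpoint": "https://op.legit.example/openid",
        "canonical_id": "http://inconvenient.example.com/0000001",
    },
    # Attacker-controlled page: points at the attacker's OP but claims
    # the same canonical ID.
    "http://impersonation.example.com/mart": {
        "op_endpoint": "https://op.attacker.example/openid",
        "canonical_id": "http://inconvenient.example.com/0000001",
    },
    # Discovery on the canonical ID itself names the OP authoritative for it.
    "http://inconvenient.example.com/0000001": {
        "op_endpoint": "https://op.legit.example/openid",
        "canonical_id": "http://inconvenient.example.com/0000001",
    },
}

# Hypothetical RP account table, keyed by canonical ID (the "database key").
ACCOUNTS = {"http://inconvenient.example.com/0000001": "mart"}


def discover(identifier):
    """Return the discovery record for an identifier; KeyError models a failed discovery."""
    return DISCOVERY[identifier]


def op_assert(op_endpoint, canonical_id):
    """Model a positive assertion from op_endpoint. The attacker's OP will
    assert any canonical ID it is handed; the legitimate OP never sees the
    request, so it cannot refuse."""
    return {"op_endpoint": op_endpoint, "claimed_id": canonical_id}


def login_naive(entered_id, accounts=ACCOUNTS):
    """Vulnerable: one discovery hop, canonical ID used directly as the account key."""
    info = discover(entered_id)
    assertion = op_assert(info["op_endpoint"], info["canonical_id"])
    return accounts.get(assertion["claimed_id"])


def login_checked(entered_id, accounts=ACCOUNTS):
    """Hardened: re-discover on the asserted canonical ID and require that
    the document found there names the OP endpoint that made the assertion."""
    info = discover(entered_id)
    assertion = op_assert(info["op_endpoint"], info["canonical_id"])
    try:
        authoritative = discover(assertion["claimed_id"])
    except KeyError:
        return None  # canonical ID does not support OpenID: cannot bind it to any OP
    if authoritative["op_endpoint"] != assertion["op_endpoint"]:
        return None  # this OP is not the one the canonical ID is intended for
    return accounts.get(assertion["claimed_id"])


if __name__ == "__main__":
    print("naive, legit:   ", login_naive("http://mart-atkins.com/"))
    print("naive, attacker:", login_naive("http://impersonation.example.com/mart"))
    print("checked, legit: ", login_checked("http://mart-atkins.com/"))
    print("checked, attack:", login_checked("http://impersonation.example.com/mart"))
```

The check in `login_checked` is exactly the extra discovery iteration the quoted proposal wanted to skip; without it, any page that can publish a discovery document can assert any canonical ID it likes.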