On 8-Jun-07, at 3:04 PM, Drummond Reed wrote:

> http://openid.aol.com/daveman692 - reassignable
> http://openid.aol.com/daveman692#1234 - persistent
>
> If an XRDS for the reassignable identifier asserts the persistent identifier
> as a Canonical ID, a second round trip is not required because the client
> can verify that http://openid.aol.com/ is authoritative for both daveman692
> and daveman692#1234.
Because, in the case of URLs, delegation is decoupled from the identifiers, I don't think that verifying only the authority part will suffice.

I could have the XRDS at:

http://openid.aol.com/johnny692

assert the canonical ID:

http://openid.aol.com/daveman692#1234

.. but have http://openid.aol.com/johnny692 delegate to my own OP running in my basement, which is configured to issue assertions with the above canonical ID. Checking only the authority section would render such assertions valid.

Unless I'm missing something, I believe we should mandate a stricter verification, on the full URL without the fragment. (Whoever controls the URL without the fragment also controls the URL with any fragments.)

Johnny

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
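The two verification policies discussed in this message, as an added example that is not part of the thread or of any OpenID library. It models the outcome of discovery on a claimed URL (the asserted CanonicalID and the delegated OP endpoint) as a small constructed record, then applies both the authority-only comparison from the quoted proposal and the stricter "full URL without fragment" comparison Johnny asks for. The `XrdsResult` type, the `normalize` helper and the basement OP host `basement.example` are assumptions made for the illustration; the identifiers are the ones from the message.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class XrdsResult:
    """What discovery on a claimed URL returned (constructed for this example)."""
    claimed_url: str    # the URL the RP fetched the XRDS from
    canonical_id: str   # the CanonicalID asserted in that XRDS
    op_endpoint: str    # the OP the XRDS delegates authentication to


def normalize(url: str) -> tuple[str, str, str]:
    """Split a URL into (scheme, authority, path+query), dropping the fragment
    and lowercasing scheme and host so equivalent URLs compare equal.
    Hypothetical helper; real deployments should follow the spec's
    normalization rules."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port
    # Omit the port when it is the scheme's default, so host:80 == host.
    if port is not None and port != {"http": 80, "https": 443}.get(scheme):
        authority = f"{host}:{port}"
    else:
        authority = host
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return scheme, authority, path


def authority_only_check(r: XrdsResult) -> bool:
    """The check from the quoted proposal: the canonical ID is accepted when
    its scheme and authority match the claimed URL's, whatever the path."""
    return normalize(r.claimed_url)[:2] == normalize(r.canonical_id)[:2]


def full_url_check(r: XrdsResult) -> bool:
    """The stricter check: the canonical ID, minus its fragment, must equal
    the claimed URL exactly. Whoever controls the fragment-less URL also
    controls every fragment of it, so this binds the CanonicalID to the
    resource that was actually discovered."""
    return normalize(r.claimed_url) == normalize(r.canonical_id)


# Constructed discovery results for the two cases in the message.
LEGITIMATE = XrdsResult(
    claimed_url="http://openid.aol.com/daveman692",
    canonical_id="http://openid.aol.com/daveman692#1234",
    op_endpoint="http://openid.aol.com/server",          # assumed endpoint
)
DELEGATED_ELSEWHERE = XrdsResult(
    claimed_url="http://openid.aol.com/johnny692",
    canonical_id="http://openid.aol.com/daveman692#1234",
    op_endpoint="http://basement.example/op",            # hypothetical OP
)


def evaluate(r: XrdsResult) -> dict[str, bool]:
    """Run both policies over one discovery result."""
    return {
        "authority_only": authority_only_check(r),
        "full_url_sans_fragment": full_url_check(r),
    }


if __name__ == "__main__":
    for name, result in (("legitimate", LEGITIMATE),
                         ("delegated elsewhere", DELEGATED_ELSEWHERE)):
        print(name, evaluate(result))
```

Running it shows the gap the message describes: the authority-only policy accepts both records, because `openid.aol.com` is authoritative for `johnny692` and for `daveman692#1234` alike, while the full-URL policy accepts only the record whose claimed URL is `http://openid.aol.com/daveman692` itself.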