danda at videntity.org
Wed Sep 14 19:04:30 PDT 2005
>>It is NOT clear whether the claimed identity, the canonical identity URL,
>>or the delegate identity URL should be considered by consumers to be the
>>unique individual. I'd argue for claimed identity, but others may
>I second this. Claimed identity is what the user uses for login, and can choose to use, and probably has chosen on purpose.
I'm not so sure. See below.
>We discussed already how the logged in users should be displayed, and apart from possible self-choosable additional username
>and avatar, the OpenID-Identity-URL must be shown. There also I'd like to see the claimed identity, just the way I entered it in
>the login field. (when a link is used for the identity, the href may or should point to the canonical URL - at least the
>protocol is necessary)
>Since this is an issue many projects will face, I'd recommend adding it to the spec:
>a) to display the OpenID identity exactly as typed in by the user (perhaps even including given case of domain names)
>b) to use exactly this as identification ('primary key') in the database
It seems cleaner to me to use the canonical identity as primary key.
That way, you allow the user to enter e.g.
"http://sally.people.com/" the first time and then just
"sally.people.com" the second time, and they both point to the same record.
You could still display (or even store) whatever the user entered as a
>c) to allow consumers to handle cases where a canonicalisation of a known identity and the claimed identity would be equal, but
>the noncanonical version isn't, to propose the known version to the user as a suggestion
Seems like a redundant step (from the user's viewpoint).
>d) to encourage consumers who use the OpenID identity for their own profile management (e.g. the first login automatically
>creates a local user, for local settings etc) to support changing or adding multiple identities to the same profile. (of course
>only if the users can provide a successful claim for both identities)
While nice, this seems optional, and outside the scope of the spec.
>PS: it could be sensible to put a warning sign for consumers in the spec that the OpenID identity is user-entered data and may
>contain escape codes (sql/html injection) and should be treated with some care. This should be repeated in the documentation of
>OpenID-libraries, since it affects the whole client code.
I second that.
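As an added illustration, not part of this thread, here is a small Python sketch of the approach argued above: the canonical URL serves as the primary key, the as-typed form is kept for display, and because the identity is user-entered data it is stored through parameterized queries and HTML-escaped on output. The normalization rules and the table layout are assumptions made for the example, not the spec's definitions.

```python
import html
import sqlite3
from urllib.parse import urlsplit, urlunsplit


def canonicalize(identity):
    """Reduce a user-typed OpenID identity to a canonical key.

    Simplified normalization assumed for this example: prepend http://
    when no scheme was typed, lowercase scheme and host, and give an
    empty path a trailing slash.
    """
    s = identity.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path,
                       parts.query, ""))


def open_db():
    # Canonical URL is the primary key; what the user typed is stored for display.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (canonical TEXT PRIMARY KEY, as_typed TEXT)")
    return db


def login(db, typed):
    """Look up or create the user record; returns (canonical key, created).

    The identity is user input, so it only ever reaches SQL as a bound parameter.
    """
    key = canonicalize(typed)
    row = db.execute("SELECT canonical FROM users WHERE canonical = ?",
                     (key,)).fetchone()
    if row:
        return key, False
    db.execute("INSERT INTO users VALUES (?, ?)", (key, typed))
    return key, True


def display_name(db, key):
    """The as-typed identity, escaped so it can be placed in an HTML page."""
    (typed,) = db.execute("SELECT as_typed FROM users WHERE canonical = ?",
                          (key,)).fetchone()
    return html.escape(typed, quote=True)
```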