If it is not, implementations MUST add a zero byte at the front of the string. There are two methods for indirect communication: HTTP redirects and HTML form submission.
This means that the left-most bit of the two's complement representation MUST be zero.
Discovery is the process where the Relying Party uses the Identifier to look up ("discover") the necessary information for initiating requests.
The Relying Party MUST confirm that the provider of the XRD that contains the element is authoritative for that Canonical ID and that this XRDS document is authoritative for the Open ID Service Element.
element is to assert a persistent identifier that will never be reassigned, thus preventing the possibility of an XRI being ("taken over") by a new registrant.
All messages that are sent as HTTP requests (GET or POST) MUST contain the following fields: Arbitrary precision integers MUST be encoded as big-endian signed two's complement binary strings.
When a message is sent as a POST, Open ID parameters MUST only be sent in, and extracted from, the POST body.
The redirect URL is the URL of the receiver with the Open ID Authentication message appended to the query string, as specified in Section 4.1.2 In the case of a malformed request, or one that contains invalid arguments, the Open ID Provider MUST redirect the User-Agent to the "openid.return_to" URL value if the value is present and it is a valid URL.
All indirect messages arrive as HTTP requests, and so contain the required fields listed in Section 4.1.2 Data can be transferred by issuing a 302, 303, or 307 HTTP Redirect to the end user's User-Agent.
This means an end user can prove their Identity to a Relying Party without having to leave their current Web page. Other characters that would not be valid in the HTML document or that cannot be represented in the document's character encoding MUST be escaped using the percent-encoding (%xx) mechanism described in [RFC3986] section, these discovery tags are not the same as in previous versions of the protocol.
Open ID Authentication uses only standard HTTP(S) requests and responses, so it does not require any special capabilities of the User-Agent or other client software. While the same data is conveyed, the names have changed which allows a Relying Party to determine the protocol version being used.
An end user can freely choose which Open ID Provider to use, and can preserve their Identifier if they switch Open ID Providers. The host of the HTML document MAY be different from the end user's OP's host.
While nothing in the protocol requires Java Script or modern browsers, the authentication scheme plays nicely with "AJAX"-style setups. The "openid2.provider" and "openid2.local_id" URLs MUST NOT include entities other than "&", "<", ">", and """.
The initiator of the communication chooses which method of indirect communication is appropriate depending on capabilities, message size, or other external factors.