[OpenID] OpenID as an attack relay
simon at simonwillison.net
Tue Mar 20 10:52:30 UTC 2007
On 3/20/07, Lukas Rosenstock <lukas.rosenstock at identity20.eu> wrote:
> The example you have given could maybe be prevented by not allowing query
> parameters in an identity URL. Current identities look like
> "username.provider.com" or "provider.com/username", in rare cases
> "provider.com/users/username.htm"; it wouldn't hurt to make query
> parameters invalid in an identity URL.
That feels very strange to me. We're moving from "an OpenID is a URL"
to "an OpenID is a URL that must conform to these specific
I agree that OpenIDs that contain query strings are likely to be
rare, but I'm also certain that someone could come up with an
interesting use of OpenID in the future for which query strings were