[OpenID] RP duties
pwilliams at rapattoni.com
Mon Apr 6 23:24:24 UTC 2009
Let's turn from "does an RP maintain or not maintain account recovery capabilities" to request monitoring.
Should an RP that detects that a given openid is being submitted to its login page more than, say, 5 times in 60s be responsible for stifling the flow of discovery and openid auth requests? Or, is it the IDP (or vanity site, or discovery point) that does such monitoring/stifling ...in the openid model?
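
What the RP-side option in the question could look like, as an added example that is not part of the original message: a sliding-window check on the submitted identifier, run before the RP performs discovery. The class and function names, the simplified normalization and the sample events are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit, urlunsplit

MAX_ATTEMPTS = 5      # threshold from the message: more than 5 submissions...
WINDOW_SECONDS = 60   # ...within 60 s


def normalize(identifier: str) -> str:
    """Simplified normalization (an assumption, not the full OpenID rules):
    default to http://, lowercase scheme and host, drop the fragment."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


class IdentifierThrottle:
    """Sliding-window counter keyed on the normalized identifier."""

    def __init__(self, limit=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.seen = defaultdict(deque)

    def allow(self, identifier: str) -> bool:
        """True if the RP should go on to discovery for this submission."""
        key, now = normalize(identifier), self.clock()
        stamps = self.seen[key]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()      # forget submissions older than the window
        if len(stamps) >= self.limit:
            return False          # stifle: no discovery, no auth request sent
        stamps.append(now)
        return True


def replay(events):
    """Run constructed (seconds, identifier) events through a fresh throttle."""
    now = [0.0]
    throttle = IdentifierThrottle(clock=lambda: now[0])
    decisions = []
    for t, ident in events:
        now[0] = t
        decisions.append(throttle.allow(ident))
    return decisions
```

Keying on the identifier alone does not cover a client that cycles through many identifiers, and the per-identifier table grows without eviction here; an RP would normally pair this with a per-source limit and drop idle keys.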