[OpenID] Question from a beginner about the attribute "RPSIG"

Andrew Arnott andrewarnott at gmail.com
Tue Apr 28 18:09:14 UTC 2009


Hi,

You're correct: openid.rpsig is not in the specs.  This must be an
implementation-specific parameter added by an RP, probably to help skip the
discovery step when the OP returns the message by allowing the RP to verify
that the OP hasn't tampered with the return_to URL.  No way to know for sure
without cracking open the code of the RP that is crafting the parameter (or
a developer on this list who happens to be familiar with that code).

IMO, this implementation-specific parameter should *not* be using the
'openid.' prefix to its parameter name.  That should be considered a
reserved prefix for official parameters, since now if a future version of
the openid spec were to add an openid.rpsig parameter to the protocol there
would be a conflict.

DotNetOpenAuth adds some RP-specific parameters as well, but it uses its own
"dnoa." prefix for parameter names to avoid this problem.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Tue, Apr 28, 2009 at 10:55 AM, PepitoGrillo <sengirpaladin at hotmail.com> wrote:

>
> Good day to everyone
>
> I have already signed in the mailing list
>
> I am studying OpenID and investigating how it works using some Wireshark
> captures I have made
> I have seen this attribute, rpsig (openid.rpsig), in many requests and
> answers; but it does not appear in the OpenID Specifications (I have
> searched for it with no result in them...)
> I know about the attribute sig (openid.sig) and I know how it works, but
> the attribute rpsig is a mystery for me...
>
> Would you mind explaining to me what it signs and who signs it?
> I believe the signer is the Relying Party, but there is no field which says
> which attributes are signed, so I am a bit confused about this attribute
>
> Thanks in advance and have a nice day ! (^_^)
>
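
A sketch of the kind of RP-private return_to signature the reply above describes, added here as an illustration; it is not the code of the RP that emitted openid.rpsig, nor DotNetOpenAuth's. The "myrp." prefix, the parameter name, the key and the HMAC-SHA256 construction are all assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical names: an RP-private prefix keeps clear of the "openid." namespace.
SIG_PARAM = "myrp.return_to_sig"
RP_SECRET = b"constructed-demo-key"  # constructed; a real RP keeps this server-side


def _split(url):
    """Return (canonical URL without openid.* and signature params, signature values)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs
            if k != SIG_PARAM and not k.startswith("openid.")]
    sigs = [v for k, v in pairs if k == SIG_PARAM]
    canonical = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))
    return canonical, sigs


def _mac(canonical):
    return hmac.new(RP_SECRET, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_return_to(return_to):
    """RP side, before redirecting to the OP: append a MAC over the RP's own URL."""
    parts = urlsplit(return_to)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if any(k == SIG_PARAM or k.startswith("openid.") for k, _ in pairs):
        raise ValueError("return_to already carries reserved or signature parameters")
    canonical, _ = _split(return_to)
    pairs.append((SIG_PARAM, _mac(canonical)))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), ""))


def verify_return_to(received_url):
    """RP side, when the OP redirects back with openid.* parameters appended."""
    canonical, sigs = _split(received_url)
    if len(sigs) != 1:  # missing or duplicated signature parameter
        return False
    return hmac.compare_digest(sigs[0].encode("utf-8"), _mac(canonical).encode("ascii"))
```

The MAC covers only the RP's own return_to parameters; the openid.* fields of the response are outside it and are still checked through openid.sig.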