[OpenID] Question from a beginner about the attribute "RPSIG"

Christian SENGIR Busquiel Sanz sengirpaladin at hotmail.com
Tue Apr 28 18:20:09 UTC 2009


Hello

Thank you for your fast reply

So you are saying that the RP has its own parameter so it can check if the OP has messed up the "return_to" parameter?
As you say, "rpsig" is not in the specifications...
But it keeps me intrigued...
Has anyone seen the same parameter, please?
Thank you

From: andrewarnott at gmail.com
Date: Tue, 28 Apr 2009 11:09:14 -0700
Subject: Re: [OpenID] Question from a beginner about the attribute "RPSIG"
To: sengirpaladin at hotmail.com
CC: general at openid.net

Hi,

You're correct: openid.rpsig is not in the specs. This must be an implementation-specific parameter added by an RP, probably to help skip the discovery step when the OP returns the message by allowing the RP to verify that the OP hasn't tampered with the return_to URL. No way to know for sure without cracking open the code of the RP that is crafting the parameter (or a developer on this list who happens to be familiar with that code).

IMO, this implementation-specific parameter should not be using the 'openid.' prefix to its parameter name. That should be considered a reserved prefix for official parameters, since now if a future version of the openid spec were to add an openid.rpsig parameter to the protocol there would be a conflict.

DotNetOpenAuth adds some RP-specific parameters as well, but it uses its own "dnoa." prefix for parameter names to avoid this problem.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire

On Tue, Apr 28, 2009 at 10:55 AM, PepitoGrillo <sengirpaladin at hotmail.com> wrote:

Good day to everyone

I have already signed in the mailing list

I am studying OpenID and investigating how it works using some Wireshark captures I have made
I have seen this attribute, rpsig (openid.rpsig), in many requests and answers; but it does not appear in the OpenID Specifications (I have searched for it with no result in them...)
I know about the attribute sig (openid.sig) and I know how it works, but the attribute rpsig is a mystery for me...

Would you mind explaining to me what it signs and who signs it?
I believe the signer is the Relying Party, but there is no field which says which attributes are signed, so I am a bit confused about this attribute

Thanks in advance and have a nice day ! (^_^)

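Added example, not part of the thread and not the code of any RP mentioned in it: one way an RP could attach its own MAC to the return_to URL so that tampering is detectable when the OP echoes the URL back. The parameter name `rp.sig`, the key and the URLs are constructed assumptions; how the real openid.rpsig is computed cannot be determined from this thread.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample key; a real RP would load a random secret from protected storage.
RP_SECRET = b"constructed-demo-key-not-for-production"
SIG_PARAM = "rp.sig"  # hypothetical name, kept outside the reserved "openid." prefix


def _mac(parts, params):
    """HMAC-SHA256 over scheme, host, path and the sorted non-signature parameters."""
    signed = sorted((k, v) for k, v in params if k != SIG_PARAM)
    canonical = "\n".join([parts.scheme, parts.netloc, parts.path, urlencode(signed)])
    return hmac.new(RP_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def sign_return_to(url):
    """Return the URL with the RP's MAC appended, ready to send as openid.return_to."""
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != SIG_PARAM]
    params.append((SIG_PARAM, _mac(parts, params)))
    return urlunsplit(parts._replace(query=urlencode(params)))


def verify_return_to(url):
    """True only if the echoed return_to carries exactly one MAC and it is valid."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in params if k == SIG_PARAM]
    if len(sigs) != 1:  # a missing or duplicated signature parameter is rejected
        return False
    # Compare as bytes in constant time; str inputs with non-ASCII would raise.
    return hmac.compare_digest(sigs[0].encode(), _mac(parts, params).encode())


if __name__ == "__main__":
    signed = sign_return_to("https://rp.example/openid/finish?session=abc123&next=%2Fhome")
    print(signed)
    print("unmodified:", verify_return_to(signed))
    print("tampered:  ", verify_return_to(signed.replace("%2Fhome", "%2Fadmin")))
```

A MAC like this only shows that the RP itself issued the return_to value; the OP's assertion still has to be verified through openid.sig as the specification describes.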