Few comments on Draft 11

Josh Hoyt josh at janrain.com
Fri Nov 10 18:08:37 UTC 2006


On 11/10/06, Prasanta Behera <pbehera at yahoo-inc.com> wrote:
> #1: Section 10.1
> > Value: Comma-separated list of signed fields. Note: This entry consists of
> the fields without the "openid." prefix that the signature covers. This list
>
> > MUST contain at least "return_to" and "response_nonce", and if present in
> the response, "disco_id" and "identity". For example,
>
> > "identity,disco_id,return_to,response_nonce".
>
> It should be "if present in the response, "disco_id" and/or "identity   … "
> since identity is an optional field.

As of draft 11, disco_id is present if, and only if, identity is
present, so I think the wording is OK. Maybe that relationship should
be emphasized elsewhere.

> #2: Section 11.3
>
> >If the Claimed Identifier was not present in the request ("openid.identity"
> was "http://openid.net/identifier_select/2.0"), the Relying
> Party MUST perform discovery on the Identifier in the response to make sure
> that the IdP is authorized to make assertions about the Identifier.
>
> Why does the RP need to do discovery again on the identifier asserted by the IdP
> when the IdP asserted it? (or maybe I misread it)

The relying party must do discovery to determine that the IdP that
made the assertion is authoritative for that identifier.

For example, if a response comes back from "http://rogue-idp.com/" for
"http://openid.yahoo.com/joshhoyt", the relying party will know not to
accept it after performing discovery on
"http://openid.yahoo.com/joshhoyt".

Does that clear it up?

Josh
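The two checks discussed in this exchange, the signed-field rule from section 10.1 and the discovery rule from section 11.3, modelled as an offline relying-party check. This is an added example written for this page; it is not code from the thread, from the OpenID draft, or from any library. Discovery is replaced by a constructed lookup table (the Yahoo endpoint URL in it is hypothetical), the signing construction is the key-value form HMAC-SHA1 that OpenID uses over the listed signed fields, and a single constructed shared secret is used for every response. In the rogue-IdP case the signature is deliberately valid, which is exactly Josh's point: a well-formed, correctly signed assertion is still rejected once discovery shows the asserting IdP is not authoritative for the identifier.

```python
"""Offline model of two relying-party checks from the thread: the signed-field
list (section 10.1) and discovery on the asserted identifier (section 11.3).
Added example; not code from the thread or from the OpenID specification."""
import base64
import hashlib
import hmac

# Constructed stand-in for discovery. Real discovery fetches the identifier
# URL (Yadis/HTML) to learn which IdP endpoint is authoritative for it; a
# table plays that role here so the example runs offline. The endpoint URL
# is hypothetical.
DISCOVERY_TABLE = {
    "http://openid.yahoo.com/joshhoyt": "http://openid.yahoo.com/server",
}

REQUIRED_SIGNED = {"return_to", "response_nonce"}
CONDITIONALLY_SIGNED = ("identity", "disco_id")


def discover(identifier):
    """Return the IdP endpoint discovery yields for an identifier, or None."""
    return DISCOVERY_TABLE.get(identifier)


def signed_list_ok(response):
    """Section 10.1 rule: the signed list covers return_to and response_nonce
    and, when they appear in the response, identity and disco_id."""
    signed = set(response.get("openid.signed", "").split(","))
    if not REQUIRED_SIGNED <= signed:
        return False
    return all(f in signed for f in CONDITIONALLY_SIGNED if "openid." + f in response)


def kv_signature(response, secret):
    """Key-value form signature: 'field:value\\n' per signed field (without the
    openid. prefix), HMAC-SHA1 under the association secret, base64."""
    fields = response["openid.signed"].split(",")
    token = "".join(f"{f}:{response['openid.' + f]}\n" for f in fields).encode()
    return base64.b64encode(hmac.new(secret, token, hashlib.sha1).digest()).decode()


def idp_authoritative(response, asserting_idp):
    """Section 11.3 rule as Josh describes it: discover the asserted identifier
    and accept only if discovery points back at the IdP that made the assertion."""
    identity = response.get("openid.identity")
    if identity is None:
        return True  # nothing asserted about an identifier, so nothing to verify
    return discover(identity) == asserting_idp


def accept_assertion(response, asserting_idp, secret):
    """Run all three checks in order; returns a (verdict, reason) pair."""
    if not signed_list_ok(response):
        return False, "signed list incomplete"
    expected = kv_signature(response, secret)
    if not hmac.compare_digest(expected, response.get("openid.sig", "")):
        return False, "bad signature"
    if not idp_authoritative(response, asserting_idp):
        return False, "IdP not authoritative for identifier"
    return True, "ok"


# Constructed sample data: one shared secret for every response (a real RP
# holds one per association) and a response built around Josh's identifier.
SECRET = b"constructed-association-secret"


def make_response(identity, signed, secret=SECRET):
    r = {
        "openid.return_to": "http://rp.example/return",  # hypothetical RP URL
        "openid.response_nonce": "2006-11-10T18:08:37Zabc",  # constructed nonce
        "openid.identity": identity,
        "openid.disco_id": identity,
        "openid.signed": signed,
    }
    r["openid.sig"] = kv_signature(r, secret)
    return r


def demo():
    """Genuine, rogue-IdP, incomplete-signed-list and tampered cases."""
    ident = "http://openid.yahoo.com/joshhoyt"
    full = "identity,disco_id,return_to,response_nonce"
    good = make_response(ident, full)
    tampered = make_response(ident, full)
    tampered["openid.return_to"] = "http://other.example/return"  # changed after signing
    return {
        "genuine": accept_assertion(good, "http://openid.yahoo.com/server", SECRET),
        "rogue": accept_assertion(good, "http://rogue-idp.com/", SECRET),
        "unsigned_identity": accept_assertion(
            make_response(ident, "return_to,response_nonce"),
            "http://openid.yahoo.com/server", SECRET),
        "tampered": accept_assertion(tampered, "http://openid.yahoo.com/server", SECRET),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The order of the checks matters for the reasoning in the thread: the signature proves only that the response is intact and came from whoever holds the association secret, so the discovery step is what ties that signer to the identifier being asserted. A relying party that stops after signature verification accepts the rogue case.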


