[PROPOSAL] bare response / bare request

Drummond Reed drummond.reed at cordance.net
Fri Oct 6 23:34:56 UTC 2006


Let me play the dumb customer here and say:

* A whole lot of real-world users would love OpenID-enabled bookmarks. 
* A whole lot of websites would love to offer them.
* A whole lot of IdPs would love to provide them.

Translation: it would be really good for adoption.

So if there's a way to design the protocol so that we can have
OpenID-enabled bookmarks, let's choose that way unless everything else
really breaks.

=Drummond (playing OpenID marketer too)

-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf
Of Recordon, David
Sent: Friday, October 06, 2006 4:12 PM
To: Kevin Turner; specs at openid.net
Subject: RE: [PROPOSAL] bare response / bare request

Well that is something that if the spec dictates where to place/format a
request nonce, an IdP could recognize and remove it.  I do agree though
that it is getting close to having too many implications.

--David 

-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
Behalf Of Kevin Turner
Sent: Friday, October 06, 2006 3:25 PM
To: specs at openid.net
Subject: Re: [PROPOSAL] bare response / bare request

On Tue, 2006-10-03 at 19:42 -0700, Dick Hardt wrote:
> On 2-Oct-06, at 12:34 PM, Kevin Turner wrote:
> > On Sat, 2006-09-30 at 20:09 -0400, Dick Hardt wrote:
> >> Motivating Use Case
> >> ----------------------------
> >> The IdP would like to allow the user to click a link on the IdP to 
> >> login to an RP. This requires a bare response to be able to be sent.
> >
> > How will RPs that customarily use a request nonce treat this?
> 
> There will not be a request nonce -- could have the IdP say "none"

Implications of this:

1) RPs must always accept messages without a request nonce.

2) RPs must always accept messages at the same return_to URL.

which also means

3) RPs must never put nonces (or other tokens that will become invalid)
in the return_to, because if they did the IdP would not recognize it as
a nonce and remove it.


Are these things all okay?  I'm not sure if they really break stuff, but
that puts a lot more restrictions on the return_to than I really feel
comfortable with.  And quite possibly takes a lot of the utility out of
request nonces.


_______________________________________________
specs mailing list
specs at openid.net
http://openid.net/mailman/listinfo/specs
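As an added illustration of the three implications Kevin lists above (constructed example code, not part of this thread and not any OpenID library's implementation): a toy RP that binds each outgoing authentication request to a one-time nonce carried in return_to, and two RP policies toward responses that arrive with no such nonce. The endpoint URL, the parameter name `rp_nonce`, the TTL and the IdP-side stripping helper are all assumptions made for the example.

```python
"""Toy model of an RP that binds OpenID responses to a request nonce in
return_to, and of what a "bare" (IdP-initiated, nonce-less) response does
to that check. Constructed illustration only; not the OpenID wire format."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

RP_BASE_RETURN_TO = "https://rp.example/openid/return"  # assumption: fixed RP endpoint
NONCE_PARAM = "rp_nonce"                                # assumption: RP-private parameter name
NONCE_TTL = 300                                         # seconds a pending request stays valid


class RelyingParty:
    """accept_bare=False is the RP style Kevin describes (always expects a
    request nonce); accept_bare=True is what implication 1 would require."""

    def __init__(self, accept_bare: bool):
        self.accept_bare = accept_bare
        self._pending: dict[str, float] = {}   # nonce -> expiry timestamp

    def begin_request(self, now: float) -> str:
        """Start a login: mint a nonce, remember it, embed it in return_to."""
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = now + NONCE_TTL
        scheme, host, path, _query, frag = urlsplit(RP_BASE_RETURN_TO)
        return urlunsplit((scheme, host, path, urlencode({NONCE_PARAM: nonce}), frag))

    def check_response(self, return_to: str, now: float) -> str:
        """Classify an incoming response by the return_to it arrived at."""
        parts = urlsplit(return_to)
        # Implication 2: the response must land on our own endpoint.
        if (parts.scheme, parts.netloc, parts.path) != urlsplit(RP_BASE_RETURN_TO)[:3]:
            return "rejected: return_to is not ours"
        nonce = parse_qs(parts.query).get(NONCE_PARAM, [None])[0]
        if nonce is None:
            # A bare response: no request to bind it to. Policy decides.
            return "accepted: bare response" if self.accept_bare else "rejected: no request nonce"
        expiry = self._pending.pop(nonce, None)        # one-time use
        if expiry is None:
            return "rejected: unknown or already-used request nonce"
        if now > expiry:
            return "rejected: request nonce expired"
        return "accepted: bound to pending request"


def idp_strip_rp_nonce(return_to: str) -> str:
    """Assumed IdP behaviour from David's reply: if the spec told the IdP
    where the RP nonce lives, the IdP could remove it before a bare send."""
    scheme, host, path, query, frag = urlsplit(return_to)
    kept = {k: v[0] for k, v in parse_qs(query).items() if k != NONCE_PARAM}
    return urlunsplit((scheme, host, path, urlencode(kept), frag))


if __name__ == "__main__":
    strict = RelyingParty(accept_bare=False)
    url = strict.begin_request(now=1000.0)
    print(strict.check_response(url, now=1010.0))                  # bound to pending request
    print(strict.check_response(url, now=1011.0))                  # replayed: unknown nonce
    print(strict.check_response(idp_strip_rp_nonce(url), 1010.0))  # implication 3: rejected
    print(RelyingParty(accept_bare=True).check_response(RP_BASE_RETURN_TO, 0.0))
```

The strict RP shows why a bare response conflicts with nonce-in-return_to: once the nonce is absent (whether never issued or stripped by the IdP), the response cannot be tied to any pending request, so the replay and forgery binding that the request nonce provided is gone and the RP is left relying on whatever the response itself carries.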
