Consolidated Delegate Proposal

Dick Hardt dick at sxip.com
Tue Oct 17 21:01:52 UTC 2006


On 17-Oct-06, at 11:15 AM, Josh Hoyt wrote:

> On 10/17/06, Dick Hardt <dick at sxip.com> wrote:
>> > It is, and must be, the relying party's responsibility to ensure that
>> > the information in the response matches what is discovered. This is
>> > true regardless when portable identifiers are used and when they are
>> > not. It is true for all of the proposed delegation mechanisms. It is
>> > really one of the fundamental elements of OpenID.
>> >
>> > A response from an IdP is meaningless until it is compared with the
>> > discovered information for the identifier in question.
>>
>> If the RP is needing to make sure they match, then what is the point
>> in sending both since the RP is figuring them out anyway?
>
> 1. IdP is not required to do discovery (more importantly, if an IdP
> gets it wrong or is tricked, it is not treated as the authority on the
> discovered information)

I was not clear. What is the point in the IdP sending both if the RP
is needing to make sure that they match?

>
> 2. It is explicit what is going on from an implementation and
> specification perspective

And I see the opposite. What the RP sends the IdP is just a hint.
What the IdP sends the RP is authoritative.
I see having two parameters as implying more meaning than is really
there.
Did you read what I wrote? Was there something you did not
understand? Perhaps you can point out what you disagree with in what I
wrote?

> It seems like this discussion is no longer constructive. It's a pretty
> subtle issue, but I have not seen any new insight in a while. I think
> we need to come up with a decision making strategy that we can live
> with, and get the decision made.

Well, I don't find that being constructive!
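
[Added example, not part of the original message or of any OpenID specification text.] The relying-party check discussed in this thread, comparing an IdP response against what the RP itself discovered, could look like the sketch below. The field names (claimed_id, idp_local_id, idp_endpoint), the URLs and the discovery table are all hypothetical and constructed for illustration; signature verification of the response is assumed to happen separately.

```python
from typing import NamedTuple, Optional

class Discovered(NamedTuple):
    """What the RP itself found by running discovery on an identifier."""
    idp_endpoint: str
    idp_local_id: str  # equals the claimed identifier when no delegation is used

class Assertion(NamedTuple):
    """Fields from the IdP response (hypothetical names; signature checked elsewhere)."""
    claimed_id: str
    idp_local_id: str
    idp_endpoint: str

# Constructed discovery results standing in for the RP's own discovery step.
DISCOVERY = {
    # alice delegates her own URL to an account at idp.example
    "https://alice.example/": Discovered(
        "https://idp.example/server", "https://idp.example/users/alice"),
    # bob uses no delegation: the local id is the claimed id
    "https://bob.example/": Discovered(
        "https://idp.example/server", "https://bob.example/"),
}

def verify(assertion: Assertion, discover=DISCOVERY.get) -> Optional[str]:
    """Return the identifier to log in, or None when the response does not
    match what the RP discovered for the claimed identifier."""
    found = discover(assertion.claimed_id)
    if found is None:
        return None  # nothing discoverable for this identifier
    if found.idp_endpoint != assertion.idp_endpoint:
        return None  # response came from an IdP the identifier does not name
    if found.idp_local_id != assertion.idp_local_id:
        return None  # IdP vouched for a different account than the one delegated to
    return assertion.claimed_id
```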
