Please clarify 2.0 TOC 14 -- Re: RFC: Final outstanding issues with the OpenID 2.0 Authentication specification

Boris Erdmann boris.erdmann at googlemail.com
Thu May 24 13:33:33 UTC 2007


Kevin,

thanks for commenting on that. But no, openid.realm is not a URL,
it's a pattern (see 2.0-11, 9.2 Realms). The spec currently doesn't
tell how to derive "the" XRDS URL from openid.realm. So the question
remains, where to publish that document?


Other uses?
Well, I'm running an OP in Germany, and the phishing issue is quite a
show stopper over here. So I am trying to change that. After some
posts to these lists and a lengthy talk between Dmitry and me last
week, there is at least consensus between us two, that the protocol
as-is offers little to no help for user agents to get a grip on it.

Now, letting user agents detect RPs or OPs based on guesswork isn't
exactly helpful to the phishing topic (imo).

Unfortunately (and that may be my fault, failing *how* to say it) my
suggestions didn't go down particularly well here.

So, letting UAs detect an RP by its XRDS document would just be a
start, though I'm still of the opinion that detecting an OP is much
more important and that it cannot be done robustly by joining in at
the RP -- mostly, because the protocol defines no constraints for
continuity regarding the RP-OP transition (which in the short run
would be wrong anyway, I think).


OTOH, talking to the responsible Mozilla (sub)project lead gets me to
the conclusion (which may be wrong) that they still don't have too
many ideas about how a user agent could support OpenID in detail.

So, I'm hoping not to be too obtrusive repeating this very same issue
over and over, but I think it's still valid.


regards
-- Boris


On 5/23/07, Kevin Turner <kevin at janrain.com> wrote:
> On Fri, 2007-05-18 at 22:21 +0200, Boris Erdmann wrote:
> > http://openid.net/specs/openid-authentication-2_0-11.html#anchor34
> >
> > Should the document be placed under
> > http://relyingparty.com/ or http://relyingparty.com/return_to_url?
> > or does it have to be link rel'ed in every page?
>
> For the proposed check against realm forgery, you'll want to make sure
> it's available at the URL given in the openid.realm parameter of your
> checkid request.  Josh is currently writing up the details on that.
>
> For other uses, I think the answer is "it depends"; what are those uses?
> Publishing it at return_to_url doesn't seem to be very useful, because
> it's the return_to url that the seeker would be trying to discover.
> That would be the equivalent of a sign saying "you are here" and nothing
> more.
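An added example, not part of this thread or of any OpenID library: a check of whether a return_to URL matches an openid.realm pattern as described in section 9.2 of the 2.0 spec that Boris refers to. The function names and the heuristic for refusing over-broad wildcard realms are my own assumptions.

```python
from urllib.parse import urlsplit

# Added example, not from the mailing-list thread. Implements the
# return_to-vs-realm matching rule of OpenID 2.0 section 9.2; the names and
# the breadth heuristic for wildcard realms are assumptions, not spec text.

DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_and_port(parts):
    """Lower-cased host plus the explicit port or the scheme default."""
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    return host, port


def realm_matches(realm, return_to):
    """True if return_to matches the realm pattern (OpenID 2.0 sec. 9.2).

    A realm is a pattern, not a URL: its host may start with '*.' to cover
    any subdomain; scheme and port must agree; the return_to path must be
    the realm path or a sub-directory of it; a realm with a fragment is
    invalid. An OP that skips this check lets a forged realm be shown to
    the user while the assertion is sent somewhere else.
    """
    r, u = urlsplit(realm), urlsplit(return_to)
    scheme = r.scheme.lower()
    if r.fragment or scheme not in DEFAULT_PORTS or u.scheme.lower() != scheme:
        return False
    r_host, r_port = _host_and_port(r)
    u_host, u_port = _host_and_port(u)
    if r_port != u_port or not r_host or not u_host:
        return False
    if r_host.startswith("*."):
        suffix = r_host[2:]
        # Assumption: refuse realms so broad that they cover a whole TLD.
        if "*" in suffix or "." not in suffix:
            return False
        if u_host != suffix and not u_host.endswith("." + suffix):
            return False
    elif "*" in r_host or u_host != r_host:
        return False  # a wildcard is only allowed as a leading '*.'
    r_path = r.path or "/"
    u_path = u.path or "/"
    if r_path.endswith("/"):
        return u_path.startswith(r_path)
    return u_path == r_path or u_path.startswith(r_path + "/")
```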


