Realm spoofing spec patch
Josh Hoyt
josh at janrain.com
Tue May 29 18:18:37 UTC 2007

Allen,

On 5/29/07, Allen Tom <openid at allentom.com> wrote:
> From an implementation perspective, it might make sense for the OP to
> verify the RP during the association request, so that the association
> handle is only returned after the RP has been verified.

Were you concerned about implementation complexity or the time it
could take to do discovery while the user is waiting?

At association time, the provider does not know who the relying party
is. Are you proposing that the realm be included in the association
request? In that case we'd have to include the discovery URL, in the
case of a wildcard realm.

I see two potential problems:

 1. If the discovery happens during the association request, a
    single-threaded relying party might not respond to the
    verification request. This wouldn't come up too frequently in
    production, but it would raise the bar for example and prototype
    code.

 2. If the form of a return_to URL changes (and the relying party
    updates the discovery information to match) it would be good if
    the provider could attempt verification again, so that a valid
    request could complete successfully.

(2) requires the same flow as the proposed implementation
(verification during the course of the request), and so I think it's
simpler to just leave it in-band. I suppose that the specification
could remain silent on *when* to perform the verification, since it
doesn't really matter from a security perspective, which would leave
both channels open, as long as the pertinent information was added to
the association request.

Josh
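
The retry behaviour from point (2) above, as an added example that is not part of the original message or of any OpenID library: a provider-side check that caches discovered return_to endpoints per realm and repeats discovery once when a request's return_to no longer matches the cached set. `ReturnToVerifier`, `fake_discover`, the sample URLs and the matching rule (same scheme, host and port, with the endpoint path as a segment prefix) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data: what a hypothetical RP currently publishes for its realm.
PUBLISHED = {"http://rp.example/": ["http://rp.example/openid/return"]}

def fake_discover(realm):
    """Stand-in for real discovery on the realm (hypothetical; no network)."""
    return PUBLISHED.get(realm, [])

def _parts(url):
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return u.scheme, (u.hostname or "").lower(), port, u.path or "/"

def matches(return_to, endpoint):
    """Assumed rule: identical origin, endpoint path is a segment prefix."""
    *r_origin, r_path = _parts(return_to)
    *e_origin, e_path = _parts(endpoint)
    if r_origin != e_origin or ".." in r_path.split("/"):
        return False
    prefix = e_path if e_path.endswith("/") else e_path + "/"
    return r_path == e_path or r_path.startswith(prefix)

class ReturnToVerifier:
    def __init__(self, discover):
        self._discover = discover  # callable(realm) -> list of endpoint URLs
        self._cache = {}           # realm -> endpoints seen at last discovery
        self.discoveries = 0       # counter, so the retry is observable

    def _endpoints(self, realm, refresh=False):
        if refresh or realm not in self._cache:
            self.discoveries += 1
            self._cache[realm] = list(self._discover(realm))
        return self._cache[realm]

    def verify(self, realm, return_to):
        was_cached = realm in self._cache
        if any(matches(return_to, e) for e in self._endpoints(realm)):
            return True
        if not was_cached:
            return False  # the answer was already fresh; a retry adds nothing
        # Cached data may be stale (the RP changed its return_to form and
        # republished), so discover once more before rejecting the request.
        fresh = self._endpoints(realm, refresh=True)
        return any(matches(return_to, e) for e in fresh)
```
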