More questions about openid.ax.update_url
Johnny Bufu
johnny at sxip.com
Wed Oct 17 19:36:39 UTC 2007
On 17-Oct-07, at 2:42 AM, James Henstridge wrote:
> The next one is not so much a question as an observation: As an
> identity URL may change its delegation over time (possibly without the
> underlying OP's knowledge), it is possible that an RP will receive
> updates from an OP that is not authoritative for the claimed ID.
>
> So in addition to checking the signature on the unsolicited OpenID
> response, an RP must perform discovery on the claimed ID to verify
> that the OP is correct. I could imagine an RP missing this step when
> implementing the spec.
Checking the signature and discovered information are requirements in
the core OpenID protocol.
See 11. Verifying Assertions:
http://openid.net/specs/openid-authentication-2_0-12.html#verification
Johnny
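Worked example of the point made above, added here and not taken from the thread or from the OpenID specification: an RP-side check that applies both section 11 steps to an unsolicited positive assertion, so that a correctly signed assertion from an OP the claimed ID no longer delegates to is still rejected. The association table, the discovery results, the OP endpoints and the assertion fields are all constructed; discovery is a stub standing in for real Yadis/HTML discovery.

```python
import base64
import hashlib
import hmac

# Constructed sample data (not from the thread). The RP holds associations
# with two OPs; the claimed ID currently delegates to op-b only.
ASSOCIATIONS = {"assoc-a": b"secret-shared-with-op-a", "assoc-b": b"secret-shared-with-op-b"}
DISCOVERY = {  # claimed_id -> (op_endpoint, op_local_id), as discovery would return it
    "https://alice.example.org/": ("https://op-b.example.net/ep", "https://op-b.example.net/alice"),
}

def discover(claimed_id):
    """Stub for Yadis/HTML discovery on the claimed identifier (hypothetical)."""
    return DISCOVERY.get(claimed_id)

def sign(fields, mac_key):
    """HMAC-SHA256 over the key-value form of the fields listed in 'signed'."""
    kv = "".join(f"{k}:{fields[k]}\n" for k in fields["signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def verify_unsolicited_assertion(fields, associations=ASSOCIATIONS, discover=discover):
    """Apply both section-11 checks (signature, then discovery); return (accepted, reason)."""
    mac_key = associations.get(fields.get("assoc_handle"))
    if mac_key is None:
        return False, "unknown assoc_handle (would need check_authentication)"
    if not hmac.compare_digest(sign(fields, mac_key), fields.get("sig", "")):
        return False, "bad signature"
    found = discover(fields["claimed_id"])
    if found is None:
        return False, "discovery failed"
    op_endpoint, local_id = found
    if op_endpoint != fields["op_endpoint"]:
        return False, "OP is not authoritative for claimed_id"
    if local_id != fields["identity"]:
        return False, "identity does not match the discovered OP-local ID"
    return True, "ok"

def build_assertion(op_endpoint, identity, assoc_handle):
    """What an OP would send (also constructed); the OP signs with its own association key."""
    fields = {
        "ns": "http://specs.openid.net/auth/2.0", "mode": "id_res",
        "op_endpoint": op_endpoint, "claimed_id": "https://alice.example.org/",
        "identity": identity, "return_to": "https://rp.example.com/finish",
        "response_nonce": "2007-10-17T19:36:39Zabcd", "assoc_handle": assoc_handle,
        "signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["sig"] = sign(fields, ASSOCIATIONS[assoc_handle])
    return fields
```

An assertion built for op-a passes the signature check (the RP still has that association) but fails discovery, which is exactly the case an RP that skips step two would accept.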
More information about the specs mailing list