Auth 2.0 spec errata regarding delegation vs. directed identity

Josh Hoyt josh at
Wed May 21 19:20:17 UTC 2008

On Wed, May 14, 2008 at 11:20 AM, Martin Atkins <mart at> wrote:
>  * The RP, when verifying that the openid.claimed_id URL in the
> assertion is valid, checks only that the openid2.provider value is
> correct, and doesn't check that the openid2.local_id value matches
> (after removing the fragment part) the openid2.identity URL.
> Both of the above are currently allowed by the Auth 2.0 spec, but since
> doing the above checks doesn't seem to remove any useful possibilities,
> I think there ought to be some sort of errata that requires the checks
> I've listed above.

The "Verifying Discovered Information" section[1] of the OpenID 2.0
Authentication spec is actually pretty explicit about the fact that
the relying party needs to verify this: "If the Claimed Identifier is
included in the assertion, it MUST have been discovered by the Relying
Party and the information in the assertion MUST be present in the
discovered information." It then goes on to list the information that
must be verified.

I think this is already covered.


More information about the specs mailing list