Review of Proposed Implementer’s Draft of OpenID 2.0 to OpenID Connect Migration Specification

Nat Sakimura n-sakimura at nri.co.jp
Tue Oct 7 05:22:58 UTC 2014


No. 

Perhaps we can add a descriptive note in the Final but there is no normative change. 

Nat

On Sat, 4 Oct 2014 23:33:48 +0000
Mike Jones <Michael.Jones at microsoft.com> wrote:

> Nat, should this comment result in an editorial correction to the
> draft before it’s republished?
> 
> From: Torsten Lodderstedt [mailto:torsten at lodderstedt.net]
> Sent: Saturday, October 04, 2014 8:12 AM
> To: Nat Sakimura
> Cc: Mike Jones; specs at lists.openid.net
> Subject: Re: Review of Proposed Implementer’s Draft of OpenID 2.0 to
> OpenID Connect Migration Specification
> 
> Hi Nat,
> On 24.09.2014 15:49, Nat Sakimura wrote:
> 
> ...
> 
> 
> "There could be an attack by a malicious RP to obtain the user’s PPID
> for another RP to perform identity correlation. To mitigate the risk,
> the OP MUST verify that the realm and RP’s Redirect URI matches as
> per Section 9.2 of OpenID 2.0 [OpenID.2.0]."
> 
> I'm not sure what this means. Does it mean the RP's XRDS document
> must contain the RP’s Redirect URI (a OAuth/OIDC redirect_uri)? If
> so, is the RP supposed to use a certain service Type or
> "http://specs.openid.net/auth/2.0/return_to"<http://specs.openid.net/auth/2.0/return_to>?
> 
> Example:
> <Service xmlns="xri://$xrd*($v*2.0)">
>   <Type>http://specs.openid.net/auth/2.0/return_to</Type>
>   <URI>http://consumer.example.com/return</URI>
> </Service>
> 
> It just means that openid2_realm MUST be (roughly) a substring of
> OpenID Connect/OAuth's Redirect URI. No XRDS is involved. Exact rule
> of the matching is given in Section 9.2 of OpenID 2.0.
> 
> It's probably nitpicking, but the OIDC redirect_uri must be matched
> using the rules given in Section 9.2 of OpenID 2.0 instead of the
> OpenID 2.0 return_to URI, correct?
> 
> best regards,
> Torsten.
> 


-- 
Nat Sakimura (n-sakimura at nri.co.jp)
Nomura Research Institute, Ltd. 

The information contained in this e-mail is confidential and is intended
to be sent only to the addressee(s) named. Any use of this information by
anyone other than the intended recipient, including disclosure, copying,
redistribution or forwarding, is prohibited. If you have received this
e-mail in error, please notify the sender and delete the received e-mail.
PLEASE READ:
The information contained in this e-mail is confidential and intended
for the named recipient(s) only. If you are not an intended recipient
of this e-mail, you are hereby notified that any review, dissemination,
distribution or duplication of this message is strictly prohibited. If
you have received this message in error, please notify the sender
immediately and delete your copy from your system.
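The realm-to-redirect_uri check discussed in the thread, as an added example that is not part of the migration specification or of any OP's code: it implements the return URL matching rules of OpenID 2.0 Section 9.2 (scheme and port identical, path equal to or a sub-directory of the realm path, domain identical or covered by a leading "*." wildcard) and applies them to the OAuth/OIDC redirect_uri, which is what the OP has to verify before it maps a PPID for a request carrying openid2_realm. The function names, the sample realms and redirect URIs, the decision that a wildcard realm also matches its own bare domain, and the policy that rejects a wildcard broad enough to cover a whole TLD are assumptions of this example, not text from the specification.

```python
"""Realm vs. redirect_uri check for OpenID 2.0 -> OpenID Connect migration.

Example written for this review; not part of the migration specification
or of any OP implementation.  It applies the return URL matching rules of
OpenID 2.0 section 9.2 to the OIDC redirect_uri, so that a malicious RP
cannot supply another RP's realm and obtain that RP's PPID.
"""
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _split(url):
    """Return (scheme, host, effective port, path); scheme and host lowercased."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else _DEFAULT_PORTS.get(scheme)
    path = p.path or "/"
    return scheme, host, port, path


def realm_is_valid(realm):
    """Structural checks on a realm before matching is attempted."""
    p = urlsplit(realm)
    if p.scheme.lower() not in ("http", "https"):
        return False
    if p.fragment:                      # a realm MUST NOT contain a fragment
        return False
    host = (p.hostname or "").lower()
    if not host:
        return False
    if "*" in host:
        # The wildcard must be the leftmost label and be followed by "."
        if not host.startswith("*.") or "*" in host[2:]:
            return False
        # Policy assumption of this example (not spec text): refuse a
        # wildcard that would cover an entire TLD, e.g. "*.com".
        if host[2:].count(".") < 1:
            return False
    return True


def realm_matches(realm, url):
    """True if `url` matches `realm` under the OpenID 2.0 section 9.2 rules."""
    if not realm_is_valid(realm):
        return False
    r_scheme, r_host, r_port, r_path = _split(realm)
    u_scheme, u_host, u_port, u_path = _split(url)

    # 1. scheme and port of the URL identical to those of the realm
    if r_scheme != u_scheme or r_port != u_port:
        return False
    # 2. URL path equal to, or a sub-directory of, the realm path
    #    ("/app" covers "/app/cb" but not "/application/cb"; query is ignored)
    if not (u_path == r_path or u_path.startswith(r_path.rstrip("/") + "/")):
        return False
    # 3. domain identical, or (wildcard realm) trailing part of the URL's
    #    domain identical to the part after "*."; this example also lets
    #    the bare domain match its own wildcard (an assumption, not spec text)
    if r_host.startswith("*."):
        suffix = r_host[2:]
        return u_host == suffix or u_host.endswith("." + suffix)
    return u_host == r_host


def op_may_release_ppid(openid2_realm, redirect_uri):
    """The OP-side gate before mapping an OpenID 2.0 PPID for this request."""
    return realm_matches(openid2_realm, redirect_uri)


if __name__ == "__main__":
    # Constructed sample requests: an honest RP, and a malicious RP that
    # sends the honest RP's realm with its own redirect_uri.
    honest = ("https://rp.example.com/", "https://rp.example.com/oidc/cb?state=x")
    attack = ("https://rp.example.com/", "https://attacker.example.net/cb")
    for realm, uri in (honest, attack):
        print(realm, uri, "->", op_may_release_ppid(realm, uri))
```

The OP applies this check to the realm it is about to map, not to the OpenID 2.0 return_to that the RP used to send, since the migration request carries no return_to at all; the redirect_uri plays that role here.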

