<div>Arrgh! I'm horrible with names. See below for corrected text.</div>
<div> </div>
<div class="gmail_quote">On Wed, May 21, 2008 at 4:03 PM, John Ehn <<a href="mailto:john@extremeswank.com">john@extremeswank.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div>Josh,</div>
<div> </div>
<div>I'm tending to agree with Martin on this one. I guess that statement does, in a roundabout way, imply the Relying Party should do the following:</div>
<div> </div>
<div>* Run discovery against the Claimed Identifier (or use the cached response from a previous discovery), thereby determining the Local Identifier and endpoint URLs</div>
<div>* If a Local Identifier is discovered, compare the Local Identifier with the openid.identity value in the assertion and verify they are the same - if they do not match, then authentication validation MUST fail</div>
<div>* If a Local Identifier is not discovered, compare the Claimed Identifier with the openid.identity value in the assertion and verify they are the same - if they do not match, the Claimed Identifier MUST be ignored, and the value of "openid.identity" MUST be used instead</div>
<div> </div>
<div>It does not state this, though. It is very much open to interpretation.</div>
<div> </div>
<div>Normative text needs to be very specific. If you make a vague statement like "you MUST verify what was received against what you already know", it can be interpreted very differently depending upon who is reading it.</div>
<div> </div>
<div>Honestly, my client implementation did not perform this check until Martin made mention of it on this list. From what Martin states, it appears several implementations are affected by this issue, from which it follows that the specification does not read as clearly as it should.</div>
<div> </div>
<div>Therefore, I suggest taking some action to correct the problem. Sweeping this under the carpet will cause more harm than good.</div>
<div> </div>
<div>Thank you,</div>
<div> </div><font color="#888888">
<div>John Ehn</div>
<div><a href="http://extremeswank.com/" target="_blank">extremeswank.com</a></div></font>
<div>
<div></div>
<div class="Wj3C7c">
<div><br> </div>
<div class="gmail_quote">On Wed, May 21, 2008 at 3:20 PM, Josh Hoyt <<a href="mailto:josh@janrain.com" target="_blank">josh@janrain.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div>On Wed, May 14, 2008 at 11:20 AM, Martin Atkins <<a href="mailto:mart@degeneration.co.uk" target="_blank">mart@degeneration.co.uk</a>> wrote:<br>> * The RP, when verifying that the openid.claimed_id URL in the<br>
> assertion is valid, checks only that the openid2.provider value is<br>> correct, and doesn't check that the openid2.local_id value matches<br>> (after removing the fragment part) the openid2.identity URL.<br>
</div>[...]<br>
<div>><br>> Both of the above are currently allowed by the Auth 2.0 spec, but since<br>> doing the above checks doesn't seem to remove any useful possibilities,<br>> I think there ought to be some sort of errata that requires the checks<br>
> I've listed above.<br><br></div>The "Verifying Discovered Information" section[1] of the OpenID 2.0<br>Authentication spec is actually pretty explicit about the fact that<br>the relying party needs to verify this: "If the Claimed Identifier is<br>
included in the assertion, it MUST have been discovered by the Relying<br>Party and the information in the assertion MUST be present in the<br>discovered information." It then goes on to list the information that<br>
must be verified.<br><br>I think this is already covered.<br><br>Josh<br><br><a href="http://openid.net/specs/openid-authentication-2_0.html#verify_disco" target="_blank">http://openid.net/specs/openid-authentication-2_0.html#verify_disco</a><br>
<div>
<div></div>
</div></blockquote></div><br></div></div></blockquote></div><br>
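<div>An added example, not code from any of the posters, showing the Relying Party check the thread is about: discover the Claimed Identifier, then compare the discovered OP-Local Identifier (or the Claimed Identifier itself when none was published) against openid.identity, ignoring the fragment and also confirming openid.op_endpoint. The discovery table, identifiers and endpoint URL are constructed; both mismatch cases are treated as a verification failure, the stricter reading of "the information in the assertion MUST be present in the discovered information".</div>

```python
from urllib.parse import urldefrag

# Constructed stand-in for discovery: what this RP found (or cached) for each
# Claimed Identifier. Real discovery fetches the identifier URL and parses
# XRDS / HTML link elements; here it is a fixed table.
DISCOVERED = {
    "https://alice.example.net/": {
        "op_endpoint": "https://op.example.org/auth",
        "local_id": "https://op.example.org/users/alice",  # openid2.local_id
    },
    "https://bob.example.net/": {
        "op_endpoint": "https://op.example.org/auth",
        "local_id": None,  # no openid2.local_id published for this identifier
    },
}


def discover(claimed_id):
    """Return discovered information for a Claimed Identifier (constructed)."""
    return DISCOVERED.get(claimed_id)


def verify_discovered_info(assertion):
    """Check an assertion's identifier fields against discovered information.

    Returns (ok, reason). Steps: discover the Claimed Identifier (fragment
    removed), confirm the asserting endpoint is the discovered one, then
    require openid.identity to equal the discovered OP-Local Identifier, or
    the Claimed Identifier itself when no OP-Local Identifier was discovered.
    """
    claimed_id, _fragment = urldefrag(assertion.get("openid.claimed_id", ""))
    identity = assertion.get("openid.identity", "")
    if not claimed_id or not identity:
        return False, "assertion lacks openid.claimed_id or openid.identity"
    info = discover(claimed_id)
    if info is None:
        return False, "claimed identifier was never discovered by this RP"
    # An assertion from an endpoint discovery did not name must be rejected.
    if assertion.get("openid.op_endpoint") != info["op_endpoint"]:
        return False, "openid.op_endpoint does not match discovered endpoint"
    expected = info["local_id"] or claimed_id
    if identity != expected:
        return False, "openid.identity %r does not match discovered %r" % (identity, expected)
    return True, "ok"
```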