[Code] How to use association secret to sign additional data?
Andrew Arnott
andrewarnott at gmail.com
Mon Mar 8 22:42:32 UTC 2010
2010/3/8 Benedikt Schröfel <b.schroefel at gmx.net>
> And a little question on the Attribute Exchange 1.0:
>
> Which parts of the attributes the RP receives from the provider are signed?
> Would it be possible to change them after the provider has sent? (I would
> like to move the userdata, such as nickname, email etc. from the provider to
> the user side, so the data will be filled in at the user side during the
> redirect to the RP).
> If the attributes are signed then I will forget about this idea ;)
>
Last I checked openid4j didn't sign any of the AX extension. But the key
point to remember is that any OP may have its own policies for whether to
sign AX, and *which parts* of AX to sign. Also, just because it's signed
doesn't mean it's reliable. You have to trust the OP and understand from
the trusted OP that that data has been verified. For example, you may trust
Google's OP, and Google may sign AX data, but if Google didn't verify the
information it got from me that it is now forwarding to your RP via AX, then
all that signing does nothing for verifying the data is good. (In
particular, Google currently only sends verified data.)
Anyway, you as an RP must determine which OPs you trust, which parts of AX
you trust, and then you must verify that those trustable parts of AX are
actually included in the signature of the OpenID assertion at the RP.
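The check described in the last paragraph, as an added example that is not part of this thread and not code from openid4java or any other library: it takes a positive assertion in the form the OP redirects back to the RP's return_to URL, reads the openid.signed list, and reports for each AX attribute type the RP wants to rely on whether the namespace binding, the type declaration and every value key for that attribute are all covered by the signature. It also checks the fields OpenID 2.0 requires to be signed in every positive assertion. It does not compute the HMAC itself (that is done with the association secret and is assumed to have already passed); it only answers whether the trusted AX parts are inside what was signed. The sample assertions, the op.example/rp.example hosts and the signature value are constructed placeholders. The function works for any AX attribute type URI, not only email.

```python
from urllib.parse import parse_qsl

AX_NS = "http://openid.net/srv/ax/1.0"
EMAIL_TYPE = "http://axschema.org/contact/email"

# Fields OpenID 2.0 requires in openid.signed for every positive assertion;
# claimed_id and identity must be signed whenever they appear in the response.
CORE_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
CORE_SIGNED_IF_PRESENT = ("claimed_id", "identity")


def parse_assertion(query):
    """Decode a positive assertion delivered as a return_to query string."""
    return dict(parse_qsl(query, keep_blank_values=True))


def signed_fields(params):
    """Field names (without the 'openid.' prefix) covered by openid.sig."""
    return {f for f in params.get("openid.signed", "").split(",") if f}


def core_fields_signed(params):
    """True if every field the spec requires to be signed is in openid.signed."""
    signed = signed_fields(params)
    if not all(f in signed for f in CORE_SIGNED):
        return False
    return all(f in signed for f in CORE_SIGNED_IF_PRESENT if f"openid.{f}" in params)


def ax_alias(params):
    """Extension alias bound to the AX namespace (e.g. 'ax' for openid.ns.ax)."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def ax_coverage(params, wanted_types):
    """
    Report 'signed', 'unsigned' or 'missing' for each attribute type URI.
    An attribute counts as signed only if the namespace binding (ns.<alias>),
    its type declaration and all of its value/count keys are in openid.signed;
    leaving any of them out would let that part be altered on the way to the RP.
    """
    alias = ax_alias(params)
    if alias is None:
        return {t: "missing" for t in wanted_types}
    signed = signed_fields(params)
    type_prefix = f"openid.{alias}.type."
    # type URI -> attribute alias, e.g. '.../contact/email' -> 'email'
    aliases_by_type = {v: k[len(type_prefix):] for k, v in params.items()
                       if k.startswith(type_prefix)}
    report = {}
    for type_uri in wanted_types:
        attr = aliases_by_type.get(type_uri)
        if attr is None:
            report[type_uri] = "missing"
            continue
        needed = {f"ns.{alias}", f"{alias}.type.{attr}"}
        for key in params:
            if not key.startswith("openid."):
                continue
            bare = key[len("openid."):]
            if bare in (f"{alias}.value.{attr}", f"{alias}.count.{attr}") \
                    or bare.startswith(f"{alias}.value.{attr}."):
                needed.add(bare)
        report[type_uri] = "signed" if needed <= signed else "unsigned"
    return report


# Constructed sample assertions (placeholder hosts, handle and signature).
_COMMON = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res"
    "&openid.op_endpoint=https%3A%2F%2Fop.example%2Fserver"
    "&openid.claimed_id=https%3A%2F%2Fop.example%2Fid%2Falice"
    "&openid.identity=https%3A%2F%2Fop.example%2Fid%2Falice"
    "&openid.return_to=https%3A%2F%2Frp.example%2Freturn"
    "&openid.response_nonce=2010-03-08T22%3A42%3A32Zabc&openid.assoc_handle=handle123"
    "&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_response"
    "&openid.ax.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail"
    "&openid.ax.value.email=alice%40example.org&openid.sig=PLACEHOLDER"
)
_CORE_LIST = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
SIGNED_SAMPLE = _COMMON + "&openid.signed=" + _CORE_LIST + ",ns.ax,ax.mode,ax.type.email,ax.value.email"
UNSIGNED_SAMPLE = _COMMON + "&openid.signed=" + _CORE_LIST

if __name__ == "__main__":
    for name, query in (("signed", SIGNED_SAMPLE), ("unsigned", UNSIGNED_SAMPLE)):
        params = parse_assertion(query)
        print(name, core_fields_signed(params), ax_coverage(params, [EMAIL_TYPE]))
```

Anything reported as "unsigned" should be treated exactly like an attribute the OP never sent: usable as a hint to pre-fill a form, never as verified data. Which OPs to trust, and which of their AX attributes, remains a policy decision the RP makes before this check runs.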