<div class="gmail_quote">2010/3/8 Benedikt Schröfel <span dir="ltr"><<a href="mailto:b.schroefel@gmx.net">b.schroefel@gmx.net</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
And a little question on the Attribute Exchange 1.0:<br>
<br>
Which parts of the attributes the RP receives from the provider are signed? Would it be possible to change them after the provider has send? (I would like to move the userdata, such as nickname, email etc. from the provider to the user side, so the data will be filled in at the user side during the redirect to the RP).<br>
If the attributes are signed then I will forget about this idea ;)<br></blockquote><div></div></div><br><div>Last I checked openid4j didn't sign any of the AX extension. But the key point to remember is that any OP may have its own policies for whether to sign AX, and <i>which parts</i> of AX to sign. Also, just because it's signed doesn't means it's reliable. You have to trust the OP and understand from the trusted OP that that data has been verified. For example, you may trust Google's OP, and Google may sign AX data, but if Google didn't verify the information it got from me that it is now forwarding to your RP via AX, then all that signing does nothing for verifying the data is good. (in particular, Google currently only sends verified data).</div>
<div><br></div><div>Anyway, you as an RP must determine which OPs you trust, which parts of AX you trust, and then you must verify that those trustable parts of AX are actually included in the signature of the OpenID assertion at the RP.</div>