<div>
                    Hi --
                </div><div><br></div><div>I'm using python-openid for my RP and Google Marketplace wanted to make sure this implementation is not vulnerable to spoofed, non-signed attributes such as email addresses.</div><div><br></div><div>See: <a href="http://googlecode.blogspot.com/2011/05/security-advisory-to-websites-using.html">http://googlecode.blogspot.com/2011/05/security-advisory-to-websites-using.html</a></div><div><br></div><div>Looking at the python-openid code, it seems that the default requires that only signed attributes are allowed to passed in the response.</div><div><br></div><div>See: <a href="https://github.com/openid/python-openid/blob/master/openid/extensions/ax.py">https://github.com/openid/python-openid/blob/master/openid/extensions/ax.py</a></div><div><br></div><div>Can anyone confirm that it is true that python-openid checks that the attribute is signed by the correct corresponding IDP?</div><div><br></div><div>Thanks,</div><div>Mike</div>
                <div></div>