[OpenID] Conformance and Interop
Allen Tom
openid at allentom.com
Mon May 14 07:44:46 UTC 2007
Hi Paul,
There definitely needs to be more work on conformance testing and
especially for automated tools for RPs and OPs.
Large OPs implicitly bless an RP if they choose to honor Auth Requests
originating from that RP. Since so many RPs are choosing to roll their
own OpenID implementation, there are certainly many flawed RPs with
gaping security holes out in the wild. It would certainly be great if
there was a documented mechanism for an OP to perform an automated sanity
check on an unknown RP before servicing Auth Requests for that RP.
Likewise, RPs have a lot to lose from trusting unknown OPs. For
instance, a spammer could set up their own spam OP to create millions of
accounts on the RP for spam purposes.
Allen
> It would be very useful to have a good FAQ addressing this issue and,
> in due course, agreed and documented best practice plus some form of
> assurance process. If this was backed by hard evidence of
> interoperability so much the better.