[OpenID] Can one use Generic OpenIds

[Johnny Bufu]

On 24-May-07, at 7:49 AM, Peter Watkins wrote:
> Why does section 10.1, as Johnny highlighted in another thread, say
> only that RPs "SHOULD accept and verify assertions about Idenitifers
> for which they have not requested authentication"? It seems to me that
> both this group/role ID model and the "directed identity" model
> rely on the RP accepting whatever the OP returns as openid.claimed_id
> as the user's identifier (subject to double-checking the OP's  
> authority
> via discovery as descibed in 11.2 [thanks again, Johnny]). If the RP
> chooses not to accept a "group id" assertion because the group ID
> isn't an ID that the RP sought to authenticate, then this use case is
> not reliable.

That is a SHOULD and not a MUST because the RP has, in many points of  
the protocol flow, the choice of stopping a transaction for  
security / policy / etc. reasons. This is one such instance.

Doing so does not break conformance (or reliability) with the OpenID  
protocol, it only results in 'denial of service' based on RP policy.  
If however the transaction completes successfully, it does so in a  
consistent way.

> Also, I think this language in 10.1 include language like "and MUST
> perform discovery on identifiers for which they have not requested
> authentication as described in section 11.2" to better highlight
> the RP's responsibility to use post-assertion discovery to prevent
> OPs from forging improper assertions.

10.1 describes what positive assertions are (how OPs should respond).  
The way assertions are consumed by RPs is described in section 11. I  
believe going into details about verification in section 10 would add  
unnecessary complexity and double specify / overlap with the  
verification section.


Johnny