[OpenID] Question regarding the OpenID Information Cards 1.0
Peter Williams
pwilliams at rapattoni.com
Mon Sep 3 16:20:56 UTC 2007
We went through this issue, last week. This is what I took away:-
There is a step 5. The RP must identify the OP(s) associated with the
Claimed_Identity, as published by the user in his/her HTML/XRDS file.
There is a step 6. The OP must first check the realm controls, published
by the RP in its XRDS file, before considering giving a positive
check_authentication answer
There is a step 7. The RP must check that the OP who issues a
check_authentication response is "valid" - by linking the OP's SSL cert
to the URL selected in 5. Validity should mean doing full PKI checking
of the server's cert chain, and sending any client cert chain (and TLS
extensions) as required by the SSL cipher-suite.
I also took away an implied control: if an id_res response message has a
claim for the URL of the OP, it MUST NOT be used to substitute step 5.
Now reconsider your very important issue, given those extra steps.
My question is: how does the RP know that the OP has "authentication
authority" over the asserted User URL? In the original protocol, the OP
was pointed to by an element contained in the HTML document referenced by
the identity URL; that is, the owner of the URL delegated the
authentication to the OP by defining the address of the OP. However, in
the "OpenID Information Cards" this protocol step is absent.
What forbids me from creating an OP that asserts any identity URL that I
want?
Thanks.
Pedro Felix
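The following is an added example, not code from either poster or from any OpenID implementation. It shows, in Python, the two controls the thread turns on: step 5 (the RP derives the OP endpoint from the link elements the user publishes at the Claimed Identifier, using the OpenID 2.0 rel names "openid2.provider"/"openid2.local_id" with the OpenID 1.1 "openid.server"/"openid.delegate" names as fallback) and the implied control that the openid.op_endpoint carried in an id_res response is compared against that discovery result rather than trusted on its own. An HMAC-SHA1 check over the openid.signed fields stands in for what the RP would otherwise obtain via check_authentication. The HTML page, URLs, nonce, handle and association key are all constructed for the example. The realm check (step 6) and the TLS certificate checks (step 7) are not covered here.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from typing import Dict, Optional

# Constructed sample: the HTML a user publishes at her Claimed Identifier.
# Both the OpenID 2.0 rel names and the OpenID 1.1 ones are present.
CLAIMED_ID = "https://alice.example.net/"
CLAIMED_ID_HTML = """<html><head>
<link rel="openid2.provider" href="https://op.example.org/endpoint">
<link rel="openid2.local_id" href="https://op.example.org/users/alice">
<link rel="openid.server" href="https://op.example.org/endpoint">
<link rel="openid.delegate" href="https://op.example.org/users/alice">
</head><body>Alice's home page</body></html>"""

# Constructed association MAC key shared between the RP and the legitimate OP.
MAC_KEY = b"constructed-association-key-not-a-real-secret"


class _LinkRelParser(HTMLParser):
    """Collects <link rel=... href=...> pairs that appear inside <head>."""

    def __init__(self) -> None:
        super().__init__()
        self.rels: Dict[str, str] = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head:
            a = dict(attrs)
            rel, href = a.get("rel"), a.get("href")
            if rel and href:
                for r in rel.split():  # rel may carry several tokens
                    self.rels.setdefault(r.lower(), href)

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover_from_html(html: str) -> Dict[str, Optional[str]]:
    """Step 5: the RP learns the OP endpoint from the user's own document."""
    p = _LinkRelParser()
    p.feed(html)
    endpoint = p.rels.get("openid2.provider") or p.rels.get("openid.server")
    local_id = p.rels.get("openid2.local_id") or p.rels.get("openid.delegate")
    if endpoint is None:
        raise ValueError("claimed identifier publishes no OP endpoint")
    return {"op_endpoint": endpoint, "local_id": local_id}


def _signed_kv(assertion: Dict[str, str]) -> bytes:
    # Key-Value form of the fields listed in openid.signed: "name:value\n" each.
    fields = assertion["openid.signed"].split(",")
    return "".join(f"{f}:{assertion['openid.' + f]}\n" for f in fields).encode()


def sign_assertion(assertion: Dict[str, str], mac_key: bytes) -> Dict[str, str]:
    """HMAC-SHA1 over the signed fields, as an OP holding the association would."""
    digest = hmac.new(mac_key, _signed_kv(assertion), hashlib.sha1).digest()
    return {**assertion, "openid.sig": base64.b64encode(digest).decode()}


def verify_assertion(assertion: Dict[str, str], claimed_id: str,
                     claimed_id_html: str, mac_key: bytes) -> bool:
    """Accept an id_res only if the signing OP is the one the user delegated to."""
    if assertion.get("openid.mode") != "id_res":
        return False
    if assertion.get("openid.claimed_id") != claimed_id:
        return False
    disc = discover_from_html(claimed_id_html)
    # The op_endpoint asserted in the response is never a substitute for
    # discovery: it must equal what the user's own document points to.
    if assertion.get("openid.op_endpoint") != disc["op_endpoint"]:
        return False
    if assertion.get("openid.identity") != (disc["local_id"] or claimed_id):
        return False
    # Only an OP holding the association key can produce this signature.
    expected = sign_assertion(assertion, mac_key)["openid.sig"]
    return hmac.compare_digest(expected, assertion.get("openid.sig", ""))


def legitimate_assertion() -> Dict[str, str]:
    """Constructed id_res from the OP the user delegated to."""
    a = {
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.org/endpoint",
        "openid.claimed_id": CLAIMED_ID,
        "openid.identity": "https://op.example.org/users/alice",
        "openid.return_to": "https://rp.example.com/finish",
        "openid.response_nonce": "2007-09-03T16:20:56Zconstructed",
        "openid.assoc_handle": "constructed-handle",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                         "response_nonce,assoc_handle",
    }
    return sign_assertion(a, MAC_KEY)


def rogue_assertion() -> Dict[str, str]:
    """Same claimed_id, asserted by an OP the user never pointed to."""
    a = dict(legitimate_assertion())
    a["openid.op_endpoint"] = "https://rogue-op.example.com/endpoint"
    a["openid.identity"] = CLAIMED_ID
    return sign_assertion(a, b"rogue-ops-own-key")


if __name__ == "__main__":
    print("legitimate:", verify_assertion(legitimate_assertion(), CLAIMED_ID,
                                          CLAIMED_ID_HTML, MAC_KEY))
    print("rogue OP:  ", verify_assertion(rogue_assertion(), CLAIMED_ID,
                                          CLAIMED_ID_HTML, MAC_KEY))
```

The rogue assertion fails on the endpoint comparison before the signature is even looked at: what the OP says about itself carries no weight, only what the user's own document says about the OP does. Swapping the HTML fetch for a real HTTP(S) request to the Claimed Identifier, plus XRDS/Yadis discovery, is what a production RP does at that point.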