[OpenID] Simple Registration Extension 1.1 draft 1

Jack jack at jackpot.uk.net
Tue Sep 11 13:51:25 UTC 2007


1. In S3, it says:
    "All of the following request fields are OPTIONAL, though at least
    one of "openid.sreg.required" or "openid.sreg.optional" MUST be
    specified in the request."

I believe that is inaccurate. As far as I can see, if either of
"openid.sreg.required" and "openid.sreg.optional" are present, then the
".sreg" part is going to depend on the namespace mapping that is defined
by the "openid.ns.something" parameter. And so the part called
"openid.ns.sreg" _IS_ required, although it might actually be
"openid.ns.something" - the other parts cannot be evaluated without the
namespace declaration.

Of course, it might be that the namespace declaration is somehow taken
for granted (or defaulted); but certainly myopenid.com seems not to do
that, and ignores requests for extension data that are not accompanied
by a namespace declaration.

Actually I would say that amounted to a malformed request, and an error
should be returned. Certainly that is what would happen in XML.

2. In S4 it says:
    "The behavior in the case of missing required fields or extra,
    unrequested fields is up to the Consumer."

This presumably also applies to missing optional fields. So it seems
that, as far as the protocol is concerned, optional and required fields
are equivalent. In both cases, if the OP cannot supply the requested
data, he should still go ahead and sign an assertion. And even if
required data is omitted, the RP may choose to accept the login.
Therefore it's not necessary to define two fields (except, possibly, for
backward compatibility with 1.0).

3. In S4 it DOESN'T say that the namespace declaration must be included
in the signed data returned by the OP, but DOES require the inclusion of
the namespace label ("sreg") in the name of the signed registration
field. This seems perverse. I'm not sure I can see the point of signing
registration fields; but if there is a good reason for signing them,
then signing the label without even requiring the presence of the
declaration in the message, signed or otherwise, must be a mistake.

Myopenid.com does include the namespace declaration, and does sign it.

Is there a requirement that the namespace label in the response should
have the same value as it had in the request? That is, should an RP be
prepared for the label to have changed? No such requirement is expressed
in the spec, but I suspect that some RPs might be rather surprised if
this were to happen.

-- 
Jack.
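The alias point raised in items 1 and 3, as an added example that is not part of the original post and is not code from the spec or from myopenid.com: the RP resolves the SREG alias from openid.ns.* instead of assuming it is still "sreg", and refuses registration data whose namespace declaration or fields lie outside openid.signed. It assumes OpenID 2.0 parameter names, a constructed sample response, and that the signature over openid.signed has already been verified elsewhere.

```python
from typing import Dict, Iterable, Optional
from urllib.parse import parse_qsl

SREG_NS = "http://openid.net/extensions/sreg/1.1"  # SREG 1.1 namespace URI

def parse_openid_response(query: str) -> Dict[str, str]:
    """Turn an indirect (query-string) OpenID response into a flat dict."""
    return dict(parse_qsl(query, keep_blank_values=True))

def find_sreg_alias(params: Dict[str, str]) -> Optional[str]:
    """Return the alias bound to SREG via openid.ns.<alias>, or None if absent.

    The alias is the sender's choice, so the RP must not assume it is "sreg".
    """
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == SREG_NS:
            return key[len("openid.ns."):]
    return None

def extract_sreg(params: Dict[str, str], required: Iterable[str] = ()) -> dict:
    """Collect SREG fields from a response whose signature is already verified.

    Rejects a response that omits the namespace declaration or leaves it (or
    any registration field) out of openid.signed; missing required fields are
    only reported, since S4 leaves that decision to the RP.
    """
    alias = find_sreg_alias(params)
    if alias is None:
        raise ValueError("response carries no openid.ns.* binding for SREG")
    signed = set(params.get("openid.signed", "").split(","))
    if "ns." + alias not in signed:
        raise ValueError("openid.ns.%s is not covered by openid.signed" % alias)
    prefix = "openid." + alias + "."
    fields = {}
    for key, value in params.items():
        if not key.startswith(prefix):
            continue
        name = key[len(prefix):]
        if alias + "." + name not in signed:
            raise ValueError("%s is not covered by openid.signed" % key)
        fields[name] = value
    missing = [f for f in required if f not in fields]
    return {"alias": alias, "fields": fields, "missing_required": missing}

# Constructed sample response in which the OP chose the alias "reg", not "sreg".
SAMPLE = ("openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
          "&openid.ns.reg=http://openid.net/extensions/sreg/1.1"
          "&openid.reg.email=alice%40example.org&openid.reg.nickname=alice"
          "&openid.signed=op_endpoint,claimed_id,ns.reg,reg.email,reg.nickname")
```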


