[OpenID] OP Endpoint URL (was: guid openid delegate)
Peter Williams
pwilliams at rapattoni.com
Thu Sep 13 18:59:43 UTC 2007
> > A3. the definition would ideally become unhooked from both solicited
> > auth and discovery, allowing for its formal involvement in
> unsolicited
> > auth. In unsolicited auth, there is no User-Supplied Identifier, of
> > course, and it's not discovery which determines a final value for the
> OP
> > Endpoint URL.
>
> Yes, it is: 11.2 Verifying Discovered Information:
>
> "... the Relying Party MUST perform discovery on the Claimed
> Identifier in the response to make sure that the OP is authorized to
> make assertions about the Claimed Identifier."
> Johnny
Ok. We are fighting over verbs now. You are properly focused on whether
the originator is authorized to be a source for the Claimed_Identity
assertion in the id_res (solicited or otherwise) - and note that one
must ...do an authorization check (where mandatory http/https/xri-based
discovery is a mandatory and critical element of the discovery scheme).
I was focused on "determining" (as opposed to validating authorization
of...) a string from a name->addr lookup function.
Just beware that these very precise (and mostly implicit) definitions of
discovery are unusual - and are not apparent from a merely early reading
of the definitions (yet they are CRITICAL for understanding the
security model). Ideally, the definitions would form the reader's
vocabulary for understanding the text, including the security controls.
For years of course, the term discovery has generally been used in
locating services - rather than performing a critical
authorization/reification function.
I think I've said before: it's the protocol design's use of secure name
server theory (discovery as a means of checking authority to speak
signed assertions) which excites me most of all - about this whole
initiative.
If we can get the web community to go with this scheme, we will have
resurrected the original (pre-PKI) X.509/X.500 model in which the
(confirmed by signature) presence or nay of a cert in a user's directory
entry, as controlled by a security domain distinct from the directory
management organization, was the control on whether a signed assertion
issued by a directory node responsible for some naming context had - in
a fully distributed worldwide directory -- the authority to speak
authoritatively for attributes in that directory entry.
Hmm. Not sure how much of that will be comprehensible - generally. Let's
see.
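The check under discussion (OpenID Authentication 2.0, section 11.2: after a positive assertion, the Relying Party re-runs discovery on the Claimed Identifier and confirms that the asserting OP is the one the identifier actually points to) is shown below as an added, stand-alone example; it is not code from this list, the spec editors, or any OpenID library. It models HTML-based discovery only (no Yadis/XRDS or XRI resolution), feeds discovery from an in-memory fixture instead of an HTTP fetch so it runs offline, and deliberately stops short of signature verification, which is a separate step in the spec. The fixture documents, endpoint URLs, and the response dictionaries are all constructed for the example.

```python
"""
Relying-party-side "is this OP authorised to speak for this Claimed
Identifier?" check, in the spirit of OpenID 2.0 section 11.2.

Added example (not from the OpenID list or any implementation).
Assumptions: HTML-based discovery only; discovery results come from the
constructed DISCOVERY_DOCS fixture rather than a live HTTP GET.
"""
from html.parser import HTMLParser
from urllib.parse import urldefrag

OPENID2_NS = "http://specs.openid.net/auth/2.0"

# Constructed fixture: what a GET of each Claimed Identifier would return.
# alice delegates to an OP-Local Identifier; bob uses the same OP with no
# delegation, so his OP-Local Identifier is the Claimed Identifier itself.
DISCOVERY_DOCS = {
    "https://alice.example.org/": """
        <html><head>
          <link rel="openid2.provider" href="https://op.example.net/endpoint">
          <link rel="openid2.local_id" href="https://op.example.net/user/alice">
        </head><body>alice</body></html>""",
    "https://bob.example.org/": """
        <html><head>
          <link rel="openid2.provider" href="https://op.example.net/endpoint">
        </head><body>bob</body></html>""",
}


class _LinkRelParser(HTMLParser):
    """Collect the openid2.provider / openid2.local_id <link> elements."""

    def __init__(self):
        super().__init__()
        self.provider = None
        self.local_id = None

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        href = a.get("href")
        if not href:
            return
        if "openid2.provider" in rels and self.provider is None:
            self.provider = href
        if "openid2.local_id" in rels and self.local_id is None:
            self.local_id = href


def discover(claimed_id):
    """Return (op_endpoint_url, op_local_identifier) or None if discovery fails.

    Discovery is performed on the fragment-free form of the identifier,
    since an OP may append a fragment to the Claimed Identifier it returns.
    """
    url, _fragment = urldefrag(claimed_id)
    doc = DISCOVERY_DOCS.get(url)  # stands in for an HTTP GET of `url`
    if doc is None:
        return None
    parser = _LinkRelParser()
    parser.feed(doc)
    if parser.provider is None:
        return None
    # No openid2.local_id means the OP-Local Identifier is the Claimed Identifier.
    return parser.provider, (parser.local_id or url)


def verify_assertion_source(response):
    """True iff discovery on openid.claimed_id authorises the OP that asserted.

    `response` is the decoded id_res parameter map. This is the 11.2 check
    only: it says nothing about whether the signature itself is valid, and
    it applies equally to solicited and unsolicited positive assertions.
    """
    if response.get("openid.ns") != OPENID2_NS:
        return False
    if response.get("openid.mode") != "id_res":
        return False
    claimed = response.get("openid.claimed_id")
    if not claimed:
        return False
    found = discover(claimed)
    if found is None:
        return False  # nobody discoverable is authorised to speak for it
    op_endpoint, local_id = found
    # Both the asserting endpoint and the asserted OP-Local Identifier must
    # match what the Claimed Identifier's own discovery says.
    return (op_endpoint == response.get("openid.op_endpoint")
            and local_id == response.get("openid.identity"))
```

Under this check a rogue OP that simply signs an assertion about alice fails even with a perfect signature, because alice's page does not name it; that is the "name-server-style authority check" role of discovery the message above describes.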