[OpenID] Question regarding the OpenID Information Cards 1.0
Johnny Bufu
johnny at sxip.com
Tue Sep 18 01:39:48 UTC 2007
On 4-Sep-07, at 1:05 AM, Johnny Bufu wrote:
>> My question is: how does the RP know that the OP has "authentication
>> authority" over the asserted User URL. In the original protocol, the OP
>> was pointed by an element contained in the HTML document referenced by
>> the identity URL, that is, the owner of the URL delegated the
>> authentication to the OP by defining the address of the OP. However, in
>> the "OpenID Information Cards" this protocol step is absent.
>> What forbids me from creating an OP that asserts any identity URL that
>> I want?
>
> 11.2. Verifying Discovered Information requires that:
>
> "[...] the Relying Party MUST perform discovery on the Claimed
> Identifier in the response to make sure that the OP is authorized to
> make assertions about the Claimed Identifier."
>
> However, I agree the reason given in the first part of the phrase can
> be a bit misleading: besides the case of a request with
> identifier_select, discovery also has to be performed for unsolicited
> responses -- I'll clarify that.
This is how it reads now in spec rev364:
    If the Claimed Identifier was not previously discovered by the Relying
    Party (the "openid.identity" in the request was
    "http://specs.openid.net/auth/2.0/identifier_select" or a different
    Identifier, or if the OP is sending an unsolicited positive assertion),
    the Relying Party MUST perform discovery on the Claimed Identifier in
    the response to make sure that the OP is authorized to make assertions
    about the Claimed
Johnny
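As an added example that is not part of this thread, of the spec text, or of any OpenID library, here is a minimal Python sketch of the re-discovery check the quoted paragraph requires: the RP takes the Claimed Identifier from the positive assertion, performs discovery on it, and only accepts the assertion if the OP endpoint (and the OP-Local Identifier) found by discovery are the ones that made the assertion. It covers only HTML-based discovery through <link> elements (not XRDS/Yadis) and only the discovery part of response verification; signature, nonce and return_to checks are omitted. The identifier pages, OP endpoints and assertion parameters are constructed values, not real sites.

```python
"""Re-discovery check for an OpenID 2.0 positive assertion (added example)."""
from html.parser import HTMLParser
from urllib.parse import urldefrag

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


class _LinkCollector(HTMLParser):
    """Collects <link rel="..." href="..."> tags; first href per rel token wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        rel, href = attrs.get("rel"), attrs.get("href")
        if rel and href:
            for token in rel.split():
                self.links.setdefault(token.lower(), href)


def discover(claimed_id, fetch):
    """HTML-based discovery only (the <link> mechanism the question describes).
    Returns (op_endpoint, op_local_id) or None. `fetch(url)` returns the HTML
    body or None; a real RP performs an HTTP GET and also tries XRDS/Yadis."""
    body = fetch(claimed_id)
    if body is None:
        return None
    parser = _LinkCollector()
    parser.feed(body)
    op_endpoint = parser.links.get("openid2.provider")
    if op_endpoint is None:
        return None
    # Without a delegate link the OP-Local Identifier is the Claimed Identifier.
    return op_endpoint, parser.links.get("openid2.local_id", claimed_id)


def verify_assertion_discovery(response, fetch):
    """The check quoted in the message: re-discover on the Claimed Identifier in
    the response and require that the asserting OP endpoint and the OP-Local
    Identifier match what discovery yields. Discovery part only; signature,
    nonce and return_to verification are separate steps."""
    claimed_id = response.get("openid.claimed_id", "")
    if not claimed_id or claimed_id == IDENTIFIER_SELECT:
        return False
    # The OP may append a fragment to the Claimed Identifier; discovery runs on
    # the identifier without it.
    claimed_id, _fragment = urldefrag(claimed_id)
    discovered = discover(claimed_id, fetch)
    if discovered is None:
        return False
    op_endpoint, op_local_id = discovered
    return (response.get("openid.op_endpoint") == op_endpoint
            and response.get("openid.identity") == op_local_id)


# Constructed identifier pages for offline use (not real sites).
SAMPLE_PAGES = {
    "https://alice.example/": (
        '<html><head>'
        '<link rel="openid2.provider" href="https://op.example/auth">'
        '<link rel="openid2.local_id" href="https://op.example/u/alice">'
        '</head></html>'
    ),
    "https://bob.example/": (
        '<html><head>'
        '<link rel="openid2.provider" href="https://other-op.example/auth">'
        '</head></html>'
    ),
}


def sample_fetch(url):
    """Stands in for the HTTP GET a real RP would issue."""
    return SAMPLE_PAGES.get(url)


# Constructed assertions (only the parameters this check looks at).
LEGIT = {
    "openid.claimed_id": "https://alice.example/#fragment",
    "openid.identity": "https://op.example/u/alice",
    "openid.op_endpoint": "https://op.example/auth",
}
# op.example asserts bob.example, whose page delegates to a different OP:
# exactly the "OP asserting any identity URL it wants" case, and rejected.
ROGUE = {
    "openid.claimed_id": "https://bob.example/",
    "openid.identity": "https://bob.example/",
    "openid.op_endpoint": "https://op.example/auth",
}

if __name__ == "__main__":
    print("legit accepted:", verify_assertion_discovery(LEGIT, sample_fetch))
    print("rogue accepted:", verify_assertion_discovery(ROGUE, sample_fetch))
```

The comparison is against the endpoint found by discovery, not against anything the OP itself sends, which is the whole point: an OP can put whatever it likes in openid.op_endpoint, but it cannot change the <link> on a page it does not control.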