[OpenID] Yahoo hijacking?
Allen Tom
atom at yahoo-inc.com
Sat Apr 19 01:17:38 UTC 2008
Hi Max,
Also, because the OpenID Authentication Request is not signed, we really
have no idea if the claimed RP is actually the RP that directed the user
to Yahoo. All we know is that the user does not want to sign into the
RP. Because the user elected to not sign into the RP, we do not want to
send the user back to the site. In fact, we don't even know for sure
where the user came from, as we can't really determine if the
openid.return_to matches the referrer.
Section 10.2 of the OpenID 2.0 spec does not require OPs to send a
negative assertion to the RP.
Allen
Max Metral wrote:
>
> Whoa, I'm not sure if others have noticed this or if I've missed a
> memo, but if I go to Yahoo for an OpenID login, and then change my
> mind and say "I do not want to login", they take me to www.yahoo.com
> <http://www.yahoo.com>!!! What the heck is with that? The user saying
> they don't want to login is not the same as "I'm done using that site,
> please sell me some advertised products on the back of OpenID traffic."
>
> Should the spec call this out?
>
> --Max
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
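To make Allen's point concrete, here is an added example (mine, not Yahoo's code nor any OpenID library) of what an OP can and cannot verify about an unsigned checkid_setup request before deciding where to send a user who declined to sign in. It checks openid.return_to against openid.realm using the matching rules of section 9.2 of the OpenID 2.0 spec, compares the Referer header with return_to (and shows why that is only a hint), and builds the section 10.2 negative assertion (openid.mode=cancel) an OP may, but is not required to, send. The sample request, the RP hostnames and the helper names are constructed for illustration.

```python
"""What an OpenID 2.0 OP can and cannot check about an unsigned checkid_setup
request. Added example for this thread; not Yahoo's or any library's code."""
from urllib.parse import parse_qs, urlencode, urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
DEFAULT_PORTS = {"http": 80, "https": 443}


def _port(u):
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """Section 9.2 of the OpenID 2.0 spec: return_to must match the realm in
    scheme, port and path prefix; the host must equal the realm host, or, if the
    realm host starts with "*.", be that host or one of its subdomains.
    A realm carrying a query or fragment is rejected, as the spec requires."""
    rt, rl = urlsplit(return_to), urlsplit(realm)
    if rl.query or rl.fragment:
        return False
    if rt.scheme != rl.scheme or _port(rt) != _port(rl):
        return False
    rt_host, rl_host = (rt.hostname or "").lower(), (rl.hostname or "").lower()
    if rl_host.startswith("*."):
        bare = rl_host[2:]
        if rt_host != bare and not rt_host.endswith("." + bare):
            return False
    elif rt_host != rl_host:
        return False
    return (rt.path or "/").startswith(rl.path or "/")


def referer_agrees(return_to: str, referer=None) -> str:
    """Compare the Referer host with return_to. "unknown" when absent (browsers
    and proxies routinely strip it); even a "match" is only a hint, because
    Referer is client-supplied and nothing in the request is signed by the RP."""
    if not referer:
        return "unknown"
    ref_host = (urlsplit(referer).hostname or "").lower()
    rt_host = (urlsplit(return_to).hostname or "").lower()
    return "match" if ref_host == rt_host else "mismatch"


def cancel_url(return_to: str) -> str:
    """Negative assertion (spec section 10.2): an indirect response to return_to
    carrying openid.mode=cancel. The spec says the OP SHOULD send it; it is not
    mandatory, which is the point made in the reply above."""
    sep = "&" if urlsplit(return_to).query else "?"
    return return_to + sep + urlencode({"openid.ns": OPENID2_NS, "openid.mode": "cancel"})


def assess(query_string: str, referer=None) -> dict:
    """Parse a checkid_setup query string and report what the OP can verify."""
    p = {k: v[0] for k, v in parse_qs(query_string).items()}
    return_to = p.get("openid.return_to", "")
    realm = p.get("openid.realm", return_to)  # realm defaults to return_to (spec 9.1)
    ok = bool(return_to) and return_to_matches_realm(return_to, realm)
    return {
        "mode": p.get("openid.mode"),
        "return_to_matches_realm": ok,
        "referer": referer_agrees(return_to, referer),
        # Only built when return_to is consistent with the realm; the OP still
        # cannot prove the RP named here is the site that redirected the user.
        "cancel_redirect": cancel_url(return_to) if ok else None,
    }


# Constructed sample request (not captured traffic); hostnames are made up.
SAMPLE = ("openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup"
          "&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select"
          "&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select"
          "&openid.return_to=https%3A%2F%2Flogin.example-rp.com%2Fopenid%2Freturn%3Fsid%3D42"
          "&openid.realm=https%3A%2F%2F*.example-rp.com%2F")

if __name__ == "__main__":
    print(assess(SAMPLE, referer="https://login.example-rp.com/start"))
    print(assess(SAMPLE, referer=None))
    print(assess(SAMPLE, referer="https://attacker.example/"))
```

The realm check is the only binding constraint the OP can enforce; it stops an RP from naming one site in the realm and bouncing the user to another, but it says nothing about who originally sent the user. The Referer comparison is deliberately reported as a three-way result rather than a boolean, because "unknown" is the common case and a "match" can be forged by the client.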