[OpenID] Multiple Domains and State
Nate Klingenstein
ndk at internet2.edu
Thu Apr 24 16:43:36 UTC 2008
Peter,
> A realm of *.com is only bad practice if one is equating openid
> realms with cn wildcards in ssl server certs, or more formal per
> recipient tokens enforced with crypto and attribute matching logics.
> As openid has little mainstream practice, it's hard to say what is
> good or bad. The jury has not even been called, let alone sat to
> hear the evidence.
I don't agree (and neither does the spec, explicitly calling this
"dangerous"). It's not analogous to wildcarded certs because those
are confirmed by possession of a corresponding private key. There is
no such confirmation in a bearer assertion like an OpenID response.
> If we look at openid realms, it's not obvious that the construct is
> an authorization control - guarding what rps may accept....
> Rather realm seems to be being used (and who knows with openid!) as the
> 'notice of intended scope' by rp to user, in the law#4 sense,
> enabling the user to then give notice of the limits to which the
> notice of an expectation of privacy is being waived. In xacml
> speak, it's an obligation passing.
The intended scope of the assertion should be congruent with the set
of RPs that will accept it, right? The return URL/realm is included
to allow the RP to protect itself from spoofing.
Sure, there's no way to stop an RP from accepting whatever they
want. If you want to be spoofed, as an OP, I can't prevent it. I'd
hope that most RPs intending to be spoofed will put other controls
in place, such as a trust fabric.
Take care,
Nate.
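As an added illustration (not code from this thread or from any OpenID library), here is an OP-side check in Python for the return_to/realm relationship discussed above: it applies the OpenID 2.0 realm matching rules (scheme and port agree, path is the realm path or a sub-directory, host equals the realm host or falls under a "*." wildcard) and refuses wildcard realms whose fixed part is a public suffix such as *.com. The tiny PUBLIC_SUFFIXES set is a constructed stand-in for the real Public Suffix List, and the function names are my own.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List;
# a real OP would load the full list (assumption made for this example).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def _split(url):
    """Return (scheme, host, effective port, directory path) for a URL."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(p.scheme.lower())
    path = p.path or "/"
    if not path.endswith("/"):
        path += "/"          # treat the last segment as a directory
    return p.scheme.lower(), host, port, path


def realm_is_overbroad(realm):
    """A wildcard realm whose fixed part is a public suffix (e.g. *.com)
    would let any site under that suffix replay the assertion."""
    host = _split(realm)[1]
    if not host.startswith("*."):
        return False
    fixed = host[2:]
    return fixed == "" or fixed in PUBLIC_SUFFIXES


def return_to_matches_realm(return_to, realm):
    """OpenID 2.0 realm matching: scheme and port agree, the return_to
    path is the realm path or a sub-directory of it, and the host equals
    the realm host or, for a '*.' realm, is that host or a subdomain of
    it. A realm containing a fragment never matches."""
    if "#" in realm:
        return False
    r_scheme, r_host, r_port, r_path = _split(realm)
    u_scheme, u_host, u_port, u_path = _split(return_to)
    if r_scheme != u_scheme or r_port != u_port:
        return False
    if not u_path.startswith(r_path):
        return False
    if r_host.startswith("*."):
        fixed = r_host[2:]
        return u_host == fixed or u_host.endswith("." + fixed)
    return u_host == r_host


def op_should_issue(return_to, realm):
    """OP-side decision: refuse overbroad realms first, then require the
    return_to URL to fall inside the realm. Returns (allowed, reason)."""
    if realm_is_overbroad(realm):
        return False, "realm wildcard covers a whole public suffix"
    if not return_to_matches_realm(return_to, realm):
        return False, "return_to is outside the realm"
    return True, "ok"
```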