[OpenID] Multiple Domains and State

Peter Williams pwilliams at rapattoni.com
Thu Apr 24 18:18:14 UTC 2008


The intended scope of the assertion should be congruent with the set  
of RP's that will accept it, right?  The return URL/realm is included  
to allow the RP to protect itself from spoofing.

Now, there we have the issue. And, I don't know, and I typically overengineer (or over reverse engineer, in this case). The spec has little security rationale, and one can only guess at the intention of most of its controls, gauged against classical techniques and terminology. I don't want to presume and over control, here. If realms are an anti-spoofing mechanism, then fine. If they are an intended recipient control, then fine. If they are a "thou shalt not proxy, except via rp to rp exchange through ax" then fine. If they are a law4 legal signal under uci doctrine, then fine!

From the spec as written, it's really hard to write down the formal claims for each of the protocol elements (particularly in the areas of discovery and realms). For me, I'm left guessing about intent, correctness and then effectiveness. I suspect this is all cultural and part of the desire for viral dispersion: going alongside the practice that is no ref implementation by choice, no compliance testing or criteria by choice, and anti-commercialism.





Sure, there's no way to stop an RP from accepting whatever they  
want.  If you want to be spoofed, as an OP, I can't prevent it.  I'd  
hope that most RP's intending to be spoofed will put other controls  
in place, such as a trust fabric.

Take care,
Nate.


