[OpenID] Confirming XRD CanonicalIDs
Steven Churchill
steven.churchill at ootao.com
Fri Apr 25 16:15:40 UTC 2008
Dan,
XRI CanonicalID verification closes a security vulnerability caused by the
XRI Resolver's traversal of a polyarchical edge introduced by the XRI Ref
construct.
There's an online article at
http://dev.inames.net/wiki/XRI_CanonicalID_Verification that gives live
examples of this polyarchical edge in action. There is a discussion there
about performing CanonicalID verification "by hand" until the 2.0-compliant
resolvers are available. (One is now available at beta.xri.net.)
There's also a pointer to a more in-depth article on the XRI Polyarchy which
describes the vulnerability in detail and how CanonicalID verification
closes it.
~ Steve
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Dan Ragle
Sent: Thursday, April 24, 2008 12:06 PM
To: general at openid.net
Subject: [OpenID] Confirming XRD CanonicalIDs
In the specs I read:
"The Relying Party MUST confirm that the provider of the XRD
that contains the <CanonicalID> element is authoritative for
that Canonical ID and that this XRDS document is authoritative
for the OpenID Service Element. Relying Parties should either
do this manually or ensure that their resolver does this."
If possible, could someone provide or point me to some lightweight
documentation that elaborates on this, i.e., discusses how such a
confirmation would be manually performed? And does the proxy resolver
at xri.net in fact do this already?
Thanks!
Dan Ragle
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
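As an added example (not code from either post, nor from the xri.net proxy resolver), the hierarchical check the quoted spec clause asks for, in Python: it assumes the XRI Resolution 2.0 rule that each XRD's CanonicalID must extend its parent's by exactly one persistent ("!") subsegment, a configured set of trusted community roots, and two constructed XRDS documents.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"        # XRD 2.0 namespace
TRUSTED_ROOTS = {"=", "@", "!"}       # community roots this RP accepts (assumed config)

def _tag(name):
    return "{%s}%s" % (XRD_NS, name)

def xrd_chain(xrds_xml):
    """[(status_code, canonical_id), ...] for every XRD in document order."""
    chain = []
    for xrd in ET.fromstring(xrds_xml).iter(_tag("XRD")):
        status, cid = xrd.find(_tag("Status")), xrd.find(_tag("CanonicalID"))
        chain.append((status.get("code") if status is not None else None,
                      cid.text.strip() if cid is not None and cid.text else None))
    return chain

def verify_canonical_ids(xrds_xml):
    """Return (ok, reason, final_canonical_id) for one resolution chain.
    Rule (assumed from XRI Resolution 2.0): the first XRD carries a trusted root
    CanonicalID and each later one is its parent's CanonicalID plus exactly one
    persistent ('!') subsegment, so the parent authority vouches for the child.
    A chain reached through a <Ref> is a separate chain: verify it with this
    function from its own root, not against the XRD that held the Ref.
    """
    chain = xrd_chain(xrds_xml)
    if not chain:
        return (False, "no XRD elements", None)
    parent = None
    for i, (code, cid) in enumerate(chain):
        if code != "100":                          # 100 = SUCCESS
            return (False, "XRD %d: status %s" % (i, code), None)
        if not cid:
            return (False, "XRD %d: no CanonicalID" % i, None)
        if parent is None and cid not in TRUSTED_ROOTS:
            return (False, "XRD %d: untrusted root %r" % (i, cid), None)
        if parent is not None:
            rest = cid[len(parent):] if cid.startswith(parent) else ""
            if len(rest) < 2 or rest[0] != "!" or set(rest[1:]) & set("!*"):
                return (False, "XRD %d: %r is not a child of %r" % (i, cid, parent), None)
        parent = cid
    return (True, "ok", parent)

# Constructed sample: honest chain for =example*alice.
XRDS_GOOD = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD><Status code="100"/><CanonicalID>=</CanonicalID></XRD>
<XRD><Status code="100"/><CanonicalID>=!1111.2222</CanonicalID></XRD>
<XRD><Status code="100"/><CanonicalID>=!1111.2222!3333</CanonicalID></XRD>
</xrds:XRDS>"""
XRDS_FORGED = XRDS_GOOD.replace("=!1111.2222!3333", "=!9999.8888")  # constructed: claims a non-child i-number
```

Without the check, a Relying Party would accept the forged document's final CanonicalID as the user's identity; with it, the chain is rejected at the XRD whose parent is not authoritative for the claimed i-number.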