[OpenID] Calling OpenID 2.0 editors (was RE:Problems withOpenID and TAG httpRange-14)
John Panzer
jpanzer at acm.org
Thu Mar 6 04:59:47 UTC 2008
Peter Williams wrote:
> ...
> In the common case, the OP agent will have zero knowledge of that
> claimed openid value (given it is not yet provisioned) - and will be
> unable to make a positive assertion about something it has no
> authority to speak about. In the worst case, the claimed openid
> resulting from making a semantic leap about 301s will happenstance
> match an already provisioned case pertaining to another party.
Um, 301s don't happen by happenstance. Someone (whoever controls the
starting URL) set up the 301 redirect, and set it up to point at the
final URL.
I don't see any security difference between a 301 redirect and OpenID
delegation. Surely in either case an RP can make the inference that
both URLs are controlled by the user in the current browser session.
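As an added illustration, not code from this thread or from any OpenID library, here is how an RP might resolve the user-entered URL through a chain of 301s while keeping a record of every hop it followed. The fetch table, hostnames, hop cap and the refusal to follow an https-to-http downgrade are constructed assumptions for the example, not anything the thread specifies.

```python
from urllib.parse import urlsplit

# Constructed, offline stand-in for an HTTP fetch: maps a URL to
# (status code, Location header or None). Example data only.
CONSTRUCTED_RESPONSES = {
    "http://alice.example/": (301, "https://alice.example/"),
    "https://alice.example/": (301, "https://op.example/user/alice"),
    "https://op.example/user/alice": (200, None),
    "http://loop.example/": (301, "http://loop.example/"),
    "https://bob.example/": (301, "http://bob.example/"),
}


def fake_fetch(url):
    """Return the constructed response for url, 404 if unknown."""
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


def resolve_claimed_id(start_url, fetch=fake_fetch, max_hops=5):
    """Follow 301 redirects from the user-entered URL, recording each hop.

    Returns (final_url, chain): the URL that finally answered 200 and the
    full list of URLs visited, so the RP can log which URLs the user
    demonstrated control of. Raises ValueError on a redirect loop, on
    more than max_hops redirects, on an https-to-http downgrade (an
    assumed policy for this example) or on any non-200/301 response.
    """
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status == 200:
            return url, chain
        if status != 301 or not location:
            raise ValueError(f"no usable response for {url}: {status}")
        if urlsplit(url).scheme == "https" and urlsplit(location).scheme != "https":
            raise ValueError(f"refusing https->http downgrade: {url} -> {location}")
        if location in chain:
            raise ValueError(f"redirect loop at {location}")
        chain.append(location)
        url = location
    raise ValueError(f"more than {max_hops} redirects from {start_url}")


if __name__ == "__main__":
    final, hops = resolve_claimed_id("http://alice.example/")
    print("claimed identifier:", final)
    print("chain followed:", " -> ".join(hops))
```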