[OpenID] Calling OpenID 2.0 editors (was RE: Problems with OpenID and TAG httpRange-14)

Peter Williams pwilliams at rapattoni.com
Thu Mar 13 00:46:24 UTC 2008


"really don't care about the type of redirects HTTP follows. The primary
key must be based on the URL that the meta-data is returned from for
security reasons.

Changing this part of the openID 2.0 spec would break the security model
for URLs."

 

Until the "security model for URLs" is written up properly and
completely to the standard of a peer-reviewed academic paper in a major
journal, we are just not really ready for prime time.

 

I'm not saying anything is wrong: I'm saying that the well briefed
technical reader should not need to be doing any "reading into" the spec
to have a clear, authoritative declarative statement of the "security
model for URLs".

From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Drummond Reed
Sent: Wednesday, March 12, 2008 4:22 PM
To: general at openid.net
Subject: Re: [OpenID] Calling OpenID 2.0 editors (was RE: Problems with OpenID and TAG httpRange-14)

 

RE the whole subject of OpenID identifiers, John Bradley has posted the
following blog entry:

 

            http://thread-safe.livejournal.com/9907.html

 

It's a good read not just about the evolution of the different options
but also about the security implications.

 

=Drummond 

 
