[OpenID] Correlating Identifiers
Peter Williams
pwilliams at rapattoni.com
Fri Nov 7 15:05:16 UTC 2008
Let's recall that the user is in charge of their "discovery" XRDS, not the OP (in the general case). The user controls the "SOA" records (in DNS speak), or the naming context (in X.500 speak), or the X in XRI speak. Unless the XRDS uses an xmldsig in an XRDS extension, there is no equivalent of DNSSEC/PKI-DSP/SAML countermeasures against authority spoofing in those non-YADIS access methods.
If OP#1 returns some id claim other than identical with that requested, we know that (a) the OP has done successful RP-discovery, (b) the RP must do discovery (read some XRDS newly resolved from the normalized/redirected response value from the OP), and (c) realms must eventually match between OP/RP.
In the case of (b), discovery may not return the same XRDS stream as obtained earlier. The reason for this may simply be ... the fact that time has passed.
If we say that the RP must perform discovery for assertions without clear authority (as you pointed out), and the RP then determines that the OP _originally_ used has/had no authority to speak for that claimed id (under the latest XRDS) ... but some other listed OP does, surely the RP MAY at least now talk to the listed OP?
Given that section 7 is discovery, and does not include section 8, I'd agree with your interpretation: that there is NO obligation on an RP to follow the chain during the follow-up discovery.
If the value sent back is typed (by discovery) to be an OP Identifier, however, surely we have the concept of an OP redirect? This could address the case when BT gets bought out by Telstra; when there is an OP migration ... as OPs get renamed; if endpoints change; forcing adoption of a different SSL ciphersuite (per user class); FORCING a run of Nat's relying-party agreement acceptance protocol ... before one can "legally rely" on the assertion?
________________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Manger, James H [James.H.Manger at team.telstra.com]
Sent: Thursday, November 06, 2008 8:49 PM
To: OpenID List
Subject: Re: [OpenID] Correlating Identifiers
Peter,
> if this is the second round of discovery by an RP for a given run, then
> formally we are JUST testing for authority. if the second round does not
> positively confirm the authority of the OP to speak for the namespace, then
> the RP SHOULD simply treat the discovery result as if it were a first
> round discovery ...and thus openid auth starts again.
>
> Is that the concept (stripped of spec language)?
I don't want an RP to trigger a 2nd authentication request/response.
I do want an RP to trigger a 2nd discovery step when necessary.
I hope that is how the spec is implemented.
[Any OP proxying/chaining should not have to involve the RP --
keep it between the user and their 1st OP,
once the RP has issued an authentication request redirect.]
James Manger
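The authority check the two messages above argue about (the RP re-running discovery on the identifier the OP asserted, and checking that the asserting OP endpoint is actually listed in that identifier's XRDS) can be shown in a few lines. The following is an added example written for this archive page; it is not code from either poster, from the OpenID specification, or from any OpenID library. The two XRDS documents, the identifier URLs, the OP endpoint URLs and the in-memory DISCOVERY_TABLE that stands in for a live discovery fetch are all constructed for the example, and the three outcome labels ("authoritative", "other_op_listed", "no_authority") are this example's own names. It does not decide what an RP should do in the "some other listed OP has authority" case, since that is exactly the open question in the thread; it only reports it as a distinct outcome.

```python
"""Added example: checking an OP's authority for an asserted Claimed Identifier
by re-running discovery on the asserted identifier (not the requested one).

All XRDS documents, identifiers and endpoints below are constructed for the
example; DISCOVERY_TABLE stands in for the HTTP/XRI fetch real discovery does.
"""
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"
OPENID2_SERVER = "http://specs.openid.net/auth/2.0/server"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed XRDS: alice's identifier names op1 as her OP.
ALICE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op1.example/endpoint</URI>
      <LocalID>https://op1.example/users/alice</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed XRDS: bob's identifier names only op2. An assertion about bob
# coming from op1 therefore has no authority, but "some other listed OP does".
BOB_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op2.example/endpoint</URI>
      <LocalID>https://op2.example/users/bob</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Stand-in for discovery results keyed by Claimed Identifier (constructed).
DISCOVERY_TABLE = {
    "https://alice.example/": ALICE_XRDS,
    "https://bob.example/": BOB_XRDS,
}


def lookup_xrds(claimed_id):
    """Return the XRDS text discovery would fetch for claimed_id, or None."""
    return DISCOVERY_TABLE.get(claimed_id)


def op_endpoints_from_xrds(xrds_text):
    """Collect the OP endpoint URIs of every OpenID 2.0 service in an XRDS."""
    root = ET.fromstring(xrds_text)
    wanted = {OPENID2_SIGNON, OPENID2_SERVER}
    endpoints = set()
    for service in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in service.findall(f"{{{XRD_NS}}}Type") if t.text}
        if not types & wanted:
            continue
        for uri in service.findall(f"{{{XRD_NS}}}URI"):
            if uri.text:
                endpoints.add(uri.text.strip())
    return endpoints


def verify_assertion(requested_id, asserted_id, op_endpoint,
                     first_round_endpoints, discover=lookup_xrds):
    """Classify a positive assertion's authority.

    If the OP asserted exactly the identifier the RP asked about, the RP's
    first-round discovery result is reused. Otherwise (including every
    identifier_select request) the RP re-discovers on the asserted identifier
    and checks that the asserting endpoint is listed there.
    """
    if asserted_id == requested_id and requested_id != IDENTIFIER_SELECT:
        endpoints = first_round_endpoints
    else:
        xrds = discover(asserted_id)
        if xrds is None:
            return "no_authority"          # nothing to check the claim against
        endpoints = op_endpoints_from_xrds(xrds)
    if op_endpoint in endpoints:
        return "authoritative"
    # Listed OPs exist but the asserting OP is not one of them: the thread's
    # disputed case. Report it; the policy decision is left to the RP.
    return "other_op_listed" if endpoints else "no_authority"


if __name__ == "__main__":
    op1 = "https://op1.example/endpoint"
    for asserted in ("https://alice.example/", "https://bob.example/", "https://carol.example/"):
        print(asserted, verify_assertion(IDENTIFIER_SELECT, asserted, op1, {op1}))
```

Run as a script it prints one outcome per constructed identifier: alice is authoritative for op1, bob falls into the "other OP listed" case, and carol (no XRDS at all) yields no authority.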
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general