[OpenID] Problems with delegation and directed identity OPs
Peter Williams
pwilliams at rapattoni.com
Mon Nov 10 15:13:29 UTC 2008
Suggestions for rewriting. Use or abuse the suggestion, as appropriate.
http://openid.net/specs/openid-authentication-2_0.html
section 7.3.1
I cannot tell from the writing of the OpenID Auth 2.0 finalized spec if, upon discovery relating to an OP Identifier, claimedid and localid MUST be absent in the XRDS response. I thus cannot tell if the RP now knows, from that absence, that the discovery authority is making the implicit (but formal) statement that the user-entered value has type = OP Identifier.
As the RP cannot type the identifier by itself (by normative means), yet it must populate the OpenID auth request appropriate to the type, only this critical discovery signal apparently exists ... to instruct the RP on how to behave as an auth initiator (if it initiates).
The problem in the writing is mostly in the last sentence, which does not clearly indicate that the RP treatment about "what the user entered" (as either an OP Identifier or otherwise) MUST be determined from the discovery result. As written, it allows the RP to make its own determination about the type ... of "what the user entered".
The writing is also not well-written more generally when addressing the case where discovered information is used to validate an unsolicited assertion - where there is no "user entered" data prior to discovery initiation.
Finally, the writing does not address what happens during validation of an unsolicited assertion, when the discovery agent indicates that the identifier is an OP Identifier type. In my interpretation, which others do not like, the RP SHALL perform OpenID auth. The RP SHALL perform as many rounds of OpenID auth against one or more OPs until (i) the RP determines that a solicited assertion was received, or (ii) follow-up discovery about an unsolicited assertion indicates the identifier claim is of type other than an OP Identifier.
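As an added illustration (not code from this message or from the OpenID project): an RP-side routine that takes the identifier's type solely from the discovered XRDS, as the post argues the spec should require, and fills the auth request fields that follow from that type. The service type URIs and the identifier_select value are those of OpenID Authentication 2.0; the XRDS samples, hostnames and the precedence given to a server-type service are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# OpenID Authentication 2.0 service type URIs (spec section 7.3.2).
OP_IDENTIFIER_TYPE = "http://specs.openid.net/auth/2.0/server"
CLAIMED_ID_TYPE = "http://specs.openid.net/auth/2.0/signon"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
XRD = "{xri://$xrd*($v*2.0)}"  # namespace of Service, Type, URI, LocalID

# Constructed XRDS samples: an OP Identifier (no claimed/local id at all) and
# a delegated Claimed Identifier (LocalID present). Hostnames are placeholders.
OP_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
 <XRD><Service priority="0">
  <Type>http://specs.openid.net/auth/2.0/server</Type>
  <URI>https://op.example/endpoint</URI>
 </Service></XRD></xrds:XRDS>"""
DELEGATED_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
 <XRD><Service priority="0">
  <Type>http://specs.openid.net/auth/2.0/signon</Type>
  <URI>https://op.example/endpoint</URI>
  <LocalID>https://op.example/users/alice</LocalID>
 </Service></XRD></xrds:XRDS>"""


def classify_xrds(xrds_text, user_supplied):
    """Type the identifier from the discovery result alone and return
    (identifier_type, auth request fields) that follow from that type."""
    root = ET.fromstring(xrds_text)
    services = list(root.iter(XRD + "Service"))

    def types_of(svc):
        return {t.text.strip() for t in svc.findall(XRD + "Type") if t.text}

    def text_of(svc, tag):
        el = svc.find(XRD + tag)
        return el.text.strip() if el is not None and el.text else None

    # Assumption: an OP Identifier service, when present, is the typing
    # signal; the shape of the user-supplied string is never consulted.
    for svc in services:
        if OP_IDENTIFIER_TYPE in types_of(svc):
            return "op_identifier", {"openid.claimed_id": IDENTIFIER_SELECT,
                                     "openid.identity": IDENTIFIER_SELECT,
                                     "op_endpoint": text_of(svc, "URI")}
    for svc in services:
        if CLAIMED_ID_TYPE in types_of(svc):
            # A LocalID (delegation) makes identity differ from claimed_id.
            return "claimed_identifier", {
                "openid.claimed_id": user_supplied,
                "openid.identity": text_of(svc, "LocalID") or user_supplied,
                "op_endpoint": text_of(svc, "URI")}
    raise ValueError("no OpenID 2.0 service: discovery did not type the identifier")
```

When no OpenID 2.0 service element is discovered at all, the routine refuses to guess and raises, which is the case the post says the spec leaves unaddressed.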