[OpenID] review of text for validating unsolicited assertions, given an openid2 request about identity=localid

Peter Williams pwilliams at rapattoni.com
Tue Nov 11 13:36:37 UTC 2008


* The Relying Party MUST accept an authentication response (Positive Assertions)<http://openid.net/specs/openid-authentication-2_0.html#positive_assertions> that is missing the "openid.response_nonce" parameter. It SHOULD implement a method for preventing replay attacks.

* Relying Parties MUST accept authentication responses (Positive Assertions)<http://openid.net/specs/openid-authentication-2_0.html#positive_assertions> that are missing the "openid.op_endpoint" parameter.


I don't know formally now what "accept" means (but it's a MUST). Rewriting should make it clear that 'accept' - in this context - does not absolve the RP of performing follow-up discovery (as required). That discovery may determine that the authentication response is 'not reliable' (post-acceptance).


Text such as "It SHOULD implement a method for preventing replay attacks" is arguably bad form in a standard. It's setting a conformance test for specifically local countermeasures, ones that furthermore mandate _preventative_ controls (that are undefined).
Consider "It is recommended that ..." here, as better form.
It's best to keep objective "conforming" tests from technical standards separate from the inherently subjective world of auditing _local_ preventative controls.
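For readers wondering what the undefined "method for preventing replay attacks" could look like on the RP side while still honouring the MUST to accept responses that omit openid.response_nonce, here is an added example; it is not code from the original post, the OpenID specification or any OpenID library. Assumptions made here: an in-memory nonce store, a 5-minute clock-skew window, and, for responses that carry no openid.response_nonce (OpenID 1.1-style), a fallback to a single-use nonce the RP itself embedded as an `rp_nonce` query parameter in openid.return_to. The response_nonce format (RFC 3339 UTC timestamp followed by unique ASCII characters) is as given in OpenID Authentication 2.0.

```python
"""Replay protection for an OpenID 2.0 Relying Party (added example, not spec code)."""
import re
import datetime as dt
from urllib.parse import urlparse, parse_qs

# openid.response_nonce: RFC 3339 UTC timestamp immediately followed by unique ASCII chars
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([\x21-\x7e]*)$")
MAX_SKEW = dt.timedelta(minutes=5)  # assumed tolerance for RP/OP clock drift


class ReplayChecker:
    def __init__(self):
        self.seen_op_nonces = {}       # (op_endpoint, response_nonce) -> nonce timestamp
        self.issued_rp_nonces = set()  # RP-generated nonces placed in return_to, unconsumed

    def issue_rp_nonce(self, nonce):
        """Record a nonce the RP put into openid.return_to when building the request."""
        self.issued_rp_nonces.add(nonce)

    def check(self, params, now):
        """Return (ok, reason) for a dict of openid.* response fields.

        'ok' only says the response is not a replay; the RP still has to
        verify the signature and perform discovery on the claimed identifier.
        """
        nonce = params.get("openid.response_nonce")
        if nonce is None:
            # The spec requires accepting a response without response_nonce
            # (1.1 compatibility), so freshness must come from RP-side state.
            return self._check_rp_nonce(params)
        m = NONCE_RE.match(nonce)
        if not m:
            return False, "malformed response_nonce"
        ts = dt.datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=dt.timezone.utc)
        if abs(now - ts) > MAX_SKEW:
            return False, "response_nonce outside allowed time window"
        self._prune(now)
        # op_endpoint may also be absent; key on whatever OP identifier is present
        key = (params.get("openid.op_endpoint", ""), nonce)
        if key in self.seen_op_nonces:
            return False, "response_nonce already used (replay)"
        self.seen_op_nonces[key] = ts
        return True, "fresh OP nonce"

    def _check_rp_nonce(self, params):
        return_to = params.get("openid.return_to", "")
        rp_nonce = parse_qs(urlparse(return_to).query).get("rp_nonce", [None])[0]
        if rp_nonce is None:
            return False, "no response_nonce and no RP nonce in return_to"
        if rp_nonce not in self.issued_rp_nonces:
            return False, "RP nonce unknown or already consumed (replay)"
        self.issued_rp_nonces.discard(rp_nonce)  # single use
        return True, "fresh RP nonce"

    def _prune(self, now):
        """Forget OP nonces too old to pass the skew check anyway, bounding memory."""
        cutoff = now - MAX_SKEW
        for key in [k for k, ts in self.seen_op_nonces.items() if ts < cutoff]:
            del self.seen_op_nonces[key]


def demo():
    """Run constructed sample responses through the checker; returns the ok flags."""
    now = dt.datetime(2008, 11, 11, 13, 36, 37, tzinfo=dt.timezone.utc)
    rc = ReplayChecker()
    rc.issue_rp_nonce("a1b2c3")  # constructed RP nonce
    fresh = {"openid.op_endpoint": "https://op.example/endpoint",           # constructed
             "openid.response_nonce": "2008-11-11T13:36:00ZUNIQUE"}         # constructed
    r1 = rc.check(fresh, now)   # first sight: accepted
    r2 = rc.check(fresh, now)   # identical response again: replay
    stale = dict(fresh, **{"openid.response_nonce": "2008-11-11T12:00:00Zx"})
    r3 = rc.check(stale, now)   # well outside the skew window
    legacy = {"openid.return_to": "https://rp.example/return?rp_nonce=a1b2c3"}  # constructed
    r4 = rc.check(legacy, now)  # no response_nonce, RP nonce still valid
    r5 = rc.check(legacy, now)  # RP nonce already consumed: replay
    return [r[0] for r in (r1, r2, r3, r4, r5)]


if __name__ == "__main__":
    print(demo())
```

The split into an OP-nonce path and an RP-nonce path is what lets the checker satisfy both quoted sentences at once: the response is "accepted" in the sense of being processed, and the replay decision is made from whichever freshness evidence is available, without excusing the RP from the discovery and signature checks that follow.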



