[OpenID] review of text for validating unsolicited assertions, given an openid2 request about identity=localid
Andrew Arnott
andrewarnott at gmail.com
Wed Nov 12 04:02:20 UTC 2008
Peter,
You've been posting to a lot of threads yourself around unsolicited
assertions. You're not alone in believing that the language around
unsolicited assertions in the OpenID 2.0 spec is unclear. But I must say
I'm not with you on that one.
In implementing OpenID 2.0 in DotNetOpenId, I found that unsolicited
assertion support on the RP side was a natural fallout of implementing the
whole spec. I didn't have to do anything special at all to support them.
The OP side left me to be just a bit creative: the only thing I had to
decide on my own for lack of a spec was to have the user initiate the
assertion while logged into the OP by typing in the RP's realm URL so that
RP discovery could do the work of figuring out where the return_to was that
the unsolicited assertion should be sent. Also, of the many return_to URLs
that might be listed in an RP's XRDS file, the OP just selects the first one
and hopes that that is the one where the user's login will be accepted in a
user-friendly way. (i.e. the user won't be logged into the admin portion of
the web site when he's just a normal user).
I'd be happy to fill you in on details of how I did it if you'd like, but
again, I felt that the spec gave a complete enough description of assertion
discovery that it just worked.
And for all your "discovery4" markers in your emails that seem to suggest
multiple rounds of discovery, my RP only requires one identifier discovery
step to receive an unsolicited assertion.
On Tue, Nov 11, 2008 at 5:47 AM, Peter Williams <pwilliams at rapattoni.com> wrote:
> 15.1.1. Eavesdropping Attacks
>
> This section should be renamed 15.1.1. Reuse of Assertions
>
> The section discusses 2 topics: eavesdropping, replay on the wire of an
> assertion to a given RP.
>
> The use of the term eavesdropping (a passive attack) is somewhat
> inappropriate, since the description is all about an active deletion and
> insertion attack, following early intercept.
>
> *From:* general-bounces at openid.net [mailto:general-bounces at openid.net] *On
> Behalf Of *Peter Williams
> *Sent:* Tuesday, November 11, 2008 5:17 AM
> *Cc:* OpenID List
> *Subject:* [OpenID] review of text for validating unsolicited assertions,
> given an openid2 request about identity=localid
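To make the RP-discovery step Andrew describes concrete, here is an added example (not DotNetOpenId's code and not part of the original thread) that parses a constructed XRDS document for the RP's return_to endpoints, orders them by priority, and then picks the first one the way the OP in the message does, but only after checking that the candidate lies inside the realm the user typed, per the OpenID 2.0 section 9.2 realm-matching rules. The realm, host names and function names are assumptions made up for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "xri://$xrd*($v*2.0)"
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"

# Constructed sample XRDS for a hypothetical RP; two return_to endpoints,
# with the lower priority value (10) meaning "preferred".
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD><Service priority="20">
<Type>http://specs.openid.net/auth/2.0/return_to</Type>
<URI>https://admin.example-rp.test/openid/finish</URI></Service>
<Service priority="10">
<Type>http://specs.openid.net/auth/2.0/return_to</Type>
<URI>https://www.example-rp.test/openid/finish</URI></Service></XRD>
</xrds:XRDS>"""

def return_to_urls(xrds_text):
    """Return the RP's return_to URIs, lowest priority value first."""
    root = ET.fromstring(xrds_text)
    found = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text for t in svc.findall(f"{{{XRD_NS}}}Type")]
        if RETURN_TO_TYPE not in types:
            continue
        prio = int(svc.get("priority", "9999"))  # no priority sorts last
        found += [(prio, u.text.strip()) for u in svc.findall(f"{{{XRD_NS}}}URI")]
    return [u for _, u in sorted(found, key=lambda p: p[0])]

def return_to_matches_realm(return_to, realm):
    """OpenID 2.0 sec. 9.2 realm check: same scheme and port, realm path is a
    prefix, host equal (or any subdomain when the realm starts with '*.')."""
    rt, rl = urlsplit(return_to), urlsplit(realm)
    if rl.fragment or rt.scheme != rl.scheme or rt.port != rl.port:
        return False
    host, rt_host = rl.hostname or "", rt.hostname or ""
    if host.startswith("*."):
        if rt_host != host[2:] and not rt_host.endswith("." + host[2:]):
            return False
    elif rt_host != host:
        return False
    return (rt.path or "/").startswith(rl.path or "/")

def pick_return_to(xrds_text, realm):
    """The OP behaviour described above: take the first discovered return_to
    that lies inside the realm the user typed; None if none qualifies."""
    for url in return_to_urls(xrds_text):
        if return_to_matches_realm(url, realm):
            return url
    return None
```

Ports are compared literally, so a realm without an explicit port will not match a return_to that spells out `:443`; normalise default ports first if your RP advertises them that way.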