[OpenID] [LIKELY_SPAM]Re: [LIKELY_SPAM]Re: [LIKELY_SPAM]Re: Combining Google & Yahoo user experience research
Martin Atkins
mart at degeneration.co.uk
Wed Oct 22 23:29:28 UTC 2008
Chris Messina wrote:
> I'm unclear what you're saying -- security isn't my first language.
>
> I'm only pointing out a behavior that's already observable in the wild
> -- where you provide one identifier and Yahoo essentially discards the
> whole thing and only looks at the domain and uses identifier select.
>
> This may not be ideal or what's expected, but it's a practice that exists.
>
Indeed, and it is in fact allowed by the OpenID 2.0 spec if you
interpret it as the following, rather bizarre, interaction:
* RP requests verification of http://id1.example.com/
* OP ignores that request, but then...
* OP sends RP an "unsolicited positive assertion" for http://id2.example.com/.
Section 10 of the 2.0 spec says that RPs SHOULD accept unsolicited
positive assertions.
In practice, most RPs respond to an unsolicited positive assertion the
same way as a solicited one, but depending on the use-case this might
not make sense.
While I don't dispute that it's correct per spec, I think it does make
for a confusing user experience if there's already an active session for
the "wrong" account, and it also causes trouble for users of delegation
since if Yahoo! verifies the wrong identifier the delegation will be
wrong and the RP's OpenID library will (or rather, should) treat it as
an invalid assertion.
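The RP-side check the post refers to, as an added example that is not part of Martin's message or of any OpenID library: an RP that asked for one Claimed Identifier and receives a positive assertion for another should re-run discovery on the asserted identifier and compare the OP endpoint and OP-Local Identifier it finds against the assertion (OpenID 2.0, section 11.2). That comparison is also what catches a wrong delegation. The discovery table, the hostnames and the sample responses below are constructed for illustration; signature, nonce and return_to verification are assumed to happen elsewhere and are not shown.

```python
# Added example (not from the mailing-list post): classify an OpenID 2.0
# positive assertion as solicited, unsolicited or invalid from the RP's point
# of view. All URLs and the discovery table are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Discovery:
    op_endpoint: str  # OP Endpoint URL found by discovery on the Claimed Identifier
    local_id: str     # OP-Local Identifier (delegate target), or the claimed id itself


# Stand-in for Yadis/HTML discovery. A real RP fetches these; here they are
# fixed so the example runs offline.
DISCOVERY = {
    "http://id1.example.com/": Discovery("https://op.example.com/server",
                                         "https://op.example.com/user/alice"),
    "http://id2.example.com/": Discovery("https://op.example.com/server",
                                         "https://op.example.com/user/bob"),
}


def discover(claimed_id):
    """Return what discovery yields for claimed_id, or None if it fails."""
    return DISCOVERY.get(claimed_id)


def classify_assertion(requested_claimed_id, assertion):
    """Classify the openid.* fields of an id_res response.

    Returns 'solicited' when the asserted Claimed Identifier is the one the RP
    requested, 'unsolicited' when it is a different identifier that still
    verifies, and 'invalid' when discovery on the asserted identifier does not
    point at the OP endpoint and OP-Local Identifier the OP vouched for.
    Signature, nonce and return_to checks are assumed to be done separately.
    """
    if assertion.get("openid.mode") != "id_res":
        return "invalid"
    claimed = assertion.get("openid.claimed_id")
    identity = assertion.get("openid.identity")
    op_endpoint = assertion.get("openid.op_endpoint")
    if not (claimed and identity and op_endpoint):
        return "invalid"
    # Section 11.2: the RP must verify the discovered information for the
    # Claimed Identifier actually in the assertion, not the one it requested.
    disc = discover(claimed)
    if disc is None:
        return "invalid"
    if disc.op_endpoint != op_endpoint or disc.local_id != identity:
        # Delegation mismatch: the Claimed Identifier delegates to a different
        # OP-Local Identifier than the one the OP asserted.
        return "invalid"
    return "solicited" if claimed == requested_claimed_id else "unsolicited"


REQUESTED = "http://id1.example.com/"

# Constructed responses. The OP answered for the identifier the RP asked about.
SOLICITED = {"openid.mode": "id_res",
             "openid.claimed_id": "http://id1.example.com/",
             "openid.identity": "https://op.example.com/user/alice",
             "openid.op_endpoint": "https://op.example.com/server"}

# The OP ignored the request and asserted a different identifier (the
# interaction described above). It verifies, but it is not what was asked for.
UNSOLICITED = {"openid.mode": "id_res",
               "openid.claimed_id": "http://id2.example.com/",
               "openid.identity": "https://op.example.com/user/bob",
               "openid.op_endpoint": "https://op.example.com/server"}

# The OP kept the requested Claimed Identifier but vouched for the wrong
# account: id1 delegates to alice, the OP asserted bob.
WRONG_DELEGATION = {"openid.mode": "id_res",
                    "openid.claimed_id": "http://id1.example.com/",
                    "openid.identity": "https://op.example.com/user/bob",
                    "openid.op_endpoint": "https://op.example.com/server"}


if __name__ == "__main__":
    for name, resp in [("solicited", SOLICITED), ("unsolicited", UNSOLICITED),
                       ("wrong delegation", WRONG_DELEGATION)]:
        print(f"{name}: {classify_assertion(REQUESTED, resp)}")
```

An RP that wants the behaviour the post calls confusing can accept 'unsolicited' and log the user in as the asserted identifier; one that does not can reject it or restart the request. Either way the 'invalid' result must never be accepted, since discovery on the Claimed Identifier does not agree with what the OP signed.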