[OpenID] Delegation leading to new accounts on websites

Breno de Medeiros breno at google.com
Fri Jul 10 18:57:02 UTC 2009


It is not a question of expanding scope. From a security standpoint, it
makes no sense to assess only one aspect of the flow. It could be argued
that the other aspect of the flow (performing discovery of the OpenID
identifier to resolve the OP) is already performed by the RP so it can
assess the security of that secondary flow directly. One then hopes that RPs
will be sophisticated enough to understand that if they do not assess that
flow themselves (and know how to do it) then they get essentially no benefit
from using PAPE.

On Fri, Jul 10, 2009 at 11:50 AM, Johnny Bufu <johnny.bufu at gmail.com> wrote:

> If PAPE or other extensions expand their scope and include the claimed
> identifiers or other entities into what they assert - it's a totally
> different deal.
>



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)