[OpenID] metadata/annotations in the primary key
Andrew Arnott
andrewarnott at gmail.com
Wed Jun 24 23:52:07 UTC 2009
On Wed, Jun 24, 2009 at 4:24 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
> we typically say that a good RP would use the validated localid as its
> primary key, especially in the delegation flows.
If I understand you correctly, all I have to do is set up a claimed
identifier that points to my own OP endpoint, but uses *your* localid
value. Then I can spoof your identity at a 'good RP'. Is that right?
Claimed Identifiers are supposed to be "primary keys" -- not local ids!
Nowhere in the OpenID protocol does the user prove he controls an OP local
identifier. They only prove they control the Claimed Identifier.
Therefore, RPs must only key off of the claimed ID.
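Added illustration of the point made above (example code, not from this thread or from any OpenID library; all hosts and identifiers are constructed): an RP that verifies a positive assertion against its own discovery results (as OpenID 2.0 section 11.2 requires) still files two different users into the same account if it keys on the OP-local identifier, but not if it keys on the Claimed Identifier.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Discovery:
    """What an RP learns by discovering a Claimed Identifier (Yadis/HTML)."""
    claimed_id: str
    op_endpoint: str
    local_id: str  # OP-Local Identifier (openid.identity); may be delegated


@dataclass(frozen=True)
class Assertion:
    """The fields of a positive assertion that matter for this check."""
    claimed_id: str   # openid.claimed_id
    identity: str     # openid.identity (the OP-local id)
    op_endpoint: str  # openid.op_endpoint


# Constructed sample discovery results (hypothetical hosts). Mallory's
# identifier page points at Mallory's own OP but reuses Alice's local id.
DISCOVERY = {
    "https://alice.example/": Discovery(
        "https://alice.example/", "https://op.example/server", "https://op.example/u/alice"),
    "https://mallory.example/": Discovery(
        "https://mallory.example/", "https://evil.example/server", "https://op.example/u/alice"),
}


def verify_against_discovery(a: Assertion) -> bool:
    """OpenID 2.0 section 11.2: asserted fields must match what the RP
    discovered for the Claimed Identifier (signature checking omitted here)."""
    d = DISCOVERY.get(a.claimed_id)
    return d is not None and a.op_endpoint == d.op_endpoint and a.identity == d.local_id


def rp_account_key(a: Assertion, key_by_local_id: bool) -> str:
    """Return the key under which an RP would file this login."""
    if not verify_against_discovery(a):
        raise ValueError("assertion does not match discovery")
    return a.identity if key_by_local_id else a.claimed_id


# Both assertions are internally consistent with their own discovery data.
ALICE = Assertion("https://alice.example/", "https://op.example/u/alice", "https://op.example/server")
MALLORY = Assertion("https://mallory.example/", "https://op.example/u/alice", "https://evil.example/server")


def keys_collide(key_by_local_id: bool) -> bool:
    """True when Mallory's verified assertion lands on Alice's RP account."""
    return rp_account_key(ALICE, key_by_local_id) == rp_account_key(MALLORY, key_by_local_id)
```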