[OpenID] OP-initiated RP discovery

John Bradley ve7jtb at ve7jtb.com
Tue Oct 6 15:32:50 UTC 2009


I should clarify.

RP discovery for return_to validation is required by the GSA profile.

In other cases the large OPs are ignoring not finding an RP XRDS to validate. At most they show a warning to the user.

The main concern is RPs that have open relays like checkid_immediate that could be used to intercept a token if the OP only verifies the realm against the return_to.

I don't think RPs should be forced to publish XRDS but it is a good idea for a number of reasons.

In principle a Tor host could still publish a XRDS for IdIb by the user's browser.

I think at the moment the only hang-up is the OP doing RP discovery.

Some of the possible artifact binding solutions may also be an issue.

John B.

On 2009-10-06, at 2:19 AM, SitG Admin wrote:

>> That sounds like what we call an "unsolicited assertion".
>
> I thought those were non-direct OP-RP communications, with the user carrying the payload? The diagram I found seems to support this:
> http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf
> The use-case would be a Relying Party running on a server only available through the Tor network; *but*, that server would asymmetrically be able to make requests to other servers on The Internet, even though most servers can't access .onion TLDs. I *think* OpenID could still work in this way, over Tor, because the OP is returning documents as a response and not a separate request of its own.
>
> -Shade
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
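The two checks the thread contrasts, realm-only verification versus RP discovery, side by side in an added example (this is not code from the thread, from John Bradley, or from any OpenID library). It implements the OpenID 2.0 realm matching rule (same scheme and port, same host or a `*.` wildcard subdomain, path equal to or below the realm path) and then looks up the `return_to` endpoints an RP publishes in its XRDS document. The XRDS document, the hostnames under `example.com`, and the URLs are constructed for the demonstration; treating each declared XRDS URI as a prefix, the same way a realm is, is an assumption made here.

```python
# Added example (not from the thread): how an OP can check an OpenID 2.0
# return_to URL, first against the realm alone and then against the
# return_to endpoints the RP publishes in its XRDS document.
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Namespace and service type defined by XRDS / OpenID 2.0.
XRD_NS = "xri://$xrd*($v*2.0)"
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"

# Constructed sample XRDS: the RP declares exactly one return_to endpoint.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="1">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>https://rp.example.com/openid/finish</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def _effective_port(parts):
    """Explicit port if given, otherwise the scheme default."""
    if parts.port is not None:
        return parts.port
    return {"http": 80, "https": 443}.get(parts.scheme)


def return_to_matches_realm(realm: str, return_to: str) -> bool:
    """OpenID 2.0 section 9.2 realm rules: same scheme and port, host equal
    (or any subdomain when the realm host starts with '*.'), and the
    return_to path equal to or below the realm path."""
    r, t = urlparse(realm), urlparse(return_to)
    if r.fragment or not r.scheme or not r.hostname or not t.hostname:
        return False
    if r.scheme != t.scheme or _effective_port(r) != _effective_port(t):
        return False
    rhost, thost = r.hostname, t.hostname      # urlparse lower-cases hostnames
    if rhost.startswith("*."):
        suffix = rhost[2:]
        if "." not in suffix:                  # refuse over-broad realms such as *.com
            return False
        if thost != suffix and not thost.endswith("." + suffix):
            return False
    elif rhost != thost:
        return False
    rpath, tpath = r.path or "/", t.path or "/"
    if rpath.endswith("/"):
        return tpath.startswith(rpath)
    return tpath == rpath or tpath.startswith(rpath + "/")


def declared_return_to_urls(xrds_xml: str) -> list:
    """Collect the <URI>s of every XRDS <Service> typed as a return_to endpoint."""
    root = ET.fromstring(xrds_xml)
    urls = []
    for svc in root.iter("{%s}Service" % XRD_NS):
        types = {t.text.strip() for t in svc.findall("{%s}Type" % XRD_NS) if t.text}
        if RETURN_TO_TYPE in types:
            urls.extend(u.text.strip() for u in svc.findall("{%s}URI" % XRD_NS) if u.text)
    return urls


def verify_return_to(realm: str, return_to: str, xrds_xml=None) -> bool:
    """Realm check first; when an XRDS document is available the return_to
    must also fall under one of the RP's declared endpoints."""
    if not return_to_matches_realm(realm, return_to):
        return False
    if xrds_xml is None:
        return True   # realm-only verification, the behaviour the thread describes
    return any(return_to_matches_realm(u, return_to)
               for u in declared_return_to_urls(xrds_xml))


if __name__ == "__main__":
    realm = "https://*.example.com/"
    declared = "https://rp.example.com/openid/finish?nonce=1"
    undeclared = "https://relay.example.com/openid/forward"   # never published by the RP
    print(verify_return_to(realm, declared, SAMPLE_XRDS))       # True
    print(verify_return_to(realm, undeclared))                  # True: the realm alone admits it
    print(verify_return_to(realm, undeclared, SAMPLE_XRDS))     # False: RP discovery rejects it
```

The last two calls are the point of the thread: a wildcard realm accepts any host under the domain, so a second endpoint on that domain that merely forwards what it receives passes realm-only verification, while the XRDS check limits the OP to the endpoints the RP actually declared.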