[OpenID] Questions about security? :)

John Bradley ve7jtb at ve7jtb.com
Thu Apr 14 21:07:32 UTC 2011


The SREG 1.1 spec for OpenID 2.0 is unofficial but used.
Some people still use SREG 1.0 with OpenID 2.0, but that is not spec compliant.

The only official standard to pass attributes is AX in OpenID 2.0.

By default they are not signed or encrypted, so the values can be modified by the user. 
This was considered OK in the design because all the attributes are self asserted.

The IDP can easily make the AX parameters part of the signed body of the assertion.
However, you may find that RPs are not necessarily checking for that.

Any encryption would need to be custom.
http://openid.net/specs/openid-attribute-exchange-1_0.html

OpenID Connect has merged into OpenID AB.  We expect to circulate draft specs at IIW.
It will have more of the features it sounds like you are looking for.

The mailing list is:
http://lists.openid.net/mailman/listinfo/openid-specs-ab

John B.

On 2011-04-14, at 4:28 PM, Kleber - Corujito wrote:

> Hi guys,
> 
> We are building a new OpenID Provider. It works, but we would appreciate some security tips. Can you help us? :)
> 
> We read the AX and SREG specs and we wonder if there is another way to pass user information from the Provider to the RP?
> We were figuring out if parameters could be passed in an encrypted way.
> 
> Is there something from the OpenID community that we are missing? I read on openidconnect.com some time ago that it is considered 'OpenID 3.0'. Should we implement it?
> 
> Thanks
> -- 
> Kleber Manoel Infante (Corujito)
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general

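The point John makes above (AX values are unsigned by default, an OP can put them under openid.signed, and an RP must actually check that it did) as an added worked example. This is not code from the thread or from any OpenID library: it signs a constructed OpenID 2.0 positive assertion with an HMAC-SHA256 association per the Key-Value Form rules of the spec, then shows an RP-side check that refuses AX attributes unless every AX field is covered by openid.signed. The MAC key, the op.example / rp.example URLs and the association handle are assumptions made up for the example.

```python
"""Added example (not from the original thread): OP-side signing of an
OpenID 2.0 positive assertion and an RP-side check that refuses AX
attribute values unless they are covered by openid.signed."""
import base64
import hashlib
import hmac

AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed association MAC key for the example. A real OP/RP pair gets it
# from the association tied to openid.assoc_handle.
MAC_KEY = hashlib.sha256(b"example association secret").digest()

# Fields the spec requires an OP to sign in a positive assertion; nothing
# here covers the AX extension.
BASE_SIGNED = ["op_endpoint", "claimed_id", "identity", "return_to",
               "response_nonce", "assoc_handle"]


def kv_form(message, signed_fields):
    """Key-Value Form (spec section 6.1) of the listed fields, in the order
    given by openid.signed, with the 'openid.' prefix removed from each key."""
    return "".join(f"{f}:{message['openid.' + f]}\n"
                   for f in signed_fields).encode("utf-8")


def sign(message, mac_key, signed_fields):
    """OP side: add openid.signed and openid.sig (HMAC-SHA256 association)."""
    msg = dict(message)
    msg["openid.signed"] = ",".join(signed_fields)
    mac = hmac.new(mac_key, kv_form(msg, signed_fields), hashlib.sha256).digest()
    msg["openid.sig"] = base64.b64encode(mac).decode("ascii")
    return msg


def signature_valid(message, mac_key):
    """RP side: recompute the MAC over exactly the fields named in openid.signed."""
    signed_fields = message.get("openid.signed", "").split(",")
    try:
        body = kv_form(message, signed_fields)
    except KeyError:  # openid.signed names a field that is absent
        return False
    expected = base64.b64encode(
        hmac.new(mac_key, body, hashlib.sha256).digest()).decode("ascii")
    return hmac.compare_digest(expected, message.get("openid.sig", ""))


def ax_alias(message):
    """Find the extension alias bound to the AX namespace (usually 'ax')."""
    for key, value in message.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def unsigned_ax_fields(message):
    """AX fields (namespace declaration included) that openid.signed does
    not cover, as keys without the 'openid.' prefix, sorted."""
    alias = ax_alias(message)
    if alias is None:
        return []
    signed = set(message.get("openid.signed", "").split(","))
    ax_keys = [k[len("openid."):] for k in message
               if k.startswith(f"openid.{alias}.") or k == f"openid.ns.{alias}"]
    return sorted(k for k in ax_keys if k not in signed)


def trusted_ax_attributes(message, mac_key):
    """Return {attribute alias: value} for AX values the RP may rely on.

    Raises ValueError if the signature fails or any AX field is unsigned:
    an unsigned AX value passes through the user's browser and can be
    edited there without invalidating openid.sig.
    """
    if not signature_valid(message, mac_key):
        raise ValueError("openid.sig does not verify")
    unsigned = unsigned_ax_fields(message)
    if unsigned:
        raise ValueError("AX fields outside openid.signed: " + ", ".join(unsigned))
    alias = ax_alias(message)
    if alias is None:
        return {}
    prefix = f"openid.{alias}.value."
    return {k[len(prefix):]: v for k, v in message.items() if k.startswith(prefix)}


def build_response(sign_ax):
    """Constructed positive assertion from an OP carrying one AX attribute."""
    message = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/server",  # assumed URLs
        "openid.claimed_id": "https://op.example/id/alice",
        "openid.identity": "https://op.example/id/alice",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2011-04-14T21:07:32Zabc123",
        "openid.assoc_handle": "assoc-1",
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.email": "http://axschema.org/contact/email",
        "openid.ax.value.email": "alice@example.com",
    }
    ax_fields = ["ns.ax", "ax.mode", "ax.type.email", "ax.value.email"]
    return sign(message, MAC_KEY, BASE_SIGNED + (ax_fields if sign_ax else []))


def tamper(message):
    """What the user can do in the browser: rewrite the self-asserted email."""
    msg = dict(message)
    msg["openid.ax.value.email"] = "admin@rp.example"
    return msg


if __name__ == "__main__":
    unsigned = build_response(sign_ax=False)
    print("AX unsigned, email tampered, openid.sig still valid:",
          signature_valid(tamper(unsigned), MAC_KEY))
    try:
        trusted_ax_attributes(unsigned, MAC_KEY)
    except ValueError as err:
        print("RP rejects:", err)
    signed = build_response(sign_ax=True)
    print("AX signed, RP trusts:", trusted_ax_attributes(signed, MAC_KEY))
    print("AX signed, email tampered, openid.sig valid:",
          signature_valid(tamper(signed), MAC_KEY))
```

The two halves of the check matter separately: signature_valid alone says nothing about the AX values when the OP left them out of openid.signed, which is why unsigned_ax_fields is consulted before any attribute is returned. An RP that wants to accept self-asserted values from an OP that does not sign them should do so knowingly, for attributes it treats as untrusted input, rather than by omitting the second check.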