<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">The SREG 1.1 spec for OpenID 2.0 is unofficial but used. <div>Some people still use SREG 1.0 with OpenID 2.0, but that is not spec compliant.</div><div><br></div><div>The only official standard to pass attributes is AX in OpenID 2.0.</div><div><br></div><div>By default they are not signed or encrypted, so the values can be modified by the user. </div><div>This was considered OK in the design because all the attributes are self-asserted.</div><div><br></div><div>The IDP can easily make the AX parameters part of the signed body of the assertion.</div><div>However, you may find that RPs are not necessarily checking for that.</div><div><br></div><div>Any encryption would need to be custom.</div><div><a href="http://openid.net/specs/openid-attribute-exchange-1_0.html">http://openid.net/specs/openid-attribute-exchange-1_0.html</a></div><div><br></div><div>OpenID Connect has merged into OpenID AB. We expect to circulate draft specs at IIW.</div><div>It will have more of the features it sounds like you are looking for.</div><div><br></div><div>The mailing list is:</div><div><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></div><div><br></div><div>John B.</div><div><br><div><div>On 2011-04-14, at 4:28 PM, Kleber - Corujito wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Hi guys,<div><br></div><div>We are building a new OpenID Provider. It works, but we would appreciate some security tips. Can you help us? :)</div><div><br>
</div><div>We read the AX and SREG specs and we wonder if there is another way to pass user information from Provider to RP?</div><div>We were figuring out if parameters could be passed in an encrypted way.</div><div><br></div>
<div>Is there something from the OpenID community that we are missing? I read from <a href="http://openidconnect.com/">openidconnect.com</a> some time ago that it is considered 'openid 3.0'. Should we implement it?</div>
<div><br></div><div>Thanks</div><div>-- <br>Kleber Manoel Infante (Corujito)<br>
</div>
</blockquote></div><br></div></body></html>
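Added example, not part of the original thread or of any OpenID library: an RP-side check, sketched in Python, for the point in the reply above that AX values can be trusted only when the provider lists them in openid.signed. The function name and the sample response are constructed for illustration, and the check assumes openid.sig has already been verified over the fields named in openid.signed.

```python
# Added example: keep only AX attributes that openid.signed covers.
# Assumption: openid.sig was already verified over the listed fields.
AX_NS = "http://openid.net/srv/ax/1.0"

def signed_ax_attributes(params):
    """Return ({type_uri: value} covered by the signature, [rejected AX keys]).

    Handles single-valued attributes (type.<name> / value.<name>) only.
    """
    signed = {k for k in params.get("openid.signed", "").split(",") if k}
    trusted, rejected = {}, []
    for ns_key, ns_uri in params.items():
        if not ns_key.startswith("openid.ns.") or ns_uri != AX_NS:
            continue
        alias = ns_key[len("openid.ns."):]
        prefix = "openid." + alias + "."
        fields = {k[len("openid."):]: v
                  for k, v in params.items() if k.startswith(prefix)}
        # An unsigned alias declaration can be rebound by the user,
        # so nothing under that alias is trusted.
        if "ns." + alias not in signed:
            rejected.extend(sorted(fields))
            continue
        for short, value in sorted(fields.items()):
            if short not in signed:
                rejected.append(short)
                continue
            name = short[len(alias) + 1:]
            if name.startswith("value."):
                # The type URI must be signed too, or the value can be relabelled.
                type_key = alias + ".type." + name[len("value."):]
                if type_key in signed and type_key in fields:
                    trusted[fields[type_key]] = value
                else:
                    rejected.append(short)
    return trusted, rejected

# Constructed id_res response (not captured traffic): email is signed, nick is not.
SAMPLE = {
    "openid.mode": "id_res",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.value.email": "alice@example.org",
    "openid.ax.type.nick": "http://axschema.org/namePerson/friendly",
    "openid.ax.value.nick": "admin",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.ax,ax.mode,ax.type.email,ax.value.email",
    "openid.sig": "<constructed-placeholder>",
}
```

An RP would use only the first returned dict for account decisions and log the rejected keys.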