[security] Validating openid.identity in authentication responses

Dick Hardt dick at sxip.com
Fri Nov 16 19:12:01 UTC 2007


Note that it is primarily a limit of the OP, in which case the user does
the same thing all the time as they are using the same OP everywhere.

-- Dick

On 16-Nov-07, at 11:07 AM, Bradescu, Roxana wrote:

> It's unfortunate that users have to know which version of the protocol
> sites are running to know what they can type into the login box.
>
> Roxana Bradescu | VeriSign Innovation
>
>
> -----Original Message-----
> From: Johnny Bufu [mailto:johnny at sxip.com]
> Sent: Friday, November 16, 2007 10:07 AM
> To: Bradescu, Roxana
> Cc: david at sixapart.com; Trevor Johns; security at openid.net
> Subject: Re: [security] Validating openid.identity in
> authentication responses
>
>
> On 16-Nov-07, at 9:39 AM, Bradescu, Roxana wrote:
>> David, I've noticed the use case you describe doesn't actually work
>> at many RPs. For example, if I go to livejournal.com and just put in
>> my IDP pip.verisignlabs.com I get an error.
>
> Directed identity is a 2.0 feature, while livejournal seems to be
> speaking only 1.x.
>
>
> Johnny



