[security] Validating openid.identity in authentication responses
Trevor Johns
trevor at tjohns.net
Fri Nov 16 21:04:57 UTC 2007
On Nov 16, 2007, at 9:01 AM, David Recordon wrote:
> This is actually desired functionality to allow for "directed
> identity". The use case here is that an End User might type their
> OP Identifier such as "http://aol.com" to start the discovery
> process. Then while at the OP, they could potentially create a new
> OpenID Identifier on the fly or might only have one which is where
> this can also serve as a convenience feature.
Actually, I was referring to behavior in OpenID 1.1. I could
definitely see why it would be needed for directed identity, but as
has been mentioned already, that's only supported in OpenID 2.0.
--
Trevor Johns
http://tjohns.net