Consolidated Delegate Proposal

Josh Hoyt josh at janrain.com
Tue Oct 17 18:15:23 UTC 2006


On 10/17/06, Dick Hardt <dick at sxip.com> wrote:
> > It is, and must be, the relying party's responsibility to ensure that
> > the information in the response matches what is discovered. This is
> > true regardless of when portable identifiers are used and when they are
> > not. It is true for all of the proposed delegation mechanisms. It is
> > really one of the fundamental elements of OpenID.
> >
> > A response from an IdP is meaningless until it is compared with the
> > discovered information for the identifier in question.
>
> If the RP is needing to make sure they match, then what is the point
> in sending both since the RP is figuring them out anyway?

1. IdP is not required to do discovery (more importantly, if an IdP
gets it wrong or is tricked, it is not treated as the authority on the
discovered information)

2. It is explicit what is going on from an implementation and
specification perspective

It seems like this discussion is no longer constructive. It's a pretty
subtle issue, but I have not seen any new insight in a while. I think
we need to come up with a decision-making strategy that we can live
with, and get the decision made.

Josh
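
The relying-party check described in the message above, as an added example that is not part of the original post or of any OpenID library: the RP runs its own discovery on the claimed identifier and rejects a response whose endpoint or delegate differs from what it found. The field names, the verify_response helper and the sample URLs are assumptions constructed for illustration.

```python
# Added illustration. Field names and URLs are assumptions, not taken from the thread.
from dataclasses import dataclass


@dataclass(frozen=True)
class Discovered:
    """What the RP itself found by running discovery on the claimed identifier."""
    idp_endpoint: str
    idp_local_id: str  # the delegate; equals the claimed identifier when none is set


# Constructed discovery results standing in for the RP's own lookup.
DISCOVERY = {
    "https://alice.example/": Discovered(
        "https://idp.example/server", "https://idp.example/users/alice"),
    "https://idp.example/users/bob": Discovered(
        "https://idp.example/server", "https://idp.example/users/bob"),
}


def verify_response(response, discover=DISCOVERY.get):
    """Return the claimed identifier if the IdP response agrees with the RP's
    own discovery, else raise ValueError. Signature verification is a separate
    step and is not shown here."""
    claimed = response.get("claimed_id")
    found = discover(claimed) if claimed else None
    if found is None:
        raise ValueError("no discovered information for claimed identifier")
    # The IdP's statements are compared with discovery, never trusted in its place.
    for field, expected in (("idp_endpoint", found.idp_endpoint),
                            ("idp_local_id", found.idp_local_id)):
        if response.get(field) != expected:
            raise ValueError(f"{field} does not match discovered information")
    return claimed


if __name__ == "__main__":
    honest = {"claimed_id": "https://alice.example/",
              "idp_endpoint": "https://idp.example/server",
              "idp_local_id": "https://idp.example/users/alice"}
    print(verify_response(honest))
    # Same IdP, but the response pairs alice's identifier with bob's account.
    try:
        verify_response(dict(honest, idp_local_id="https://idp.example/users/bob"))
    except ValueError as err:
        print("rejected:", err)
```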


